Windows Forensics - Registry - Advanced Three-Day Instructor-Led Course For more information contact
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Windows Forensics - Registry
Advanced • Three-Day Instructor-Led Course
For more information contact: info@syntricate.com
This advanced Syntricate training course provides the knowledge and skills necessary to use AccessData®
products to conduct forensic investigations on the Microsoft® Windows® registry. Participants will learn where and
how to locate registry artifacts using Forensic Toolkit® (FTK®), FTK Imager, Registry Viewer® and Password
Recovery Toolkit® (PRTK®).
Prerequisites:
This hands-on course is intended for forensic investigators with experience in forensic case work and a basic
working knowledge of FTK, FTK Imager, Registry Viewer, and PRTK. Prior familiarity with the Microsoft Regedit
utility is also helpful.
To obtain the maximum benefit from this course, you should meet the following requirements:
• Able to understand course curriculum presented in English
• Attendance at the AccessData Forensic BootCamp and Windows Forensics course or equivalent
experience with FTK and PRTK
• Previous investigative experience in forensic case work
• Knowledge of Microsoft Windows environment
Class Materials and Software:
You will receive the associated materials prior to the course.
During this three-day course, participants will review the following:
• Use FTK Imager to obtain a clean copy of the Windows registry
• Backup individual registry keys, registry files, and whole registry sets
• Use a Regular Expression to carve registry key names from unallocated space
• Identify and locate potential trace evidence in the regf and hbin blocks
• Use the SAM file to identify system user accounts, user information and properties, user logon password
information, user profiles, and group membership
• Use the SYSTEM file to identify computer name, time zone, last shutdown time, network connections,
and hardware information
• Use the SECURITY file to identify current and archived system passwords, if present.
• Break the SECURITY file passwords in PRTK
• Use the SOFTWARE file to identify USB volume serial numbers in Windows Vista, recycle bin settings,
user profiles, wireless connections, printer information, evidence of uninstalled software, application
restrictions, autologon settings, and cached password settings
• Identify individual application settings such as Internet Explorer (IE) main settings; IE use count; Internet
Account Manager; URL history; IE5 history settings; MSN accounts; mount points and mapped drives;
and FTP site settings
(Continued on other side)
Some topics and items in this class syllabus are subject to change. This document is for information purposes only. Syntricate makes no warranties,
express or implied, in this document. AccessData, AccessData Certified Examiner, ACE, Distributed Network Attack, DNA, Forensic Toolkit, FTK,
LAB, Password Recovery Toolkit, PRTK, Registry Viewer, and Ultimate Toolkit are registered trademarks of the AccessData, Inc. in the United States
and/or other countries. Other trademarks referenced are property of their respective owners.Windows Forensics - Registry
Advanced • Three-Day Instructor-Led Course
For more information contact: info@syntricate.com
Module 1: Introduction
(Continued) Module 3: Registry 201
Topics: Objectives:
• Introductions • Define the Windows Registry structure and
• Class materials and software function
• Prerequisites • List Registry issues that can cause
• Class outline problems with individual applications and in
• Helpful Information booting the system
Lab: • List the forensic benefits of the Registry
• Use the Windows registry, rather than Windows • Identify the hives that make up the Registry
Explorer, to configure Explorer settings and list the types of information associated
• Install the following AccessData software: with each hive
o FTK Imager • Identify where the user’s NTUSER.DAT file
o Registry Viewer is located
o PRTK • Identify the standard Registry data types
• Navigate the Registry in regedit32
Module 2: Registry Utilities • Navigate the Registry in Registry Viewer
Objectives: • Define the Registry block structure
• Use Regedit or Regedit32 to view and edit • Identify the seven data structures in the
Registry settings hbin blocks that define the Registry keys,
• List four ways to back up the Registry subkeys, and values
• Backup individual keys and values • Track a subkey to its values
• List four ways to restore .reg files • Recover deleted data in the Registry and
• Create a hive backup Registry slack
• Export Registry keys and values to a text file Lab:
• Create a set of restore points • Compare registry structure in Registry
• Modify subkey permissions Viewer and Regedit
• Export Registry files from FTK • Locate and view registry files in FTK
• Use FTK Imager to harvest live Registry files Imager
• Use Registry Viewer to search Registry values • Navigate through the regf and hbin blocks
• Generate Registry reports in Registry Viewer in the SAM file to locate key values
Lab: • Use FTK Imager to search for a user in the
• Backup the registry using Windows utilities registry via key name
• Create a restore point • Use FTK Imager to search for a value in
• Use FTK Imager to obtain a clean copy of the the registry
workstation’s registry files
• Use Regedit to back up, delete, and restore
subkeys
• Use Regedit to edit subkey permissions
Some topics and items in this class syllabus are subject to change. This document is for information purposes only. Syntricate makes no warranties,
express or implied, in this document. AccessData, AccessData Certified Examiner, ACE, Distributed Network Attack, DNA, Forensic Toolkit, FTK,
LAB, Password Recovery Toolkit, PRTK, Registry Viewer, and Ultimate Toolkit are registered trademarks of the AccessData, Inc. in the United States
and/or other countries. Other trademarks referenced are property of their respective owners.Windows Forensics - Registry
Advanced • Three-Day Instructor-Led Course
For more information contact: info@syntricate.com
(Continued)
Module 4: Preliminary Reports Lab:
Objectives: • Navigate the following subkeys in the
• Generate a preliminary case report (PCR) NTUSER.DAT file:
• List the Registry information that should be o Internet Explorer
included in a PCR o Office 2007 MRUs
• Describe how data is added to standard o UserAssist
reports • Viewing TypedURLsTime anomalies
• List the types of information that can be • Use registry data to break a user’s logon
included in summary reports password
• List the benefits of summary reports • Use mount point data and the
Lab: NTUSER.DAT file to determine which user
• Create a Standard Report in Registry Viewer accessed a USB drive
• Create a Summary Report in Registry Viewer • Recover local search terms through
• Create a Summary Report in Registry Viewer Windows 8.1
using wildcards • Associating local searches with the IE
• Create a preliminary report in FTK webcache
Module 5: NTUSER.DAT Artifacts Module 6: SAM Artifacts
Objectives: Objectives:
• Use the following registry components to track • Describe the function of the SAM file
patterns of user behavior: • Describe the Windows management of
o NTUSER.DAT account permissions
o Recently typed URLs in the browser • Describe the components that make up the
o Recently viewed documents Security Identifier (SID)
o Protected storage information that • Describe the components of the Relative
potentially contains Web login names, Identifier (RID)
passwords, form data, and search queries • Identify Registry artifacts associated with
o Internet Explorer information users and groups
o Mount points and mapped drives • Associate users to groups
o Microsoft Office artifacts Lab:
o Office MRUs • Use the SAM file to translate SIDs
o Date and time of file access • Recover user account information from the
o Trusted locations SAM file including Windows 8 Live Accounts
o Resiliency and auto recover • Use the SAM file to break a user’s logon
o Location in file last visited password
o UserAssist • Use the SAM file to recover group
o Uninstalled software information
o Local search terms
o $Recycle.Bin
o BitLocker To Go
Some topics and items in this class syllabus are subject to change. This document is for information purposes only. Syntricate makes no warranties,
express or implied, in this document. AccessData, AccessData Certified Examiner, ACE, Distributed Network Attack, DNA, Forensic Toolkit, FTK,
LAB, Password Recovery Toolkit, PRTK, Registry Viewer, and Ultimate Toolkit are registered trademarks of the AccessData, Inc. in the United States
and/or other countries. Other trademarks referenced are property of their respective owners.Windows Forensics - Registry
Advanced • Three-Day Instructor-Led Course
For more information contact: info@syntricate.com
(Continued)
Module 7: SYSTEM Registry File Part 1 Module 8: SYSTEM Registry File Part 2
Objectives: Objectives:
• Identify where the SYSTEM file is located in • USB device tracking
the Registry • USB drive identification through Windows
• Describe the function of the SYSTEM file • Mounted Devices Manager
• List what type of data is stored in the SYTEM file • Date and time drive last mounted
• Identify the four subkeys that make up the • Date and time drive first mounted
SYSTEM control set • Logged on user who inserted device
• Use the SYSTEM file to recover the following • Windows Portable Devices key
information: • Use of link files to identify devices
o The correct time zone setting on a • Identification of USB external drives
Windows XP or Vista machine • Behavior of cameras and other devices
o Whether a Vista system’s default setting • Windows 2000 and XP USB connections
that disables the last accessed date/time • Determining the order of USB drive
has not been turned back on insertion
o The computer name • USB event logs
o The last shutdown time Lab:
o Mounted devices for HDDs • Simulate real world tracking of devices
o Hardware information, including • Track a device from Windows to all of the
floppydisks, hard disk drives, mass available dates and times and associations
storage devices, and printers in Windows 2000, Windows XP, Vista,
o Services available to the system Windows 7 and Windows 8
o How memory is configured, where the • Track device behavior of different devices
swap file is located, and Prefetch settings such as cameras, iPads, iPhones, and other
• Link a USB device to a specific computer devices
Lab: • Viewing Windows event logs for associated
• Use the SYSTEM file to identify time zone devices in Windows Vista, Windows 7 and
information, computer name, and last shutdown Windows 8
time
• Use the SYSTEM file, link files and log files to Module 9: SECURITY Artifacts
identify information on specific USB drives Objectives:
• Use the SYSTEM file to identify a system’s • Identify where the SECURITY file is located
DHCP name server, DHCP IP address, and • Describe the function of the SECURITY file
Hostname • List what type of data is stored in the
registry
• Distinguish between permissions, policies,
and rights
• Identify what types of passwords can be
recovered from the SECURITY file
• Recover cached passwords
Lab:
• Use the SECURITY file to identify
information on a target system
• Use PRTK to recover passwords stored in
the SECURITY file
Some topics and items in this class syllabus are subject to change. This document is for information purposes only. Syntricate makes no warranties,
express or implied, in this document. AccessData, AccessData Certified Examiner, ACE, Distributed Network Attack, DNA, Forensic Toolkit, FTK,
LAB, Password Recovery Toolkit, PRTK, Registry Viewer, and Ultimate Toolkit are registered trademarks of the AccessData, Inc. in the United States
and/or other countries. Other trademarks referenced are property of their respective owners.Windows Forensics - Registry
Advanced • Three-Day Instructor-Led Course
For more information contact: info@syntricate.com
(Continued)
Module 10: SOFTWARE Artifacts Module 11: Other Registry Files
Objectives: Objectives:
• Identify where the SOFTWARE file is located in • Use the UsrClass.dat file to recover
the Registry information on launched executables
• Describe the function of the SOFTWARE • Use the Amcache.hve file from Windows 8
file to find the following information on the target
• List what type of data is stored in the system:
SOFTWARE file o Launched executables
• Describe the function of the Vista o Drive information from launched
ReadyBoost feature and identify what binaries
information it stores in the SOFTWARE file o Identification information from
• Use the SOFTWARE file to recover the launched binaries
following information: o Determining use of portable apps
o Evidence of uninstalled software o Checking application compatibility
o Startup locations used to load applications settings by the user
or executable files during the boot process o Check for launched applications in
o The Class Identifiers (CLSIDs) for the event logs
operating system objects such as • Check individual settings.dat application
applications and ActiveX controls registry files in Windows 8 for potential
o The Service Set Identified (SSID) used to artifacts
identify the user’s wireless connections Lab:
o Winlogon and Autologon information • Tracking launched executables in the
o Recycle Bin properties MuiCache (UsrClass.dat)
o Printer information • Following application associations in the
• Create a File Types report in Registry Viewer Windows 8 Amcache.hve registry file
• List the two types of wireless artifacts found in o Documenting launched application
Windows XP details of drive and location
• Identify where wireless artifacts are found in o Drive associations with Mounted
Windows Vista Devices
• Determination of installed Metro Apps o Hash tracking of launched
• Tracking launch of portable applications in executables
Windows 8
Lab:
• Use the SOFTWARE file to identify user
information on a target system such as the last
logged on user and the time the user shut down
the system
• Use the SOFTWARE file to identify uninstalled
software, wireless connections, recycle bin
settings, and printer information
Some topics and items in this class syllabus are subject to change. This document is for information purposes only. Syntricate makes no warranties,
express or implied, in this document. AccessData, AccessData Certified Examiner, ACE, Distributed Network Attack, DNA, Forensic Toolkit, FTK,
LAB, Password Recovery Toolkit, PRTK, Registry Viewer, and Ultimate Toolkit are registered trademarks of the AccessData, Inc. in the United States
and/or other countries. Other trademarks referenced are property of their respective owners.You can also read
