Scribd
Upload
47 views29 pages

Lect 07

This document discusses Windows system artifacts that can be useful for digital forensics investigations, including deleted data, hibernation files, and the registry. It explains how to recover deleted files using tools like FTK and how the hibernation file stores open documents when a system hibernates instead of shutting down. The summary describes the structure and purpose of the registry, how it is acquired for analysis, and what important registry keys and values contain useful forensic evidence like installed programs, USB devices connected, and web browsing history.

Uploaded by

Huynh Ngoc Minh Long (K16HCM)
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
47 views29 pages

Lect 07

This document discusses Windows system artifacts that can be useful for digital forensics investigations, including deleted data, hibernation files, and the registry. It explains how to recover deleted files using tools like FTK and how the hibernation file stores open documents when a system hibernates instead of shutting down. The summary describes the structure and purpose of the registry, how it is acquired for analysis, and what important registry keys and values contain useful forensic evidence like installed programs, USB devices connected, and web browsing history.

Uploaded by

Huynh Ngoc Minh Long (K16HCM)
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 29

7.

Windows System Artifacts


Part 1
Topics

 Deleted data
 Hibernation Files
 Registry
Deleted Data
Recovering Deleted Data

 File Carving
 Allocated space contains active data
 Deleted files are in unallocated space
 Useful tools
 ProDiscover

 FTK or EnCase
 Foremost

 Recuva

 Photorec
Hibernation File
Shutdown Options
 Sleep – data kept in RAM
 Power still on
 Documents lost if power fails
 Hibernate – RAM copied to Hiberfil.sys
 Power off
 Documents never lost
 Hybrid Sleep
 Default for Windows 7 desktops
 Puts open documents and programs on disk
 Keeps them in RAM as well for fast wakeup
 Documents not lost if power fails
Enabling Hibernation

 Link Ch 5i
Registry
Not in book, but may be on quizzes and Final Exam
Understanding the Structure of the
Registry

 The registry consists of five root keys


 HKey_Classes_Root
 HKey_Current_User
 HKey_Local_Machine
 HKey_Users
 HKey_Current_Config
 Or HKCR, HKCU,
HKLM, HKU,
and HKCC
Subkeys
 Root keys (sometimes called predefined keys),
contain subkeys
 Subkeys look like folders in Regedit
 HKCU has these top-level subkeys: AppEvents,
Console, Control Panel, …
 A root key and
its subkeys
form a path
 HKCU\Console
Values

 Every Subkey contains


at least one value
 But it may show
(value not set)
 The default value
(often undefined)
 Values have name,
data type, and data
Hives

 A key with all its subkeys and values is


called a hive
 The registry is stored on disk as
several separate hive files
 Hive files are read into memory when
the operating system starts (or when a
new user logs on)
HiveList

 HKLM\System\CurrentControlSet\Control\HiveList
Hardware Hive

 \Registry\Machine\Hardware has no
associated disk file
 Windows 7 creates it fresh each time you
turn your system on
HKCR and HKCU

 These keys are links to items


contained in other root keys
 HKey_Classes_Root (HKCR)
 Merged from keys within HKLM\Software\
Classes and HKU\sid_Classes
 sid is the security identifier of the currently
logged on user
 HKey_Current_User (HKCU)
 HKU\sid
Purpose of Registry

 Database for configuration files


 Registry artifacts are very valuable for
forensics
 Search terms
 Programs run or installed
 Web addresses
 Files recently opened
 USB devices connected
Acquiring the Registry

 FTK Imager
Acquired Files
Reference

 Link Ch 5c
Important Registry Data

 Control Set
 Time Zone
 User Assist
 USB Store
Control Set

 A live Registry has an


important key named
HKLM\System\
CurrentControlSet
 Contains Time Zone,
USBSTOR, and other
information
Control Set
 Acquired image doesn't
contain
CurrentControlSet
 It's ephemeral data—not
stored in the hive files
 To determine which
ControlSet is current,
look in
 System\Select
 In this case,
ControlSet001 is
Current
 Link Ch 5a
Time Zone

 System\ControlSet001\Control\TimeZoneInformation
 Assuming that ControlSet001 is Current
UserAssist
 Shows objects the user has accessed
 To see it, open Users\Username\NTUSER.DAT
 Navigate to Software\Microsoft\Windows\
CurrentVersion\Explorer\UserAssist
UserAssist Decoded in Lower
Left Pane
RegRipper

 Link Ch 5k
Ripped Registry
USBSTOR
 System\ControlSet001\Enum\USBSTOR
 Assuming Current Control Set is 1

You might also like