
Windows Forensics

windoooows


Last updated 2 years ago

Registry Hives

A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files loaded into memory when the operating system is started or a user logs in.

Registry Editor

You can find registry keys in the Registry Editor.

  1. Open Registry Editor

    • Press Windows key + R to open the Run prompt and type "regedit" to open Registry Editor.

    • In Registry Editor, right-click on the value of the left pane and click.

  2. Default Location of Registry Hives

    • Located in C:\Windows\System32\config

      • DEFAULT (mounted on HKEY_USERS\.DEFAULT)

        • HKEY_USERS\.DEFAULT is not the default user profile (i.e. the profile used as the default settings for a user who logs in and does not have an existing profile).

          • It is the profile for the LOCALSYSTEM account. It is an alias for HKEY_USERS\S-1-5-18.

        • The registry settings used as the default settings for a user who logs in and does not have an existing profile are at C:\Users\Default\ntuser.dat.

      • SAM (mounted on HKEY_LOCAL_MACHINE\SAM)

        • The Security Account Manager (SAM) is a particular registry hive that stores credentials and account information for local users.

        • Examiners can also learn to interpret username information including the users’ login dates, times and login count.

      • SECURITY (mounted on HKEY_LOCAL_MACHINE\Security)

        • This database contains the local system security policy settings, which control, among other things:

          • which domains are trusted to authenticate logon attempts

          • which users are allowed to access the system

          • on what channels these users are allowed to access the system (interactive, network, service logons)

          • which privileges are assigned to a user

          • how users are audited

          • logon information for cached domain logons and service logons

      • SOFTWARE (mounted on HKEY_LOCAL_MACHINE\Software)

        • It stores configuration information of various programs installed on the computer.

      • SYSTEM (mounted on HKEY_LOCAL_MACHINE\System)

        • It contains information such as the device drivers that are installed on the system, the system's hardware configuration, and the SIDs for local user accounts.

  3. Alternative Hives

    • The other registry hives are located in C:\Users\<username>.

    • Note that these hives are hidden files.

      • NTUSER.DAT (mounted on HKEY_CURRENT_USER) - located in C:\Users\username\

      • USRCLASS.DAT (mounted on HKEY_CURRENT_USER\Software\CLASSES) - located in C:\Users\username\AppData\Local\Microsoft\Windows

  4. Amcache Hive

    • This hive stores the information on programs that were recently run on the system.

      • Amcache Hive is located in C:\Windows\appcompat\Programs\Amcache.hve.
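Every hive file listed above (SAM, SYSTEM, SOFTWARE, NTUSER.DAT, USRCLASS.DAT, Amcache.hve) starts with the same 4096-byte "regf" base block, and checking it is a quick way to confirm that an acquired copy is really a hive, which one it is, and whether it was flushed cleanly before being copied. The script below is an added example written for these notes; it is not code from the notes' author or from any registry tool. It decodes the base block fields (signature, sequence numbers, last-written FILETIME, version, file type, root cell offset, embedded path name, XOR checksum) and reports the conditions an examiner should resolve before trusting the contents. The two sample hives it builds are constructed in the script, not copied from a real system, and the paths inside them are invented.

```python
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 4096      # the regf base block occupies the first 4 KiB of a hive file
CHECKSUM_OFFSET = 0x1FC     # DWORD at byte 508: XOR checksum of the preceding 508 bytes
NAME_OFFSET = 0x30          # 64 bytes of UTF-16LE: the tail of the hive's original path
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def regf_checksum(block: bytes) -> int:
    """XOR of the first 127 little-endian DWORDs; 0 and 0xFFFFFFFF are reserved and remapped."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:CHECKSUM_OFFSET]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x or 1


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Integer arithmetic so the round trip is exact (float seconds would lose precision)."""
    delta = dt - WINDOWS_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_regf_header(block: bytes) -> dict:
    """Decode the base-block fields that matter for triage of an acquired hive."""
    if len(block) < BASE_BLOCK_SIZE:
        raise ValueError("truncated: the base block is 4096 bytes")
    if block[:4] != b"regf":
        raise ValueError("not a registry hive: missing 'regf' signature")
    (primary_seq, secondary_seq, last_written, major, minor, file_type,
     file_format, root_cell, hbins_size) = struct.unpack_from("<IIQIIIIII", block, 4)
    raw_name = block[NAME_OFFSET:NAME_OFFSET + 64]
    name = raw_name.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    stored_checksum = struct.unpack_from("<I", block, CHECKSUM_OFFSET)[0]
    return {
        "hive_name": name,
        "primary_seq": primary_seq,
        "secondary_seq": secondary_seq,
        "dirty": primary_seq != secondary_seq,      # unequal = not flushed cleanly
        "last_written": filetime_to_datetime(last_written),
        "version": f"{major}.{minor}",
        "file_type": file_type,                     # 0 = primary file, 1 = transaction log
        "file_format": file_format,                 # 1 = direct memory load
        "root_cell_offset": 0x1000 + root_cell,     # cell offsets are relative to the first hbin
        "hbins_size": hbins_size,
        "checksum_ok": stored_checksum == regf_checksum(block),
    }


def hive_warnings(info: dict) -> list:
    """Conditions an examiner should resolve before trusting the hive's contents."""
    warnings = []
    if not info["checksum_ok"]:
        warnings.append("header checksum mismatch: base block corrupted, truncated or hand-edited")
    if info["dirty"]:
        warnings.append("sequence numbers differ: hive was not flushed cleanly; "
                        "replay the .LOG1/.LOG2 transaction logs before analysis")
    if info["file_type"] != 0:
        warnings.append("file type is not 0: this is a transaction log, not the primary hive")
    return warnings


def build_sample_hive(name: str, primary_seq: int, secondary_seq: int, last_written: datetime) -> bytes:
    """Constructed base block for offline demonstration; not taken from any real system."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[0:4] = b"regf"
    struct.pack_into("<IIQIIIIII", block, 4, primary_seq, secondary_seq,
                     datetime_to_filetime(last_written),
                     1, 5, 0, 1, 0x20, 0x1000)       # version 1.5, primary file, format 1
    block[NAME_OFFSET:NAME_OFFSET + 64] = name.encode("utf-16-le")[:64].ljust(64, b"\x00")
    struct.pack_into("<I", block, CHECKSUM_OFFSET, regf_checksum(bytes(block)))
    return bytes(block)


SAMPLE_TIME = datetime(2023, 6, 1, 12, 30, tzinfo=timezone.utc)
# Constructed samples: a cleanly closed SAM and an NTUSER.DAT copied mid-write (dirty).
SAMPLE_CLEAN = build_sample_hive("\\Windows\\System32\\config\\SAM", 7, 7, SAMPLE_TIME)
SAMPLE_DIRTY = build_sample_hive("\\Users\\alice\\ntuser.dat", 12, 11, SAMPLE_TIME)

if __name__ == "__main__":
    import sys
    # With a path argument, triage a real hive file; otherwise show the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            samples = {sys.argv[1]: f.read(BASE_BLOCK_SIZE)}
    else:
        samples = {"SAMPLE_CLEAN": SAMPLE_CLEAN, "SAMPLE_DIRTY": SAMPLE_DIRTY}
    for label, block in samples.items():
        info = parse_regf_header(block)
        print(label, info["hive_name"], "v" + info["version"], info["last_written"].isoformat())
        for w in hive_warnings(info):
            print("  WARNING:", w)
```

Run it as `python hive_header.py C:\path\to\copied\SAM` (any file name works; the script name is not from the notes). A hive pulled from a live system frequently reports the dirty condition, because Windows writes changes to the transaction logs first, so the .LOG1 and .LOG2 files sitting beside the hive should be collected together with it.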

Acquire Registry Data

  • Autopsy

  • FTK Imager

  • KAPE

Explore Registry Data

  • Registry Viewer

  • RegRipper

System Information

  • OS Version

    • The location is HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion.