F 220: Capturing and Examining the Registry (15 pts)

What You Need

A Windows machine with Autopsy installed.

Typing URLs

Open Internet Explorer. Type in this URL and open the page:

kittenwar.com

Close Internet Explorer.

If your system has Microsoft Edge installed, open it. Type in this URL and open the page:

puppywar.com

Close Edge.

Installing FTK Imager

Open a Web browser and go to

https://accessdata.com/product-download-page

Expand the "FTK Imager" section, as shown below. On the "FTK Imager Version..." line, click the "Download Page" button, as shown below.

Click the "Download Now" button. Fill in the form.

Run the installer file you downloaded. Install the software with the default options.

Note: Using the "Lite" version from a USB stick is a better practice. This project uses the full version for student convenience.

Viewing the Hive Files

Click Start. Type REGEDIT and press Enter. If you see a User Account Control box, click Yes.

In Registry Editor, navigate to

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\HiveList

You should see a list of the files that store the Registry, as shown below. For this project, we want to capture those files, and not all the other files on the disk. FTK Imager will make that really easy!

Creating a Registry Image with FTK Imager

Click the Start button and type FTK. Launch "FTK Imager".

In the "AccessData FTK Imager" window, click File, "Obtain Protected Files".

The "Obtain System Files" box opens. Notice the Warning at the top of this box. You are obtaining data from your own computer, not from an evidence image. At least one forensic examiner actually went to court and submitted data accidentally gathered from his own forensic workstation by ignoring this warning.

In the "Obtain System Files" box, click the Browse button and navigate to your desktop. Click the "Make New Folder" button, and name the new folder Registry_Image. Select the Registry_Imagefolder and click OK.

Click the "Password recovery and all registry files" radio button, as shown in the image above. Click OK.

Wait until the process finishes. It should only take a few seconds. Close FTK Imager.

On your desktop, open the Registry_Image folder. It should contain the five files and one folder shown below. You should get used to seeing these names--they are the Hive Files, and a lot of forensics involves working with them.

Showing System Files

In the "RegistryImage" window, click the View tab. Click the Options button.

In the Folder Options box, on the View tab, click the "Show hidden files, folders, and drives" button and clear the "Hide protected operating system files (Recommended)" box, as shown below.

If a "Warning" box pops up, click Yes.

In the "Folder Options" box, click OK.

Analyzing the Registry Image with Autopsy

Launch Autopsy.

Creating a New Case

From the Autopsy menu bar, click the "New Case" button.

Enter a Case Name of Registry.

Click the Next button.

Click the Finish button.

Importing the Registry Image

In the Add Data Source, at step 1. Select Host, click the Next button.

At step 2. Select Data Source Type, click "Logical Files", as shown below.

Click the Next button.

At step 3. Select Data Source, click the Add button. Navigate to your desktop. Click the Registry_Imagefolder and click Select.

Click the Next button.

At step 4. Configure Ingest, click the Next button.

At step 5. Add Data Source, click the Finish button.

Viewing TypedURLs

TypedURLs data is a strong indicator of Web pages the user deliberately visited, although there are some complications in its interpretation, as explained in the "TypedURLs" reference at the end of this project.

In the left pane of Autopsy, at the top, expand "Data Sources". Keep expanding items until you see your username, and click it, as shown below.

In the upper right pane, click NTUSER.DAT. This file contains personalizations made under this user account.

In the lower right pane of Autopsy, navigate to:

ROOT\Software\Microsoft\Internet Explorer\TypedURLs

F 220.1: TypedURLs (10 pts)

Click the TypedURLs folder.

The URLs appear in the lower right pane, as shown below.

Notice that the URL typed into Edge is not present.

The flag is covered by a green rectangle in the image below.

Viewing UserAssist with Registry Viewer

UserAssist data shows programs that a user launched and when. It can also show how many times the program was launched, if you use the special UserAssist tool Didier Stevens made (see the Sources section at the end of this project.)

In the lower right pane of Autopsy, navigate to:

ROOT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
In the lower right pane of Autopsy, click the + sign to expand the UserAssist key.

One or more subkeys with long names consisting of random letters and numbers appear, as shown below.

Expand one of the subkeys and click the Count subkey.

If you see "Number of values: 0", as outlined in red in the image below, try expanding another subkey.

When you find a subkey containing program names, they are unreadable, as shown below.

Believe it or not, these are obfuscated with ROT-13--moving each letter 13 values in the alphabet, an ancient and very weak form of encryption.

You can decrypt them at https://rot13.com/

F 220.2: UserAssist (5 pts)

The flag is covered by a green rectangle in the image below.

Sources

TypedURLs

UserAssist | Didier Stevens

RecentDocs

CurrentControlSet


Posted: 9-29-22