Hello and welcome back to Windows Registry Forensics, Course Five, the software hive, an overview of the software hive file. Throughout this course, we will be covering the software hive file. We're going to be talking about devices attached to the system through the USB bus. We're going to be talking about logon information, specifically the last logged-on user. We're going to look at file association, and when I say file association, I mean what program opens what file type, what file type extension. Do your documents open with Word or do they open with OpenOffice? Do your JPEGs open with the Windows Photo Viewer or do you use IrfanView? Wireless network information, we're also going to talk about that. We're going to talk about wireless networks that the device connected to. We're going to be able to see the history of wireless networks that were connected to. We're going to be able to see the last connected, first connected, and other information regarding the wireless networks. We're also going to take a look at the operating system type, and again the install date and time, and talk about why that's important. We're going to look at installed programs and applications. We're going to look at program and application usage. We're also going to look at where the software file is located. The software file is a root key of the hive HKEY_LOCAL_MACHINE. Way back when we looked at the live registry using REGEDIT and we looked at the HKEY_LOCAL_MACHINE hive, we were able to see under there the SAM, SYSTEM and SOFTWARE files, and that is where the software file is located. The full path would be C:\Windows\System32\config\Software. If we were looking at it in our image file or on a live box, this is where we would find our software file. In section one, we're going to take a look at some software file subkeys of interest, some subkeys that may be of forensic interest to our investigation.
The items we will need for this section are Registry Explorer, the Ivan software file, and DCode. The first subkeys we're going to talk about are the user logon information subkeys. Mainly we are talking about identifying the last logged-on user, and that would be Winlogon and LogonUI. The path to Winlogon is going to be Microsoft\Windows NT\CurrentVersion\Winlogon, and this is from within the software file. With LogonUI, the path would be Microsoft\Windows\CurrentVersion\Authentication\LogonUI. The Winlogon subkey manages the boot process including logon operations, loading the user's profile, and handling some shutdown procedures. The Winlogon subkey can also contain references to the last logged-on user, any legal notices shown in banners when you log on, and also auto logon information. The LogonUI subkey displays the last logged-on user. The first walkthrough we're going to do is user logon, and we're going to examine the two subkeys we just talked about. So what we're going to need to do is launch Registry Explorer. Once we've launched Registry Explorer, we go to File, Load Hive, navigate to our software hive and open, and the hive will load. Now we want to navigate to the first key we talked about, Winlogon. We can use our bookmarks: Common, Winlogon (information related to logon). We can see here we have a key last write time. We also have other information here on the right-hand side. LegalNoticeText, we don't have anything there, or LegalNoticeCaption. But if we did have some type of banner here, it would show. We can see that there's an AutoLogonSID, and we can go ahead and look at it. And the SID that has the auto logon ability is 1001. And we know from our investigation on this computer, the user 1001 is Ivan. We also see here our last used username, which is Ivan. So we do have an indication of the last logged-on user. We can see auto logon information. We can see the default user name is Ivan.
And if we did have any banners or legal notices, they would be here. Now let's take a look at LogonUI. Again, we can use our bookmarks: Common, LogonUI, which is the last logged-on user. When we look at this key, it also has a key last write time. And we can see that our last logged-on user is the Ivan account, the Ivan profile. We can see again Ivan's SID, and read his relative identifier that identifies him on the system, the machine identifier and the issuing authority, like we talked about in the SAM file. So we know Ivan is the last logged-on user. We know he has the ability to auto logon. And we can see the last logon date and time with the last write timestamp of LogonUI. Returning to our PowerPoints, we're going to talk about auto start locations next. Now we looked at auto start locations in the NTUSER.DAT file. But like we talked about before, every user on the system does have their own NTUSER.DAT file, and that file contains information specifically related to that particular user. When we are looking at the software file, this is system-wide information. So this is going to show us programs that run at startup system-wide regardless of what user is logged into the computer. And we also have a RunOnce subkey, which will show us system-wide programs that are set to run once and then delete. And usually that is program installation or some type of update. In our next exercise, we're going to take a look at our auto start locations, the Run subkey and the RunOnce subkey. So let's launch Registry Explorer if you closed it; if not, just bring it back up if you minimized it. Again, we're going to use our bookmarks, Common, and we're going to go to the Run key. We notice our path is Microsoft\Windows\CurrentVersion\Run. We can see that the key does have a last write timestamp, and we can see the programs that are set to run at startup system-wide. We have Windows Defender and we have some VM products here.
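The lecture reads the SID under LogonUI by eye, and later in this section does the same for the SID-named subkeys under Printers. The Python below is an added example, not code from the course or from Registry Explorer: it splits a SID into issuing authority, machine identifier and RID, and decodes the binary form that REG_BINARY values use, so the same user can be matched across keys. The SIDs in it are constructed sample values, not from the Ivan hive; the RID 1001 only mirrors the lecture's example.

```python
"""Decode Windows SIDs as they appear in SOFTWARE-hive artifacts (added example)."""
import struct
from dataclasses import dataclass

# RIDs below 1000 are well-known accounts; locally created users start at 1000
FIRST_USER_RID = 1000


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int          # identifier authority, e.g. 5 = NT Authority
    subauthorities: tuple   # everything after the authority, including the RID

    @classmethod
    def from_string(cls, text):
        """Parse the textual form S-<rev>-<authority>-<sub>-...-<rid>."""
        parts = text.strip().split("-")
        if len(parts) < 3 or parts[0].upper() != "S":
            raise ValueError(f"not a SID: {text!r}")
        return cls(int(parts[1]), int(parts[2]), tuple(int(p) for p in parts[3:]))

    @classmethod
    def from_bytes(cls, raw):
        """Parse the binary form: revision, sub-authority count, 6-byte big-endian
        identifier authority, then count x uint32 little-endian sub-authorities."""
        revision, count = raw[0], raw[1]
        authority = int.from_bytes(raw[2:8], "big")
        subs = struct.unpack_from(f"<{count}I", raw, 8)
        return cls(revision, authority, tuple(subs))

    def to_bytes(self):
        subs = self.subauthorities
        return (struct.pack("<BB", self.revision, len(subs))
                + self.authority.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs))

    def __str__(self):
        return "S-" + "-".join(str(x) for x in (self.revision, self.authority, *self.subauthorities))

    @property
    def rid(self):
        return self.subauthorities[-1] if self.subauthorities else None

    @property
    def machine_id(self):
        # S-1-5-21-<a>-<b>-<c>-<rid>: the three values after 21 identify the machine or domain
        if self.authority == 5 and len(self.subauthorities) == 5 and self.subauthorities[0] == 21:
            return self.subauthorities[1:4]
        return None

    @property
    def is_local_user(self):
        return self.machine_id is not None and self.rid >= FIRST_USER_RID


def users_from_key_names(names):
    """Map SID-looking subkey names (e.g. under Printers) to their RIDs; skip the rest."""
    result = {}
    for name in names:
        try:
            sid = Sid.from_string(name)
        except ValueError:
            continue
        if sid.is_local_user:
            result[name] = sid.rid
    return result


# Constructed sample values: a LogonUI last-logged-on SID and some Printers subkey names
LAST_LOGGED_ON_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
PRINTER_SUBKEYS = ["Adobe PDF", "S-1-5-21-1111111111-2222222222-3333333333-1001",
                   "S-1-5-21-1111111111-2222222222-3333333333-1002", "HP LaserJet"]

if __name__ == "__main__":
    sid = Sid.from_string(LAST_LOGGED_ON_SID)
    print("last logged-on RID:", sid.rid, "machine:", sid.machine_id)
    print("per-user printer keys:", users_from_key_names(PRINTER_SUBKEYS))
```

Matching on the full machine identifier rather than the RID alone matters when an image contains SIDs from more than one machine or domain: two accounts can share RID 1001 on different machines.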
This is a virtual machine, so nothing really nefarious here. And the key just below, RunOnce, is empty. There are no values in that key. Back to our PowerPoints. The next subkey that could be of forensic interest to us is Printers. Now this is going to show us the installed printers on the system. It's also going to show us a little more information regarding some online accounts, like OneNote, which does show up under here. So let's go ahead and take a look at the installed printers subkey, and again the path to that is Microsoft\Windows NT\CurrentVersion\Print\Printers. So let's bring up Registry Explorer. Now we're going to navigate to the Printers subkey: Microsoft, Windows NT, CurrentVersion, Print, and Printers. And we can see below Printers we have Adobe Print to PDF, Fax. We have some hardware printers; it looks like HP, Xerox. We also have some GUIDs which are actually SIDs, and they do have relative identifiers, RIDs, that identify individual users, and they relate to OneNote. Each of these subkeys also has a last write date and time. We can see the name, which reflects the SID and the RID and OneNote, and identifies back to a specific user. So this shows us OneNote activity relating back to a specific user. And this can be very important if you're doing some type of intellectual property theft or data exfiltration case, because OneNote can be used to copy entire documents in. And if you're using something like Microsoft Office 365 or some type of Microsoft online account and you access your OneNote at your office at work, you could copy company documents into your OneNote and then open it at your home and copy them to your own personal computer. So we want to be aware, if we're doing a forensic investigation and it involves some type of document theft, that we look for OneNote, and this would be a good place to look. The next thing we're going to cover is installed programs and applications.
Programs and applications: we're talking about programs that are actually installed on the system. Not all programs and applications need to install; some can run without installing. We're talking about applications that we would go to the Control Panel to uninstall. Our first subkey we're going to talk about is the Uninstall subkey, and its path is Microsoft\Windows\CurrentVersion\Uninstall. And again, this is what you would see when you looked in your Control Panel under Uninstall. The nice thing about this subkey is there can potentially be programs here that no longer exist on the system, and that can be very helpful to us to give us some historical perspective of what was going on in the computer. Another place we can look to see indications of application installation is going to be the AppxAllUserStore, and what we're going to see here is Microsoft applications. They can be used globally and by individual users. So I can install a Microsoft application like Word or Excel and say I want to install it just for this user, or I want to install it for all users on the system. So you'll be able to see that in this subkey. But this relates to Microsoft applications. In this walkthrough, we're going to take a look at the Uninstall subkey. We're going to take a look at the AppxAllUserStore subkey. We're also going to take a look at the WOW6432Node subkey. The WOW6432Node subkey deals with applications that run in 32-bit mode. Okay. The last write time on this subkey will be the install date of the program, and different programs that are installed here will have different information. Some programs will give us more information than others. Some will contain a version number. Some will show us where the EXE file is located. Some will just show us the path to where the program has been downloaded.
It depends on the program how much information you get, but you can get a lot of information out of this subkey, and you're going to see it in the file path. If it does give you a file path to where the program is stored or the executable is stored on the system, you're going to see Program Files (x86) or you're going to see a root directory, a root file path, either the root of C: or the root of E: depending on how many internal drives your system has, but it will usually be a root file path or Program Files (x86). More often, Program Files (x86). And the last thing we're going to talk about when we talk about installed applications is the Microsoft Installer, the Microsoft Installer packages. These are applications installed using the Microsoft Installer. And the path to this subkey is going to be the SOFTWARE root, Classes\Installer\Products. And again, these will only be applications or programs that were installed using the Microsoft Installer. And the name of the subkey is Microsoft Installer, MSI packages. So let's bring back up Registry Explorer, and let's take a look at these subkeys. Go ahead and collapse your subkeys, and the first key we are going to look at is the Uninstall subkey; let's navigate to the path. So we're going to expand the root, we're going to expand Microsoft, we're going to expand Windows, we're going to expand CurrentVersion, and then we're going to expand Uninstall. And we see we have some programs listed under here that may look familiar to us, and we have some GUIDs. Looking at the GUIDs under the Uninstall key, we can see data. We see that we have LibreOffice installed. We can see the version. We can see the location where the file is. We can see the install source, and we can see the display name. We can see where it would be updated, update information. We can see we get information about the program. We can see the uninstall string.
This looks like it's going to be a Microsoft package, Visual C++. We have another Microsoft package, but we are still seeing the same information. We have a version. We even have an install date, but the install date should be the last write time of this key. But we do have an install date here. We have a display name. It's an update for Windows 10. We can see VMware Tools; we can see the version. This even gives us an estimated size in bytes. So as you can see, different programs do have different information, but most of them will have a version and a file path to where the program is. And some of them will have the source where the program came from. Some of them will have the uninstall string, display name. But we can see the install source is coming from Download; again, this appears to be a Windows update. So we can gain quite a bit of information from here, and remember each one of these keys has a last write time, which should indicate the time it was installed. The next key we're going to look at is going to be the installed applications, Microsoft\Windows\CurrentVersion\AppX\AppxAllUserStore. So we're already in Microsoft\Windows\CurrentVersion. We scroll up to the AppX key, expand that key, expand the key just beneath it, AppxAllUserStore. In here, again we have individual user relative identifiers along with machine identifiers; we have RIDs and SIDs. And this can be very helpful to us. Like I said, these applications can be installed for system-wide use or they can be installed for use by a specific user. And beneath the subkey, we see some GUIDs, and we can see the path to where the file resides on the system. But these are all going to be some type of Microsoft product, Microsoft software program or application. And you will be able to see the file path to where the application is. And what's even better is we do have a lot here by user.
So if there was a specific user on the system you were investigating, you could check out what applications are specific to that user. The next subkey we're going to take a look at is going to be the WOW6432Node subkey. We're going to want to go and collapse our subkeys, and the WOW6432Node is right here off of the root. So this is directly off of the root. And underneath here we can see programs that run in 32-bit mode. We are able to get quite a bit of information from some of these programs, and we can also get the install date and time in the last write timestamp of each subkey. We see the program name; if we look further down, we can see the file path to the executable. We can see the version. We can see Google Drive, we can see the installation location, and we can see the native proxy installation location. We also have a Mozilla folder here, and we can see that that is Thunderbird, and we know that Thunderbird is an encrypted mail client, email client. We can see that we have a version, and versions can be very important when you're investigating something. You're going to need to do some research on how the versions act, because different versions of things like web browsers and email applications change the way they store data all the time. So you want to make sure you know where that particular version of that application keeps things like its history, its favorites. If we look under Main, if we look under the Main subkey, so we drill down Mozilla, Mozilla Thunderbird 52.2.0, which is the version, and into the Main subfolder, we can see the install directory and we can see the path to the executable. So we know where this installed, and it's where we expect something like this to install because it is a 32-bit application. So it would be in Program Files (x86) or at the root of C:. But we can see here where it is and where the executable file is. So this would be the install directory.
This is where the program was installed to, and this is the path to the executable. It also has an uninstall. We can see VMware Tools. It has an install path. You can see we have an upgrade helper for updates, and it is active with a flag of one. You can see we have a Dropbox updater. And again we can see the path to Dropbox. We can see the version number. So from this subkey we can get things like install path, which may be Downloads or another path; but a lot of times you're going to see Downloads. We can see a path to where the file resides now. We can see a path to the executable, and we can see the name of the program along with the version number in many cases. Now, let's take a look at the Microsoft Installer, MSI packages subkey. And that's going to be again off of the root of SOFTWARE. Let's go ahead and close up the WOW6432Node, and now off of the root of SOFTWARE we're going to go to SOFTWARE\Classes. We're going to talk about Classes shortly, but for right now we're just going to look at the MSI Installer packages. So from the SOFTWARE root, Classes, we're going to go to Installer; we're going to expand the Installer subkey. From there we're going to go to Products; we're going to expand the Products subkey. And we are going to see some GUIDs again. And when we look at these GUIDs, we're going to see some familiar stuff. We saw FTK Imager, AccessData FTK Imager. We can see a version, we can again see the path and the version. We can see the last write timestamp of each of these keys, which would be when the program was installed or changed in some way. The same thing, we have a Dropbox update helper. We can see the version and [INAUDIBLE] download or install, our last update time. You'll see a lot of Microsoft-type programs here. But you will see stuff like VMware Tools, anything that was installed using the Microsoft Installer, the MSI packages installer. So we can scroll through; we see LibreOffice was installed with that.
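The walkthrough above collects the same handful of values from each subkey under Uninstall and under WOW6432Node by hand. The following Python is an added example, not code from the course, Registry Explorer or Microsoft: it parses the .reg text export that Registry Explorer and `reg export` write, so the values can be tabulated for both Uninstall keys in one pass and sorted into 64-bit and 32-bit installs by the key they live under. SAMPLE_EXPORT is a constructed export and its GUID-like key names are placeholders, not data from the Ivan hive. It goes a little beyond the lecture in handling the text InstallDate that MSI packages write and the SystemComponent flag, a real value name that hides an entry from the Control Panel list.

```python
"""Summarise installed programs from a .reg export of the Uninstall keys (added example)."""
import re
from dataclasses import dataclass, field

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
FIELDS = ("DisplayName", "DisplayVersion", "InstallLocation", "InstallSource",
          "InstallDate", "UninstallString", "EstimatedSize", "SystemComponent")


@dataclass
class Program:
    key: str
    arch: str                        # "x64" or "x86", from which Uninstall key it lives under
    values: dict = field(default_factory=dict)

    @property
    def install_date(self):
        raw = self.values.get("InstallDate")
        if isinstance(raw, str) and re.fullmatch(r"\d{8}", raw):
            return f"{raw[:4]}-{raw[4:6]}-{raw[6:]}"   # MSI writes InstallDate as YYYYMMDD text
        return None


def _decode_data(data):
    """Decode the right-hand side of a .reg value line: "text", dword:hex or hex(N):bytes."""
    if data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])   # drop the backslash escapes
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", data)
    if m:
        kind = int(m.group(1) or 3)
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind in (1, 2):                    # REG_SZ / REG_EXPAND_SZ are UTF-16LE in hex form
            return raw.decode("utf-16-le").rstrip("\x00")
        return raw
    return data


def parse_reg_export(text):
    """Return one Program per subkey of an Uninstall key found in the export."""
    programs, current, pending = [], None, ""
    for raw_line in text.splitlines():
        line = pending + raw_line.strip()
        if line.endswith("\\") and '"=hex' in line:   # hex data continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        key_match = KEY_RE.match(line)
        if key_match:
            parent, _, leaf = key_match.group(1).rpartition("\\")
            if parent.lower().endswith("currentversion\\uninstall"):
                arch = "x86" if "\\wow6432node\\" in parent.lower() else "x64"
                current = Program(key=leaf, arch=arch)
                programs.append(current)
            else:
                current = None            # some other key: ignore its values
            continue
        value_match = VALUE_RE.match(line)
        if current is not None and value_match:
            name, data = value_match.groups()
            if name in FIELDS:
                current.values[name] = _decode_data(data)
    return programs


def summarize(programs, include_hidden=False):
    """One row per program with the fields an analyst writes into the timeline."""
    return [{"name": p.values.get("DisplayName", p.key), "version": p.values.get("DisplayVersion"),
             "arch": p.arch, "install_date": p.install_date,
             "location": p.values.get("InstallLocation"), "source": p.values.get("InstallSource")}
            for p in programs if include_hidden or p.values.get("SystemComponent") != 1]


# Constructed .reg export (not from the Ivan hive); GUID-like names are placeholders
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EXAMPLE-GUID-0001}]
"DisplayName"="Example Office Suite"
"DisplayVersion"="7.1.0"
"InstallLocation"="C:\\Program Files\\Example Office\\"
"InstallSource"=hex(2):43,00,3a,00,5c,00,\
  00,00
"InstallDate"="20170320"
"EstimatedSize"=dword:00030d40

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Example Mail 52.2.0 (x86 en-US)]
"DisplayName"="Example Mail 52.2.0 (x86 en-US)"
"DisplayVersion"="52.2.0"
"InstallLocation"="C:\\Program Files (x86)\\Example Mail"
"UninstallString"="\"C:\\Program Files (x86)\\Example Mail\\uninstall\\helper.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EXAMPLE-GUID-0002}]
"DisplayName"="Example Update Helper"
"SystemComponent"=dword:00000001
"""

if __name__ == "__main__":
    for row in summarize(parse_reg_export(SAMPLE_EXPORT)):
        print(row)
```

Run it with `include_hidden=True` when building a timeline: entries flagged SystemComponent never appear in the Control Panel list the lecture compares against, so a hand check of that list alone would miss them. The key last write time is not part of a .reg export; take it from Registry Explorer as the lecture does.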
Some update helpers, C++, Windows 10 updates. So not too much really catching our fancy here. Maybe the FTK Imager there might, a little bit. Looks like somebody does use Dropbox. You would want to take a look at that and other places within the registry and out on the system. Now let's go back to our PowerPoint again. We talked about this: installed Microsoft applications, and they can either be global or for an individual user. And usually when you install this software, it'll ask you whether or not you want to make it available for this user only or all users on the system. We already took a look at this. The other type we're going to talk about is programs and file type association. Programs and file type association is another thing we will find in the software file. We're going to take a look at two subkeys here that relate to this file association. The big one, of course, is the Classes subkey. It is so big, it has its own HKEY, hive key. And we're going to take a look at the Applets subkey too. And Applets are little built-in programs or applications that come with Windows, like Notepad, Paint, Sticky Notes; it's something that comes as part of your standard Windows install. Classes is going to be the SOFTWARE root, Classes. It is right off the root, and it is going to show us file association for all different file types by extension. And we'll see that in just a minute. So we're going to go ahead and bring up Registry Explorer again. And we're going to take a look at these two subkeys, the Applets subkey and the Classes subkey. Applets are applications built into Windows. Classes are installed applications. And Classes shows us file association, meaning what type of software runs or opens what type of file. So let's go ahead and bring back up Registry Explorer and let's go ahead and collapse all our subkeys. And the first thing we're going to look at is Classes, and this is directly off the root. So you open up the root.
We open up Classes, and when we open up Classes, we see several file extensions, like many of them. And what this is, is when you're on your computer, if you haven't assigned a program for something to open with, or Windows doesn't know what to open it with, it's going to give you that Open With dialog box where you can pick from a few programs. Let's just take .docx for example; see this OpenWithList. This is going to be the programs you could pick from. This just has one; it's WordPad. So this is what Windows is telling you. It's saying, hey, pick one of these programs; it can open this type of file. But when we look at this OpenWithProgIDs, I'd say this is the program the user chose to open this file with. This is user selected. And when we look at that, we see that it's LibreOffice docx. So the important takeaway from here is you have the OpenWithList, which are suggestions from Windows on what you could use to open this type of program, and then you have our OpenWithProgIDs, which means that the user selected that particular program to open that particular file. The last subkey we're going to look at here is our operating system install date and time and the release ID. It's very important that we pay attention to the release ID, especially in Windows 10, because there are differences between releases. We're going to see in a second. The subkey name is CurrentVersion; its location is Microsoft\Windows NT\CurrentVersion. And this contains operating system install and some information. So let's go ahead and bring Registry Explorer back up and take a look at that. We can go to bookmarks, Common, and we can go to CurrentVersion, and we can see where we are down here, Microsoft\Windows\CurrentVersion. We can see this key does have a last write date and time; it does have quite a few subkeys beneath it. But what we want to see here is we want to see what's going on with our file system.
Let's make sure we're in Windows NT\CurrentVersion, Windows NT\CurrentVersion. And we can see here the edition is Professional. We have a build number, we have a version number, we have an install date. And of course this is going to be Unix numeric, and we could go ahead and copy the value data, bring up DCode, and go ahead and paste that in there. And this is a Unix numeric value. So we're going to want to decode it as Unix numeric for the date and time format; hit Decode. And here we have Saturday, 18 March 2017 at 04:01:20 UTC, Universal Time Coordinated. So that is our system install date. A couple of things about system install dates and investigations. If I'm doing a peer-to-peer type investigation where I've been receiving files, bad files, from a specific IP address, and I go through all the work, I go through the process: I serve a preservation request, I serve a search warrant to get the account subscriber information, I do all that to get it. And then I do another search warrant to go ahead and hit the house, and I do that. And when I do that, Joe Jones over there has his hard drive buried in the yard somewhere, or smashed, or something of that nature. So you want to make sure that your internet service providers are not notifying your suspects. Another thing you may see, less subtle, or more subtle than somebody destroying the computer, is somebody will try to cover their tracks. And I've actually dealt with this a couple of times. They'll try to cover their tracks by reinstalling Windows; they think that's going to get rid of everything. Well, it does not get rid of everything in the registry. If I reinstall Windows, if I have Windows 7 and I reinstall Windows 7 on top of Windows 7, or even 10, if I upgrade-install 10, I am going to get these files in my registry called Windows.old, and what they are is old backups of my old registry files.
So we can always use those to go through if we're seeing that our install date was yesterday or today or somewhere very recent, when we know we're probably not going to get a lot out of this registry without going to the Windows.old folders. That is a little bit beyond the scope of this class, but I just wanted to make you aware of it. In our next course, we're going to talk about wireless networks that the computer has connected to; we're going to look at that. We're also going to talk about Internet browsers and the default installed browser and the rest of the browsers that are installed on the system.
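The InstallDate decode done in DCode above, together with the reinstall check the lecture closes on, as an added Python example that is not code from the course, DCode or Registry Explorer. It takes the CurrentVersion values an analyst copies out of Registry Explorer, decodes InstallDate (a Unix epoch stored as a REG_DWORD), names the Windows 10 release from ReleaseId (or from DisplayVersion on 20H2 and later, where ReleaseId stays at 2009), and reports when the install date falls inside the investigation window or when other artefacts predate it, which is the cue to go looking for Windows.old. SAMPLE_CURRENT_VERSION is constructed so that its InstallDate decodes to the date the lecture shows; the product, build, investigation window and artefact timestamps are assumptions.

```python
"""Interpret Windows NT\\CurrentVersion values and flag a suspected reinstall (added example)."""
from datetime import datetime, timezone

# Windows 10 ReleaseId -> version name. From 20H2 onward ReleaseId is frozen at
# "2009" and the real version is in DisplayVersion.
RELEASE_NAMES = {"1507": "1507 (RTM)", "1511": "1511 (November Update)",
                 "1607": "1607 (Anniversary Update)", "1703": "1703 (Creators Update)",
                 "1709": "1709 (Fall Creators Update)", "1803": "1803", "1809": "1809",
                 "1903": "1903", "1909": "1909", "2004": "2004"}


def decode_install_date(value):
    """InstallDate is seconds since 1970-01-01 UTC; accept an int or the hex text tools display."""
    seconds = int(value, 16) if isinstance(value, str) else int(value)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def release_label(values):
    """Prefer DisplayVersion (20H2 and later), otherwise map ReleaseId to its name."""
    if values.get("DisplayVersion"):
        return values["DisplayVersion"]
    release = values.get("ReleaseId")
    return RELEASE_NAMES.get(release, release or "unknown")


def describe_current_version(values):
    installed = decode_install_date(values["InstallDate"])
    return {"product": values.get("ProductName"), "edition": values.get("EditionID"),
            "release": release_label(values), "build": values.get("CurrentBuild"),
            "installed": installed,
            "installed_utc": installed.strftime("%A %d %B %Y %H:%M:%S UTC")}


def reinstall_indicators(values, window_start, window_end, artifact_times=()):
    """Reasons to suspect the OS was reinstalled or upgraded during the investigation.

    artifact_times are timestamps of evidence that should predate the OS install
    (for example last write times of Uninstall subkeys or file creation times).
    """
    installed = decode_install_date(values["InstallDate"])
    reasons = []
    if window_start <= installed <= window_end:
        reasons.append(f"OS install date {installed:%Y-%m-%d} falls inside the investigation window")
    older = sum(1 for t in artifact_times if t < installed)
    if older:
        reasons.append(f"{older} artefact timestamp(s) predate the OS install; look for a Windows.old folder")
    return reasons


# Constructed sample values (assumed product/build; InstallDate 0x58ccb110 = 2017-03-18 04:01:20 UTC)
SAMPLE_CURRENT_VERSION = {"ProductName": "Windows 10 Pro", "EditionID": "Professional",
                          "ReleaseId": "1607", "CurrentBuild": "14393", "InstallDate": "58ccb110"}
# Assumed investigation window and two artefact timestamps (one predates the install)
WINDOW_START = datetime(2017, 3, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2017, 3, 31, tzinfo=timezone.utc)
ARTIFACT_TIMES = (datetime(2016, 11, 2, 9, 30, tzinfo=timezone.utc),
                  datetime(2017, 3, 20, 15, 0, tzinfo=timezone.utc))


def run_sample():
    return reinstall_indicators(SAMPLE_CURRENT_VERSION, WINDOW_START, WINDOW_END, ARTIFACT_TIMES)


if __name__ == "__main__":
    print(describe_current_version(SAMPLE_CURRENT_VERSION)["installed_utc"])
    for reason in run_sample():
        print("-", reason)
```

Feed artifact_times with the last write times the lecture reads off the Uninstall and WOW6432Node subkeys: any of them older than the OS install date can only have survived an in-place upgrade, which is exactly the case where the Windows.old copies of the previous hives are worth pulling.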