Hello and welcome back to Windows Registry Forensics, Core 6: the SYSTEM hive. The SYSTEM hive contains configuration and setting information about the system and about devices that have been attached to it, such as USB and other portable devices. It also contains information about programs and services that are started by the system itself. These are auto-start programs, started with little or no interaction from the user, and the user may not even be aware they are running. On the file system the hive is located at C:\Windows\System32\config, in a file named SYSTEM. On a live machine that file is loaded as HKEY_LOCAL_MACHINE\SYSTEM, which is what we saw when we looked at it in regedit. We're going to cover system settings and configuration, services set to run, devices such as USB devices that were attached to the system, the Windows prefetch parameters, ShimCache (also called AppCompatCache; they are the same artifact under two names you will commonly hear), and BAM, the Background Activity Moderator.

Before we start, download some tools. Open Explorer, Chrome or whatever browser you use, go back to Eric Zimmerman's tools page, and download AmcacheParser, AppCompatCacheParser (you can see it is described there as the ShimCache parser), and one more tool called Timeline Explorer.

In section one of this course we are going to talk about the subkeys of the SYSTEM hive that are of forensic interest to us. This is the list of what we're going to cover in section 1 of Core 6.
We're going to talk about determining the current control set, the control set that was in use the last time the computer was running. We'll take a look at the computer name, the last shutdown time, the crash dump settings and where the dump files are located, and the services set to run, meaning services started by the system itself rather than by the user. We'll look at the setting that controls whether the page file is cleared when the computer shuts down, the prefetch settings (whether prefetching is on, and for what), and the last access file time setting, the registry value that tells us whether NTFS is updating last access timestamps at all. We are going to take a look at all of those keys.

First, determining the current control set. As the slide shows, Microsoft states that a control set contains system configuration information such as device drivers and services. We determine which one was in use by looking at the Select key and its value named Current; the data of that value is the number of the current control set. On a live machine you will see at least two control sets, possibly more, and we need to determine which is the current one so that we are examining the configuration that was actually loaded when the computer was running.
That is not to say you never need to look at the other control set; it may hold historical information or something you are looking for specifically. But we want to be able to identify the current one, and to do that we examine the Select key. It is located right off the root of the hive and is simply named Select.

The next key is the computer name. The name may be one the user gave the machine during setup and installation, or the one it shipped with from the factory. It may or may not tell us much, but we want it because it has to be documented in the report. If you are dealing with a large intrusion or a large incident response involving several computers, you do not want to get confused about which information came from which machine, so document your computer names and know where to find them. The subkey is simply named ComputerName, which makes things easy for us. The location is ControlSet001 (or whatever your current control set is), then Control, then ComputerName, then a subkey also named ComputerName. Within that subkey the value named ComputerName holds the name of the computer.

We're also going to look at a subkey called Memory Management, which tells us whether the page file is being cleared at shutdown. That matters if we want to examine the page file, because the page file is where some memory (RAM) contents may be written out to the hard disk.
If you have used up your RAM, the system uses the page file as a swap file: things that are loaded in memory but not actively in use are moved out to the page file to make room for new things. If the page file is being cleared at shutdown, we want to know. A zero in the value data means the page file is not cleared; a one means it is cleared at shutdown, and that is something we would want to know before spending time on it.

The Services subkey lists the services, programs that run when the system boots, and this is a likely location for persistent malware. As I said, these run without interaction from the user and usually without the user even knowing they are running. If somebody wanted to put malware on the system and be sure it was persistent, in other words that it restarted every time the computer rebooted, this would be a good place to put it, and it would run with very high privileges because it is run by the system, not by the logged-on user. We'll take an in-depth look at services as we go through the exercise, but for now I wanted to show you what the subkey looks like. Underneath it, all of the services are listed, and the location is ControlSet001\Services, right off the root of the current control set. The values we care about under each service are, first, ImagePath. This points to the executable that runs the service, or it may point to svchost.exe; we'll talk about what to do when it does.
We'll also look at the DisplayName value, the friendly name shown for the service, and the Start value, which tells us how the service starts: at boot, automatically, only when something requests it, or not at all (disabled). This is what the values look like: ImagePath gives us the path the executable runs from, DisplayName gives the service's display name, and Start holds a number; we'll talk about what a three there means very shortly. Beneath a service's key there may be a subkey named Parameters. Its ServiceDll value gives the path and name of the DLL that is actually executed. So if ImagePath led you to svchost.exe and you were not sure what exactly was being run from there, Parameters is where you look next. We can see a service named AppMgmt, its Parameters subkey, and the ServiceDll that it executes.

We're also going to take a look at the last shutdown time. This simply tells us when the computer was last shut down, and the value is a 64-bit little-endian FILETIME (100-nanosecond intervals since 1601-01-01 UTC). It means the computer actually went through the shutdown process; if you pulled the plug from the back of the computer, you are not going to see that time recorded, because the system never went through a shutdown. This is the last time the computer shut down properly. At the top you can see the ShutdownTime value with its eight bytes of hex.
When we decode those eight bytes as a 64-bit little-endian FILETIME we get a date and time of January 30th, and if we look at the last write timestamp of the Windows subkey itself, we can see that the two match.

Crash dump settings: when the computer crashes, a dump file is created. The key is ControlSet001\Control\CrashControl. The values to look at are DumpFile and MinidumpDir, which together tell us where dump files reside: DumpFile names the full dump file (by default %SystemRoot%\MEMORY.DMP) and MinidumpDir the directory that holds minidumps (by default %SystemRoot%\Minidump). If we look on the computer, under C:\Windows we see a directory called Minidump, and inside it a dump file with its date and time. We could analyze that dump with other tools.

We're also going to take a look at the prefetch parameters, and talk a little about what Windows prefetch is. The subkey is PrefetchParameters, located under Memory Management. Its EnablePrefetcher value can hold 0, 1, 2 or 3: 0 means prefetching is disabled, 1 means it is enabled for application launching, 2 means boot prefetching only, and 3 means both boot and application-launch prefetching are enabled. Prefetch monitors applications and files as they are launched and records the loading order of the files so they can be retrieved faster the next time the application or file is accessed. This information is stored in .pf files, located on the file system at C:\Windows\Prefetch; you will see that directory, and the .pf files within it.
The next time the application is launched or the file is opened, prefetch speeds up the process by loading the necessary files.

We're also going to take a look at whether last access timestamps are enabled or disabled. Starting with Windows Vista, last access updates are disabled by default. The value name, shown at the bottom, is NtfsDisableLastAccessUpdate: a one means updates are disabled and a zero means they are enabled. So on anything Vista or later, somebody would have had to go in and change that setting for last access times to be maintained. When we talk about last access times we're talking about one of the three file times you will see: created, modified, and accessed, often referred to as MAC times (modified, accessed, created). The one that is not being updated is the access time; the modified time is still updated and the creation time is still there. There is also a fourth timestamp dealing with the master file table, the MFT entry modified time, which just means something changed in that MFT entry.

Without further ado, let's go through the walk-through. During it we'll determine the current control set, find the computer name, find the last shutdown time, look at the crash dump settings and location, look at services and talk a little more about them, and check whether the page file is cleared at shutdown, what the prefetch settings are, and what the last access file time setting is. Go ahead and bring up Registry Explorer. If you have not done so already, load the hive exported from the Ivan image: File, Load hive.
Navigate to where you saved the SYSTEM file exported from the Ivan image, click "Open", and the file will load. The first key we look at is "Select", because the first thing we do is determine which is our current control set. Select is right off ROOT: expand F: (or whatever your drive letter is), expand ROOT, and look at the Select key. Checking the value Current, we see that it is 1. This tells us our current control set is ControlSet001, the control set that was loaded when the system was running, and that is why it's important to know.

Once we've determined the current control set, we look at the computer name. Expand "ControlSet001", expand "Control", and look for "ComputerName". Expand "ComputerName" and highlight the subkey beneath it, also named ComputerName. We can see a last write date and time, which is probably going to be very close to the install date, and we can see what the computer name was. You definitely want to document this computer name for your report. It becomes especially important when you are examining multiple computers in relation to the same case; things get really confusing if you don't.

The next subkey is the last shutdown time, the time the computer last went through a complete, proper shutdown. We find it in ControlSet001 (our current control set, as determined at the beginning), under "Control", in the "Windows" key. Find the Windows key and look at the ShutdownTime value.
As we saw earlier in the slides, this value, eight bytes read as a 64-bit little-endian FILETIME, is going to match the last write time of the Windows subkey. If you want to double-check, decode it with DCode. You don't have to follow along; I'm just showing that when you decode those bytes you get the same date and time as the key's last write time: January 30th, 2020, 17:36:40, versus 17:36:41 on the key. A one-second difference, which just reflects when the key was written, but the date and time correlate.

The next subkey is "CrashControl", our crash dump settings. Still in "ControlSet001", our current control set, under "Control", look for "CrashControl". As we highlight it, the values show where the dump files are located and what they are named: the DumpFile value points to MEMORY.DMP under %SystemRoot%, and the MinidumpDir value points to the Minidump directory, also under %SystemRoot%. That's the same thing we saw in the slides from an actual running computer. We could use memory tools such as Volatility, or other tools of your choice, to examine a dump file for more information; for now we want to know where it is and that it exists.

Now we take a look at "Services", also in our current control set, "ControlSet001". What's really nice about this tool is that it gives us pretty much everything we need to know right here. Starting from the top, we have the "Services" key with its last write time, and, as in the slide, which was taken from this Ivan computer, all the services listed down below.
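Before going through the columns one by one, here is an added Python example of the kind of triage pass you would run over an exported services CSV. It is my own code, not code from the course or from Eric Zimmerman's tools. The column names, the trusted-directory baseline, the list of well-known service names and the sample rows are all constructed for the example, and it assumes Windows is installed on C:. It decodes Start, pulls the binary out of ImagePath, and flags auto-start services running from outside the standard directories, svchost-hosted services with no Parameters\ServiceDll, unquoted paths containing spaces, and names that are an edit or two away from a built-in service:

```python
import csv
import io

# SERVICE_*_START values of the Start value under each Services\<name> key.
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

# Baseline of where service binaries are expected to live and of service names
# worth comparing against. Both are assumptions for this example; a real
# baseline comes from a known-good image of the same Windows build.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
KNOWN_SERVICE_NAMES = ("EventLog", "Spooler", "AppMgmt", "Schedule", "BITS", "wuauserv", "WinDefend")

# Constructed export, loosely modelled on a services CSV from Registry Explorer
# (the column names are this example's own, not the tool's).
SAMPLE_CSV = r'''Name,DisplayName,Start,ImagePath,ServiceDll
EventLog,Windows Event Log,2,C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted,%SystemRoot%\System32\wevtsvc.dll
AppMgmt,Application Management,3,%SystemRoot%\system32\svchost.exe -k netsvcs,%SystemRoot%\System32\appmgmts.dll
Spooler,Print Spooler,2,%SystemRoot%\System32\spoolsv.exe,
vmtools,VMware Tools,2,"""C:\Program Files\VMware\VMware Tools\vmtoolsd.exe""",
EvenLog,Windows Event Log,2,C:\Users\Public\Libraries\evenlog.exe,
WinUpdater,Windows Update Helper,2,C:\Windows\System32\svchost.exe -k netsvcs,
BackupAgent,Backup Agent,2,C:\Program Files\Acme Backup\agent.exe,
'''


def decode_start(value):
    """Translate the numeric Start value into its service start type."""
    return START_TYPES.get(int(value), "Unknown(%s)" % value)


def binary_from_image_path(image_path):
    """Pull the executable out of an ImagePath, dropping svchost/driver arguments."""
    p = image_path.strip()
    if p.startswith('"'):                      # quoted path: take what is inside the quotes
        end = p.find('"', 1)
        return p[1:end] if end > 0 else p[1:]
    low = p.lower()
    for ext in (".exe", ".sys", ".dll"):       # unquoted: cut after the first binary extension
        i = low.find(ext)
        if i != -1:
            return p[:i + len(ext)]
    return p.split(" ")[0]                     # last resort: first token


def normalize(path):
    """Lower-case and expand the usual system-root spellings so prefixes compare."""
    low = path.strip().strip('"').lower()
    for token in ("%systemroot%", "\\systemroot", "systemroot"):
        if low.startswith(token):
            low = "c:\\windows" + low[len(token):]   # assumes Windows lives on C:
            break
    if low.startswith("system32\\"):                 # driver-style relative path
        low = "c:\\windows\\" + low
    return low


def levenshtein(a, b):
    """Plain edit distance, used to spot lookalike service names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_services(csv_text):
    """Return {service name: [findings]} for the services that deserve a closer look."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        notes = []
        name, start = row["Name"], int(row["Start"])
        binary = binary_from_image_path(row["ImagePath"])
        norm = normalize(binary)
        auto = start in (0, 1, 2)                    # starts without anyone logging on
        if auto and not norm.startswith(TRUSTED_PREFIXES):
            notes.append("%s start from non-standard location: %s" % (decode_start(start), binary))
        if norm.endswith("\\svchost.exe") and not row["ServiceDll"].strip():
            notes.append("svchost-hosted but Parameters\\ServiceDll is missing")
        if row["ServiceDll"].strip() and not normalize(row["ServiceDll"]).startswith(TRUSTED_PREFIXES):
            notes.append("ServiceDll outside standard locations: %s" % row["ServiceDll"])
        if not row["ImagePath"].strip().startswith('"') and " " in binary:
            notes.append("unquoted ImagePath containing spaces: %s" % binary)
        for known in KNOWN_SERVICE_NAMES:
            if name.lower() != known.lower() and levenshtein(name.lower(), known.lower()) <= 2:
                notes.append("name resembles built-in service %s" % known)
        if notes:
            findings[name] = notes
    return findings


if __name__ == "__main__":
    for svc, notes in triage_services(SAMPLE_CSV).items():
        print(svc)
        for note in notes:
            print("   ", note)
```

Run as-is it reports the three constructed suspects (EvenLog, WinUpdater and BackupAgent) and stays quiet on the rest. Every rule encodes a piece of the baseline the walkthrough says you need, so tune the directory and name lists to a known-good image of the same build before trusting a clean result.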
If you look through the services you will see the DisplayName, the Type, and the Start value, and beneath each service key the Parameters subkey. This particular service has nothing of note there, because its ImagePath takes us straight to the binary. But for one whose ImagePath comes back to svchost.exe (and you can have a lot of svchost.exe processes running on a computer at the same time) we would look in the Parameters subkey to find the actual DLL being run.

Going back to the top: this is why we downloaded Timeline Explorer. You can export this view to a CSV file and save it out on your computer. Then open it in Timeline Explorer with File, Open, navigate to where you saved the CSV, select it and click "Open". Looking at the services rows, we get the key last write time and the Parameters subkey last write time. We have a Group, an ImagePath that shows where the executable is located and what it is named, and a ServiceDll where one is used (some services have them, a lot do not). You will also see something very interesting: the RequiredPrivileges, which lists the privileges the service runs with. That can be very important, especially in an intrusion or malware case. We have quite a bit of information here: the key last write time, the service, and the Start mode, which tells us whether the service is disabled, manual (some action has to start it), boot, or automatic. There are five possible Start values; one of them is disabled.
Manual means some action must occur before the service starts, though the user may not know that their action is starting it. Boot means it starts when the computer boots, and automatic means it is started by the Service Control Manager once the boot process is under way. If you were doing an incident response, you would go through here and see whether anything doesn't look right: a service with no description, or a file path that isn't going where you expect. If you know a certain service always runs from System32, or from a particular directory, and you see it running from somewhere else, take a closer look. Lookalike names are another trick used a lot: we know where the event log service is supposed to run from, and if we see a name that looks like it but is spelled slightly differently, and its path doesn't quite follow what you'd expect, then something may not be right. Services are one of those things that, in an incident response case, you examine carefully: how each is set to run, what type it is, its key and Parameters last write times, which group it is in, its path, its privileges, and any ServiceDll it loads. But whenever you are doing an investigation like that, you need to know the baseline of what you are looking at so you can tell what doesn't belong.

Let's take a look at the Start values one more time; we'll minimize this and pick one out. A Start value of 0 means boot start: the driver is loaded by the boot loader before the kernel runs. A Start value of 4 (hex 04) means the service is disabled.
A Start value of 2 means the service is automatic: it is started by the Service Control Manager as the system comes up. A Start value of 3 means manual, or on demand: something has to request the service before it starts, and the user may not know that the thing they did triggered it, especially with malware. Printing, shutting down, logging off or logging on, or some other function may start the service; that is an action the user takes, but it does not mean the user is aware that the action triggers this program. Keep that in mind when you look at it. For completeness, the remaining value, 1, is system start: drivers loaded during kernel initialization, right after the boot-start ones. Remember also that you have that nice master sheet showing everything: names, descriptions, paths, Start values and how they are set to run, dates, the Parameters subkey date, groups and privileges. A lot of information, definitely worth exporting and putting into Timeline Explorer to take a look at.

The next subkey is the page file cleared at shutdown setting, under Memory Management. The path is our current control set, ControlSet001, then Control, Session Manager, Memory Management. The value we're interested in is ClearPageFileAtShutdown, and here it is set to 0: our page file is not being cleared at shutdown. If it were a 1, the page file would be cleared at shutdown.

The next key is PrefetchParameters, which gives us our settings for prefetch.
If we expand Memory Management, directly under it we see PrefetchParameters. The value we look at is EnablePrefetcher. As discussed, it can be 0, 1, 2 or 3: 0 means prefetching is disabled, 1 means it applies only to application launching, 2 means boot prefetching only, and 3 means both boot and application-launch prefetching are enabled. We have a 3, so both are enabled. We talked about what prefetching is: it monitors applications and files as they launch and records the loading order of the files so they can be retrieved quickly the next time the application or file is accessed. That is stored in the .pf files in the Prefetch folder under C:\Windows. The next time the application is launched or the file is opened, prefetch speeds up the process by loading the necessary files. Prefetch itself is not in the registry, but you are going to care about its settings, because prefetch tells us a lot: which application ran and when.

I exported a batch of prefetch files with another tool from Eric Zimmerman, PECmd, a command-line tool. This is a little outside the scope of a registry class, since we're now looking at the file system and at items located outside the registry, but I wanted you to get an idea of the amount of information held in prefetch. We can see run times, and you get two CSV outputs.
The second CSV gives us even more: the source file name, its modified and accessed times, the executable name, a hash value, the version of Windows, a run count, and the last run time. It also talks about the volume name, meaning which volume (partition, loosely speaking) the file ran from. You can see exactly which EXE we're talking about: Task Manager, VMware, and so on. What's really great is the hash: if there were a bad file in there, something that was not supposed to be running, we would be able to check it by hash. You can also see the Snipping Tool, which might be important in an intellectual property or data exfiltration case: somebody using the Snipping Tool to take screenshots of company property and emailing them to themselves, or pasting them into a document or into OneNote and getting them out that way. There are a lot of ways, and a lot of things you'll want to look at here. We have the accessed time, the name of the executable, a hash value, a run count (23 times might be a lot or might not, depending on somebody's job), and the last run time. If it ran 23 times and was last run the day somebody walked out of the office or was terminated, that might be important information. Again, this is prefetch on the file system rather than in the registry, but the place to start is the PrefetchParameters key, to see whether prefetch is enabled or not, because if it is disabled, or enabled only for boot, you are not going to get those application-specific entries.
Our prefetch settings play a big part in what we can get from the file system in our investigation.

The next thing I wanted to look at is the access dates: are last access dates being updated or not? This is again in our current control set (we determined it was 1, and this particular virtual machine only has the one), under Control, FileSystem. The value we want is NtfsDisableLastAccessUpdate. It can be a 1 or a 0: here it is 1, so last access updating is disabled. If it were a 0, last access updates would be enabled. In Windows Vista and above this is turned off by default; Microsoft did that to improve the speed of the operating system. As a result the access date typically just echoes when the file was created on that volume rather than when it was last read. Even though the column is still called the last accessed date, if this registry value is 1, don't get caught: it is not a record of last access. You will still have a modified date, which tells you if changes were made to the file, but nothing that tells you it was merely opened. This is the default on Vista and above, and if you want to know for sure for the machine in front of you, this registry value is where you look. One caveat: on Windows 10 1803 and later the value is a small bitfield rather than a plain 0 or 1. Bit 1 marks a system-managed setting (values 2 and 3, and Windows also sets the 0x80000000 flag on it), while bit 0 still says whether updates are disabled, so check the low bit rather than comparing the whole value against 1.

In our next section we're going to talk about devices, specifically USB devices that were attached to the system. We'll look through the SYSTEM hive and see where we can find information about devices that were attached to the system.
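As an added closing example for the values decoded in this walkthrough (my own code, not code from the course), the following Python turns the raw values an examiner copies out of Registry Explorer into report lines: Select\Current into the control set name, the eight ShutdownTime bytes into a UTC datetime, ClearPageFileAtShutdown, the EnablePrefetcher bitmask, and NtfsDisableLastAccessUpdate including the Windows 10 1803+ bitfield form. The sample values are constructed; the ShutdownTime bytes were generated for 2020-01-30 17:36:40 UTC to match the walkthrough's date and are not the bytes from the Ivan image.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME epoch: 1601-01-01 UTC, counted in 100-nanosecond ticks.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample values, keyed by their path below HKLM\SYSTEM\CurrentControlSet
# (Select\Current sits at the hive root). ShutdownTime was generated for
# 2020-01-30 17:36:40 UTC; it is not the value from the course image.
SAMPLE_VALUES = {
    "Select\\Current": 1,
    "Control\\Windows\\ShutdownTime": bytes.fromhex("000458d493d7d501"),
    "Control\\Session Manager\\Memory Management\\ClearPageFileAtShutdown": 0,
    "Control\\Session Manager\\Memory Management\\PrefetchParameters\\EnablePrefetcher": 3,
    "Control\\FileSystem\\NtfsDisableLastAccessUpdate": 0x80000002,  # Win10 1803+ default form
}


def filetime_to_datetime(raw):
    """Decode an 8-byte little-endian FILETIME (REG_BINARY) into an aware UTC datetime."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes, got %d" % len(raw))
    ticks, = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse: the 8 bytes to search for when carving for a known UTC timestamp."""
    micros = (dt - FILETIME_EPOCH) // timedelta(microseconds=1)
    return struct.pack("<Q", micros * 10)


def current_control_set(select_current):
    """Select\\Current holds the number of the control set that was live."""
    return "ControlSet%03d" % int(select_current)


def decode_enable_prefetcher(value):
    """EnablePrefetcher is a bitmask: bit 0 = application launch, bit 1 = boot."""
    v = int(value)
    modes = tuple(name for bit, name in ((1, "application launch"), (2, "boot")) if v & bit)
    return modes or ("disabled",)


def decode_last_access(value):
    """NtfsDisableLastAccessUpdate: bit 0 set = updates disabled. On Windows 10 1803+
    bit 1 marks a system-managed setting and Windows also sets 0x80000000 on it,
    so only the low two bits are interpreted."""
    v = int(value) & 0x3
    return ("disabled" if v & 1 else "enabled",
            "system managed" if v & 2 else "user managed")


def summarize(values):
    """Turn raw SYSTEM hive values into the lines that go in the report."""
    mm = "Control\\Session Manager\\Memory Management\\"
    state, mode = decode_last_access(values["Control\\FileSystem\\NtfsDisableLastAccessUpdate"])
    return {
        "current_control_set": current_control_set(values["Select\\Current"]),
        "last_clean_shutdown_utc": filetime_to_datetime(values["Control\\Windows\\ShutdownTime"]).isoformat(),
        "pagefile_cleared_at_shutdown": bool(int(values[mm + "ClearPageFileAtShutdown"])),
        "prefetch": decode_enable_prefetcher(values[mm + "PrefetchParameters\\EnablePrefetcher"]),
        "last_access_updates": "%s (%s)" % (state, mode),
    }


if __name__ == "__main__":
    for key, val in summarize(SAMPLE_VALUES).items():
        print("%-30s %s" % (key, val))
```

The decoded time is UTC, which is what the hive stores; convert to local time only when you report it, and say which you did. datetime_to_filetime is there for the reverse case, when you know a time of interest and want the byte pattern to search for in other binary values or carved data.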