Sunday, May 19, 2019

Windows 10 Specific Registry Keys

The registry is a fascinating place; it has been described as the heart of the OS, the place where its configuration is stored.

With new features, user-experience changes and updates, Windows 10 has moved some registry locations and added new ones, so an examiner used to the Windows 7 paths needs an updated map.

Referencing a wonderful source of registry information, the DFIR Training site's "WINDOWS FORENSICS REGISTRY LIST":
https://www.dfir.training/resources/downloads/windows-registry



The Windows 10 specific keys from that list are below, given as hive file and key path; where an entry refers to a single value, the value name follows a slash. Note that the Edge entries describe the original EdgeHTML-based Edge (package version 20.10240.16384.0 is the Windows 10 build 10240 release), so the version string inside the package name is different on later builds.

App Information
UsrClass.dat\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages\Microsoft.Microsoftedge\Microsoft.MicrosoftEdge_20.10240.16384.0_neutral__8wekyb3d8bbwe\MicrosoftEdge\Capabilities\FileAssociations

App Install Date/Time
UsrClass.dat\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Families\Microsoft.Microsoftedge_8wekyb3d8bbwe\Microsoft.MicrosoftEdge_20.10240.16384.0_neutral__8wekyb3d8bbwe / InstallTime

Camera App
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.jpg&ls=0&b=0

Common Dialog
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\.vhd

Cortana Search
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com/search?q=

Cortana Search
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.&input=2&FORM=WNSBOX&cc=US&setlang=en-US&sbts=/ 0

Disk Class Filter Driver stdcfltn
SYSTEM\ControlSet001\services\stdcfltn

Edge Browser Favorites, Edge Favorites
UsrClass.dat\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\ / Order

Edge History Days to Keep
UsrClass.dat\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetSettings\Url History / DaysToKeep

Edge Typed URLs
UsrClass.dat\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs

Edge Typed URLs Time
UsrClass.dat\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsTime

Edge Typed URLs Visit Count
UsrClass.dat\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsVisitCount

EFS Attribute in File Explorer Green Color
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Favorites
UsrClass.dat\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\

File Access Windows Apps
UsrClass.dat\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\\PersistedStorageItemTable\ManagedByApp

History - Days to Keep
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Url History /DaysToKeep

History days to keep
UsrClass.dat\SOFTWARE\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\ Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetSettings\Url History /DaysToKeep

Identity
settings.dat\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities\

Identity Live Account
NTUSER\SOFTWARE\Microsoft\15.0\Common\Identity\Identities\

IE/Edge Auto Passwd
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2

If hidden from timeline view, key is present
HKCU\Software\Microsoft\Windows\CurrentVersion\ActivityDataModel\ActivityAccountFilter\

Links a ConnectedDevicePlatform PlatformDeviceId to the name, type, etc of the device
HKCU\Software\Microsoft\Windows\CurrentVersion\TaskFlow\DeviceCache

Live Account ID
NTUSER.DAT\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Identities\_LiveId

Live Account ID
NTUSER.DAT\SOFTWARE\Microsoft\IdentityCRL\UserExtendedProperties\/ cid

Live Account ID
NTUSER.DAT\SOFTWARE\Microsoft\AuthCookies\Live\Default\CAW / Id

Office Word OneDrive Sync Roaming Identities
NTUSER.DAT\Software\Microsoft\Office\\Common\Roaming\Identities\Settings\1133\\ListItems\\

OneDrive App Info
NTUSER.DAT\SOFTWARE\Microsoft\OneDrive

OneDrive User ID and Login URL
NTUSER.DAT\SOFTWARE\Microsoft\AuthCookies\Live\Default\CAW

OneDrive User ID Associated with User
NTUSER.DAT\SOFTWARE\Microsoft\IdentityCRL\UserExtendedProperties\/ cid

OneDrive User ID, Live ID
NTUSER.DAT\SOFTWARE\Microsoft\Office\\Common\Identity\Identities\_LiveId

OneNote User Information
Settings.dat\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities\_LiveId

Password Face Enabled
SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\FaceLogon\

Photos App Associated User
Settings.dat\LocalState\OD\

Place MRU
NTUSER\SOFTWARE\Microsoft\Office\15.0\Word\User MRU\LiveId#>\Place MRU

Reading Locations
NTUSER\SOFTWARE\Microsoft\Office\15.0\Word\Reading Locations

Recent Docs
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.&input=

RecentApps
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps

RecentDocs
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

RecentDocs
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.iso

RecentDocs
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.vhd

RecentDocs for .jpg
NTUSER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.jpg

RecentDocs for .jpg
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.jpg&ls=0&b=0

Recycle Bin Info
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\

Regedit Last Key Saved
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey

Register.com search
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts / .com

Roaming Identities (1125 PowerPoint, 1133 Word, 1141 Excel)
NTUSER.DAT\SOFTWARE\Microsoft\Office\15.0\Common\Roaming\Identities\\

Run subkey - Active
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run / OneDrive

Shared data to: e-mail
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharingMFU

Shared Photos
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharingMFU

Shared photos
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharingMFU

Sharing MFU
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\SharingMFU

Shell Bags
NTUSER.DAT\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop

Skype App Install
HKEY_CLASSES_ROOT\ActivatableClasses\Package\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c

Skype Assoc. Files 1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-skype

Skype Assoc. Files 2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.skype

Skype Assoc. Files 3
HKEY_CURRENT_USER\SOFTWARE\Classes\.skype

Skype Assoc. Files 4
HKEY_CLASSES_ROOT\.skype

Skype Install Path
HKEY_CURRENT_USER\SOFTWARE\Skype\Phone

Skype Installation
HKEY_CLASSES_ROOT\AppX(RandomValue)

Skype Language
HKEY_CURRENT_USER\SOFTWARE\Skype\Phone\UI\General

Skype Process Name
HKEY_LOCAL_MACHINE\SOFTWARE\IM Providers\Skype

Skype Update App ID
HKEY_CLASSES_ROOT\AppID\{27E6D007-EE3B-4FF7-8AE8-28EF0739124C}

Skype User List
HKEY_CURRENT_USER\SOFTWARE\Skype\Phone\Users\

Skype Version 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\(UID)\(UID)

Skype Version 2
HKEY_CLASSES_ROOT\Installer\Products\74A569CF9384AC046B81814F680F246C

TaskBar Application List
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband / FavoritesResolve

Trusted Documents
NTUSER\SOFTWARE\Microsoft\Office\15.0\Word\Security\Trusted Documents\TrustRecords

Trusted Locations
NTUSER\SOFTWARE\Microsoft\Office\15.0\Word\Security\Trusted Locations

TypedURLs
UsrClass.dat\SOFTWARE\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs

TypedURLs
NTUSER.DAT\SOFTWARE\Microsoft\Internet Explorer\TypedURLs

TypedURLs Hyperlink
NTUSER.DAT\SOFTWARE\Microsoft\Internet Explorer\TypedURLs

TypedURLsTime
UsrClass.dat\SOFTWARE\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsTime

TypedURLsTime
NTUSER.DAT\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime

TypedURLsVisitCount
UsrClass.dat\SOFTWARE\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsVisitCount
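A list of paths is only useful once you can read them out of an offline hive. The script below is an added example, not part of the original post or of the DFIR Training list: it loads an NTUSER.DAT copied out of an image and turns the Internet Explorer TypedURLs / TypedURLsTime keys listed above into a timeline. Each url<N> string value in TypedURLs has a matching 8-byte REG_BINARY FILETIME value of the same name in TypedURLsTime. The hive path is an assumed example location, and reg.exe load needs an elevated prompt.

```powershell
# Added example (not from the original post): read TypedURLs + TypedURLsTime from an
# offline NTUSER.DAT and pair each url<N> with its FILETIME.
$hivePath  = 'C:\cases\user1\NTUSER.DAT'     # assumed: hive extracted from the image
$mountName = 'HKU\ForensicHive'              # temporary mount point, unloaded in finally

function Get-TypedUrlTimeline {
    param([string]$Base)   # e.g. Registry::HKU\ForensicHive\SOFTWARE\Microsoft\Internet Explorer
    $urls  = Get-ItemProperty -Path "$Base\TypedURLs"     -ErrorAction SilentlyContinue
    $times = Get-ItemProperty -Path "$Base\TypedURLsTime" -ErrorAction SilentlyContinue
    if (-not $urls) { return }
    foreach ($p in $urls.PSObject.Properties) {
        if ($p.Name -match '^url(\d+)$') {           # skips PSPath/PSParentPath metadata
            $slot = [int]$Matches[1]
            $when = $null
            $raw  = $times.($p.Name)                 # byte[] or $null if the key is absent
            if ($raw -is [byte[]] -and $raw.Length -eq 8) {
                $ft = [BitConverter]::ToInt64($raw, 0)   # little-endian 64-bit FILETIME
                if ($ft -gt 0) { $when = [DateTime]::FromFileTimeUtc($ft) }
            }
            [pscustomobject]@{ Slot = $slot; Url = $p.Value; LastTypedUtc = $when }
        }
    }
}

reg.exe load $mountName $hivePath | Out-Null
try {
    Get-TypedUrlTimeline -Base "Registry::$mountName\SOFTWARE\Microsoft\Internet Explorer" |
        Sort-Object Slot | Format-Table -AutoSize
}
finally {
    [GC]::Collect()                              # release provider handles so the unload succeeds
    reg.exe unload $mountName | Out-Null
}
```

The same function works for the Edge entries above if you load UsrClass.dat instead and point -Base at the ...\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge key, provided its values follow the same url<N> naming. If reg.exe unload reports the hive is in use, something (often a regedit window or another PowerShell session) still holds a key under the mount point open.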






References:
Shavers, B. (2019, February 12). Windows Registry. Retrieved from https://www.dfir.training/resources/downloads/windows-registry

Microsoft. Registry Hives (Windows applications). Retrieved from https://docs.microsoft.com/en-us/windows/desktop/SysInfo/registry-hives
Sunday, May 12, 2019

Processing an Image with Axiom Process




Create a new case


Going to use images from NIST's Computer Forensic Reference Data Sets (CFReDS) site:



Personal Computer (PC) – 'EnCase' Image
  • Download links: pc.E01, pc.E02, pc.E03, pc.E04 (7.28 GB total, EnCase-compressed), each with a published hash
  • Imaging software: EnCase Imager 7.10.00.103
  • Image format: E01 (Expert Witness Compression Format), converted from VMDK
  • Published hashes (40 hex digits, i.e. SHA-1):
      cfreds_2015_data_leakage_pc.E01   72432916933F5A309A8C456B40C9601D1F8D2A4F
      cfreds_2015_data_leakage_pc.E02   0CAF4261ED8432A8B3BAA019B1B28FDF96F79130
      cfreds_2015_data_leakage_pc.E03   BE836C891736C4C0C2253C6803399BF0F2A599BA
      cfreds_2015_data_leakage_pc.E04   9159BFFD56097495F73FBBF967B75EB288B1E3DE


Using PowerShell to retrieve the image files from the site to the desktop. Run the first command once, then the second once per segment (E01 through E04), changing both file names each time. Keep the same base name for all four segments, since an E01 reader locates E02 onward by the base name of the file you open:
  • $client = New-Object System.Net.WebClient
  • $client.DownloadFile("https://www.cfreds.nist.gov/data_leakage_case/images/pc/cfreds_2015_data_leakage_pc.E01", "C:\Users\bryan\Desktop\Data_Leakage_pc.E01")
*needs to be done for E01 - E04
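Before any of this goes into a case the segments should be checked against the hashes NIST publishes; a mismatch means a corrupt or tampered download. The script below is an added example, not from the original post: it downloads the four segments in a loop and verifies each against the values listed above. The destination folder is an assumed path.

```powershell
# Added example (not from the original post): fetch the four E01 segments and verify
# each against the published SHA-1 before it is added to the case.
$baseUrl  = 'https://www.cfreds.nist.gov/data_leakage_case/images/pc/'
$dest     = 'C:\cases\cfreds'                    # assumed local evidence folder
$expected = @{                                   # values copied from the listing above
    'cfreds_2015_data_leakage_pc.E01' = '72432916933F5A309A8C456B40C9601D1F8D2A4F'
    'cfreds_2015_data_leakage_pc.E02' = '0CAF4261ED8432A8B3BAA019B1B28FDF96F79130'
    'cfreds_2015_data_leakage_pc.E03' = 'BE836C891736C4C0C2253C6803399BF0F2A599BA'
    'cfreds_2015_data_leakage_pc.E04' = '9159BFFD56097495F73FBBF967B75EB288B1E3DE'
}

# Older .NET defaults can refuse TLS 1.2-only sites; force it before using WebClient.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -ItemType Directory -Path $dest -Force | Out-Null
$client  = New-Object System.Net.WebClient
$allGood = $true

foreach ($name in ($expected.Keys | Sort-Object)) {
    $out = Join-Path $dest $name
    if (-not (Test-Path -LiteralPath $out)) {
        $client.DownloadFile($baseUrl + $name, $out)   # several GB per segment
    }
    $actual = (Get-FileHash -LiteralPath $out -Algorithm SHA1).Hash
    $ok = ($actual -eq $expected[$name])             # -eq is case-insensitive for strings
    if (-not $ok) { $allGood = $false }
    [pscustomobject]@{ File = $name; SHA1 = $actual; Match = $ok }
}

if (-not $allGood) { throw 'Hash mismatch: do not add these segments to the case.' }
```

The script skips a segment that is already on disk, so a failed download can be resumed by deleting the bad file and running it again; the hash check still runs on every file, which is the point.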





Open Magnet's Axiom Process 

Filling in case details
Selecting Evidence source.  In this case it is a Windows Computer image
Load the evidence image file

Select the image option

Evidence sources added
These are the locations on the disk image (volumes and partitions) from which artifacts will be processed.
Options for further processing. Keyword searches can be added here and scoped by artifact type.
Select Analyze. Magnet AXIOM Examine opens and shows a progress circle with the percentage complete and the elapsed processing time.


Processing in progress, with the current percentage shown
Next post will be showing the examination piece of this evidence image, once done processing.



Reference:
NIST.(2019). Data Leakage Case. Retrieved from https://www.cfreds.nist.gov/data_leakage_case/data-leakage-case.html
Wednesday, May 8, 2019

Zip it Good - CLI ZIP with PowerShell

Compress-Archive with PowerShell

Compress-Archive
        [-Path] <String[]>
        [-DestinationPath] <String>

Example

Compress-Archive -Path <files to compress (comma separated)> -DestinationPath Output.zip


Files intended to be zipped into one archive



The command "Compress-Archive -Path .\* -DestinationPath '.\CLIzip.zip'" compresses everything in the current folder into the named zip file.
The zip folder was created






Expand-Archive with PowerShell

Expand-Archive [-Path] <String> [[-DestinationPath] <String>]

Example

Expand-Archive -Path <ZippedFolder.zip> -DestinationPath <Output Path>

Decompressing CLIzip.zip with -Force, so that files already present in the destination are overwritten


The original files have been unzipped
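The two steps above, compress and then expand with -Force, are put together below with a hash comparison of every file before and after, so you know the archive is a faithful copy before you send or store it. This is an added example and not code from the original post; the scratch folder under $env:TEMP is an assumed location, and the three sample files are constructed by the script itself.

```powershell
# Added example (not from the original post): Compress-Archive / Expand-Archive round trip
# with a per-file SHA-256 comparison.
$work   = Join-Path $env:TEMP 'clizip-demo'      # assumed scratch folder
$src    = Join-Path $work 'files'
$zip    = Join-Path $work 'CLIzip.zip'
$outDir = Join-Path $work 'unzipped'

Remove-Item -LiteralPath $work -Recurse -Force -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path (Join-Path $src 'sub') -Force | Out-Null
# Constructed sample input: three small files, one of them in a subfolder.
'alpha'   | Set-Content -LiteralPath (Join-Path $src 'a.txt')
'bravo'   | Set-Content -LiteralPath (Join-Path $src 'b.log')
'charlie' | Set-Content -LiteralPath (Join-Path $src 'sub\c.txt')

# Hash a tree keyed by path relative to its root, so the two trees compare cleanly.
function Get-TreeHashes([string]$Root) {
    $map = @{}
    Get-ChildItem -LiteralPath $Root -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($Root.Length).TrimStart('\')
        $map[$rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    $map
}
$before = Get-TreeHashes $src

# Same as the .\* form in the post, written out with a full path.
Compress-Archive -Path (Join-Path $src '*') -DestinationPath $zip -Force

# -Force overwrites anything already sitting in the destination folder.
Expand-Archive -LiteralPath $zip -DestinationPath $outDir -Force
$after = Get-TreeHashes $outDir

$changed = $before.Keys | Where-Object { $after[$_] -ne $before[$_] }
if ($changed) { throw "Round trip changed or lost: $($changed -join ', ')" }
"OK: $($before.Count) files verified, archive is $((Get-Item -LiteralPath $zip).Length) bytes"
```

The relative-path hashing is what makes the check meaningful: the archive preserves the sub\ folder, so comparing on file name alone would hide a file that landed in the wrong place.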

In conclusion, this is a handy way to zip up files from the command line for sending or storage. It is also worth recognising Compress-Archive and Expand-Archive when they turn up in PowerShell logs (script block logging, Event ID 4104): the same one-liners that package your own files are what staging data for exfiltration looks like from a script.


--Bryan
Tuesday, May 7, 2019

Recently Opened Files and Docs




FILE PATH for RECENT DOCS:

C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Recent

or paste this into the File Explorer address bar: %AppData%\Microsoft\Windows\Recent

This opens a folder of shortcut (.lnk) files, one for each recently opened file.


They cover png, txt, pdf, docx and other documents, as well as recently opened folders.
Right-click the column header to add columns.


Date Modified and Date Created can then be viewed for each shortcut.

This location exists from Windows 7 through Windows 10; on Windows XP it is "\Documents and Settings\$USER$\Recent".

The shortcuts here are written by the shell when a file or folder is opened through Explorer or a common open/save dialog, so a program that opens files some other way leaves no entry, and a shortcut survives after its target has been deleted or moved. That makes this a useful place to check for forensic artifacts, or simply to find that document you had open recently and were looking for.
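Adding the Date Created and Date Modified columns is the manual way to read this folder; the script below is an added example (not part of the original post) that lists the same shortcuts with those timestamps and resolves where each one points. It uses the standard WScript.Shell COM object to read the link target, and takes a folder path so it can be pointed at another user's Recent folder from a mounted image instead of the live one.

```powershell
# Added example (not from the original post): list Recent\*.lnk with target and timestamps.
$shell = New-Object -ComObject WScript.Shell

function Get-RecentItems {
    param([string]$Path = (Join-Path $env:APPDATA 'Microsoft\Windows\Recent'))
    Get-ChildItem -LiteralPath $Path -Filter '*.lnk' -File | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        $exists = ($target -ne '') -and (Test-Path -LiteralPath $target)
        [pscustomobject]@{
            Shortcut     = $_.Name
            Target       = $target
            TargetExists = $exists            # $false means the file was opened, then removed or moved
            Created      = $_.CreationTime    # first time the item was opened from here
            Modified     = $_.LastWriteTime   # most recent open (the shortcut is rewritten)
        }
    }
}

# Live system, most recent first:
Get-RecentItems | Sort-Object Modified -Descending | Format-Table -AutoSize

# Offline, from a mounted image (assumed drive letter and user name):
# Get-RecentItems -Path 'E:\Users\someone\AppData\Roaming\Microsoft\Windows\Recent'
```

When reading from an image, remember the Created and Modified values come from the file system of the image, not the link's internal timestamps, which describe the target file and need a dedicated LNK parser.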


--Bryan


Wednesday, May 1, 2019

AutoStart and the AutoRun tool

There are locations that shed light on which software, tasks or configurations run every time a user logs in or the operating system boots.

These locations are worth knowing for a few reasons. One is personal configuration: maybe we want a tool or task to run every time a computer starts, perhaps for updates or logging.

Second, the same autostart locations are used by malicious programs to stay installed and run at startup, which makes them a first stop when triaging a machine.

Below is a list of locations that can be configured for autostart:

Autostart folder of the current user
  • shell:startup
  • %appdata%\Microsoft\Windows\Start Menu\Programs\Startup
  • C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Autostart folder of all users
  • shell:common startup
  • %programdata%\Microsoft\Windows\Start Menu\Programs\Startup
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

REGISTRY
Run keys (individual user)
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKCU\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (only on 64-bit systems)
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run (the Run value here, together with Load, is the registry successor of the win.ini run= and load= lines)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce (runs the program/command only once; the entry is deleted as soon as it is started)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx (runs the program/command only once; the entry is deleted after execution completes)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce (the RunServices keys are Windows 9x/ME-era; modern Windows does not process them, but they are listed for completeness)

Run keys (machine, all users)
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (only on 64-bit systems)
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce (runs the program/command only once; the entry is deleted as soon as it is started)
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx (runs the program/command only once; the entry is deleted after execution completes)
  • HKLM\System\CurrentControlSet\Services (services and drivers; the Start value of each subkey decides whether it loads at boot)
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce (Windows 9x/ME-era, as above)

Other autostart keys

Active Setup is designed to execute commands once per user during logon:
  • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components

Undocumented autostart feature:
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

Shell-related autostart entries, e.g. the handlers behind items displayed when you right-click files or folders (these are DLLs loaded into Explorer, so they run in every user's shell):
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  • HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers
  • HKLM\Software\Wow6432Node\Classes\*\ShellEx\ContextMenuHandlers
  • HKCU\Software\Classes\Drive\ShellEx\ContextMenuHandlers
  • HKLM\Software\Wow6432Node\Classes\Drive\ShellEx\ContextMenuHandlers
  • HKLM\Software\Classes\*\ShellEx\PropertySheetHandlers
  • HKLM\Software\Wow6432Node\Classes\*\ShellEx\PropertySheetHandlers
  • HKCU\Software\Classes\Directory\ShellEx\ContextMenuHandlers
  • HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
  • HKLM\Software\Wow6432Node\Classes\Directory\ShellEx\ContextMenuHandlers
  • HKCU\Software\Classes\Directory\Shellex\DragDropHandlers
  • HKLM\Software\Classes\Directory\Shellex\DragDropHandlers
  • HKLM\Software\Wow6432Node\Classes\Directory\Shellex\DragDropHandlers
  • HKLM\Software\Classes\Directory\Shellex\CopyHookHandlers
  • HKCU\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
  • HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
  • HKLM\Software\Wow6432Node\Classes\Directory\Background\ShellEx\ContextMenuHandlers
  • HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
  • HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\ContextMenuHandlers
  • HKLM\Software\Classes\Folder\ShellEx\DragDropHandlers
  • HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\DragDropHandlers
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
  • HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers

Keys that specify drivers loaded during startup:
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  • HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32

Misc startup keys:
  • HKLM\Software\Classes\Filter
  • HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
  • HKLM\Software\Wow6432Node\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
  • HKLM\Software\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
  • HKLM\Software\Wow6432Node\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
  • HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  • HKCU\Control Panel\Desktop\Scrnsave.exe
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64

TASKS
  • C:\Windows\Tasks
  • C:\Windows\System32\Tasks
Files
The following legacy files can be used to autostart programs on Windows start. They date from MS-DOS and Windows 9x; on Windows 10 most are absent or ignored (autoexec.nt and config.nt only matter for 16-bit programs under the NTVDM, which does not exist on 64-bit Windows), but they are cheap to check in an image:
  • c:\autoexec.bat
  • c:\config.sys
  • c:\windows\winstart.bat
  • c:\windows\wininit.ini
  • c:\windows\dosstart.bat
  • c:\windows\system.ini
  • c:\windows\win.ini
  • c:\windows\system\autoexec.nt
  • c:\windows\system\config.nt



_________________________________________________________________________________

Autoruns for Windows


The Autoruns tool is part of the Sysinternals Suite by Mark Russinovich, CTO of Microsoft Azure. It is a one-stop check of all the autostart locations mentioned above, and of many more (scheduled tasks, services, drivers, WMI event subscriptions, Office add-ins and so on).

It shows what is configured to run during system boot or logon. With Options > Verify Code Signatures it also checks each image's Authenticode signature, and Hide Microsoft Entries leaves only third-party items in view, which is the fastest way to spot an unsigned stranger.

Autoruns GUI


There is "badthing.exe" in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" and it is unsigned with no publisher.
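The signature check is the part of Autoruns worth reproducing when the GUI is not an option, for instance on a host you can only reach through a remote shell. The script below is an added example, not from the original post or from Sysinternals: it walks the Run/RunOnce keys and the two Startup folders listed above, extracts the executable from each command line (quoted, unquoted-with-spaces, or %VAR%-expanded) and reports its Authenticode status with Get-AuthenticodeSignature. An entry like the unsigned badthing.exe above shows up as NotSigned.

```powershell
# Added example (not from the original post): enumerate Run keys + Startup folders and
# report each target's Authenticode signature status.
$shell   = New-Object -ComObject WScript.Shell
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')
)

# Pull the executable path out of a Run-key command line.
function Get-ImagePath([string]$CommandLine) {
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if (-not $cmd) { return $null }
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }      # "C:\Program Files\x.exe" /arg
    $tokens = $cmd -split '\s+'
    # Unquoted path with spaces: keep appending tokens until a file exists on disk.
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]                                          # best effort, e.g. rundll32 on PATH
}

function Get-AutostartReport {
    $entries = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }              # PSPath/PSParentPath metadata
            $entries += @{ Location = $key; Entry = $p.Name; Command = [string]$p.Value }
        }
    }
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $dir -File) {
            $cmd = '"' + $f.FullName + '"'
            if ($f.Extension -eq '.lnk') {                     # resolve shortcuts to their target
                $target = $shell.CreateShortcut($f.FullName).TargetPath
                if ($target) { $cmd = '"' + $target + '"' }
            }
            $entries += @{ Location = $dir; Entry = $f.Name; Command = $cmd }
        }
    }
    foreach ($e in $entries) {
        $image = Get-ImagePath $e.Command
        $status = 'FileNotFound'; $publisher = ''
        if ($image -and (Test-Path -LiteralPath $image -PathType Leaf)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $image
            $status = $sig.Status.ToString()                   # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $publisher = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{ Location = $e.Location; Entry = $e.Entry; Image = $image
                           Signature = $status; Publisher = $publisher }
    }
}

# Anything that is not Valid is where to start looking.
Get-AutostartReport | Where-Object { $_.Signature -ne 'Valid' } |
    Format-Table Location, Entry, Image, Signature -AutoSize
```

Two things the report deliberately does not hide: a FileNotFound row is still interesting (an entry pointing at a deleted file is often leftover malware, or a hijack opportunity), and a HashMismatch row means a signed binary that has been modified on disk, which deserves more attention than an ordinary NotSigned one.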




In conclusion, knowing the autostart locations, or where to look them up, answers what starts at boot and logon time. For help there is the Autoruns tool, which I recommend carrying along with the rest of the Sysinternals suite; its command-line version, autorunsc.exe, collects the same data when you need it from a script or from many hosts.



--Bryan