1. Timezone
The system time zone plays a crucial role in forensic investigations, as it provides valuable insight into the timing of activity on a Windows system. In the Windows Registry, specifically within the SYSTEM hive, the time zone information is stored under the following key.
Location: SYSTEM hive
SYSTEM\CurrentControlSet\Control\TimeZoneInformation
You can query it from the command prompt as well:
reg query HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
From the command prompt, to save the artifact and take it with you for further analysis in Registry Explorer:
reg save HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation C:\Users\User\Downloads\output.hiv
Registry Explorer output: (screenshot)
Interpretation:
• Timestamps are incredibly useful for correlating activity across sources.
• Internal log files and their date/timestamps are based on the system time zone information.
• Other network devices may record time in a different zone, so you will need to correlate their records against the time zone information collected here.
-----------------------------------------------------------------------------------------------------------
2. Browser Search Terms
I have already provided all details regarding collecting browser artifacts.
Blog headline: Artifacts for File Download. You can visit the link below to learn about collection.
Blog link: https://www.cyberengage.org/post/artifacts-for-file-download-part-2-firefox-internet-explorer-chrome
-------------------------------------------------------------------------------------------------------------
3. Network History
In the Windows Registry, valuable information about networks that a computer has been connected to can be found. This data is critical for forensic investigations as it provides insights into the computer's network activity, including wired and wireless connections, domain or intranet names, SSID details, and even gateway MAC addresses.
Location:
The network history information is stored within the SOFTWARE hive of the Windows Registry. The relevant registry keys include:
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache
You can query them from the command prompt as well:
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache"
From the command prompt, save the artifact manually (use a separate output file for each key; reg save will not overwrite an existing file without the /y switch):
reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures" C:\Users\User\Downloads\signatures.hiv
reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache" C:\Users\User\Downloads\nlacache.hiv
Registry Explorer can be used to investigate the saved hive: (screenshot)
Interpretation:
• Identifying the intranets and networks a computer has connected to is incredibly important.
• Not only can you tell the intranet name, but you can also tell the last time the network was connected to, based on the last write time of the key.
• This will also list any networks that have been connected to via a VPN.
• The gateway MAC address recorded for an SSID can be used to physically geolocate (triangulate) where the machine was connected.
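As an added worked example (not code from the original post), the following Python normalises the raw values found in the two keys discussed above: the REG_DWORD bias values from TimeZoneInformation, read as signed integers so a local log timestamp can be converted to UTC; a key's last write time (a Windows FILETIME) for the "last connected" reasoning; and the REG_BINARY DefaultGatewayMac from a Signatures\Unmanaged subkey. All sample values are constructed; Description, DnsSuffix and DefaultGatewayMac are the standard value names under that key, while KeyLastWrite is a hypothetical field standing in for the key's last write time.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample values, in the form "reg query" or Registry Explorer shows them.
# TimeZoneInformation on a hypothetical host set to Eastern Time while DST was active.
TZ_VALUES = {
    "Bias": 0x0000012C,            # 300 min: UTC = local + 5 h in standard time
    "ActiveTimeBias": 0x000000F0,  # 240 min: the offset in force right now (DST)
    "TimeZoneKeyName": "Eastern Standard Time",
}
# One subkey under NetworkList\Signatures\Unmanaged. "KeyLastWrite" is not a registry value:
# it stands for the key's last write time (FILETIME, 100 ns ticks since 1601-01-01 UTC).
NETWORK_SIG = {
    "Description": "CorpWifi",
    "DnsSuffix": "corp.example",
    "DefaultGatewayMac": b"\x00\x11\x22\x33\x44\x55",
    "KeyLastWrite": 133497882000000000,
}

def signed_dword(value: int) -> int:
    """Reinterpret a REG_DWORD as a signed 32-bit integer (bias values can be negative)."""
    return struct.unpack("<i", struct.pack("<I", value & 0xFFFFFFFF))[0]

def local_to_utc(local_ts: str, tz_values: dict) -> datetime:
    """Normalise a naive local log timestamp to UTC: UTC = local + ActiveTimeBias minutes."""
    bias = signed_dword(tz_values["ActiveTimeBias"])
    local = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    return (local + timedelta(minutes=bias)).replace(tzinfo=timezone.utc)

def filetime_to_utc(filetime: int) -> datetime:
    """Convert a key's last-write FILETIME to a UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)

def gateway_mac(raw: bytes) -> str:
    """Render the 6-byte REG_BINARY DefaultGatewayMac as a colon-separated MAC string."""
    if len(raw) != 6:
        raise ValueError("DefaultGatewayMac must be 6 bytes")
    return ":".join(f"{b:02X}" for b in raw)

def network_record(sig: dict) -> dict:
    """Build a timeline-ready record for one network signature subkey."""
    return {
        "network": sig["Description"],
        "dns_suffix": sig["DnsSuffix"],
        "gateway_mac": gateway_mac(sig["DefaultGatewayMac"]),
        "last_connected_utc": filetime_to_utc(sig["KeyLastWrite"]).isoformat(),
    }
```

Feed it the values from your own reg query or Registry Explorer output; a negative ActiveTimeBias (for example 0xFFFFFEB6, which is -330) means the host sits east of UTC.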
-------------------------------------------------------------------------------------------------------------
4. Cookies
I have already provided all details regarding collecting browser artifacts. While collecting browser artifacts you can collect cookies as well.
Blog headline: Artifacts for File Download. You can visit the link below to learn about collection.
Blog link: https://www.cyberengage.org/post/artifacts-for-file-download-part-2-firefox-internet-explorer-chrome
------------------------------------------------------------------------------------------------------------