1. Identify the Windows version:
An investigator will often receive a disk image without knowing which specific Windows operating system version it holds. The Windows OS version is critical to ensuring you find and use the correct artifacts during your analysis: directory paths, types of artifacts, and even default programs change with the version and service pack of the Windows OS.
SOFTWARE hive:
SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Cmd:
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
2. Identify current control set:
A control set in the Windows Registry contains the system configuration settings needed to control system boot, including driver and service information. Typically there are two ControlSets: ControlSet001 and ControlSet002.
ControlSet001 represents the configuration used in the last successful boot, while ControlSet002 serves as a backup that can be used to recover from boot issues.
SYSTEM hive:
SYSTEM\Select
Cmd:
reg query "HKLM\System\Select"
The Select key contains a REG_DWORD value named "Current", which holds the number of the ControlSet that is currently active. By examining this value, you can identify which ControlSet is the "current" one.
For example, if the Current value is set to 0x01 or "1", then ControlSet001 is the registry path currently mapped to "CurrentControlSet" and should be examined in depth.
Additionally, the "LastKnownGood" value in the Select key indicates which ControlSet is the snapshot of the last successful boot. If "LastKnownGood" is set to 0x01 or "1", ControlSet001 is the snapshot taken during the last successful boot.
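As an added example (not code from the original post), the Python script below parses the text printed by the two reg query commands from sections 1 and 2, summarises the OS version from the CurrentVersion values, and applies the Select rule to name the ControlSet that Current, Default and LastKnownGood point at. The reg query output it runs on is constructed for the example, not captured from a real system.

```python
import re
from typing import Dict, Tuple

# One value line of `reg query` output is four-space separated:
#     <ValueName>    <REG_TYPE>    <Data>
VALUE_LINE = re.compile(r"^\s{4}(\S.*?)\s{4}(REG_[A-Z_]+)\s{4}(.*)$")


def parse_reg_query(text: str) -> Dict[str, Tuple[str, str]]:
    """Turn the text printed by `reg query <key>` into {name: (type, data)}.
    Key-path lines and blank lines do not match VALUE_LINE and are skipped."""
    values: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            name, reg_type, data = m.groups()
            values[name] = (reg_type, data.strip())
    return values


def reg_dword(values: Dict[str, Tuple[str, str]], name: str) -> int:
    """Return a REG_DWORD as an int; reg query prints DWORDs as 0x... hex."""
    reg_type, data = values[name]
    if reg_type != "REG_DWORD":
        raise ValueError(f"{name} is {reg_type}, expected REG_DWORD")
    return int(data, 16)


def control_set_name(index: int) -> str:
    """Select\\Current == 1 means ControlSet001, 2 means ControlSet002, ..."""
    return f"ControlSet{index:03d}"


def resolve_control_sets(select_output: str) -> Dict[str, str]:
    """Map Current / Default / LastKnownGood to the ControlSetNNN each names."""
    values = parse_reg_query(select_output)
    return {name: control_set_name(reg_dword(values, name))
            for name in ("Current", "Default", "LastKnownGood")}


def describe_os(currentversion_output: str) -> str:
    """Summarise the Windows version from the CurrentVersion key values.
    CSDVersion (service pack) is absent on Windows 10 and later, so it is optional."""
    values = parse_reg_query(currentversion_output)

    def get(name: str) -> str:
        return values[name][1] if name in values else ""

    parts = [get("ProductName"), get("CSDVersion"), f"build {get('CurrentBuild')}"]
    return " ".join(p for p in parts if p)


# Constructed sample output (not captured from a real system), laid out the
# way `reg query` prints it: a key line, then four-space separated value lines.
SELECT_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\Select
    Current    REG_DWORD    0x1
    Default    REG_DWORD    0x1
    Failed    REG_DWORD    0x0
    LastKnownGood    REG_DWORD    0x2
"""

CURRENTVERSION_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    CurrentVersion    REG_SZ    6.1
    CurrentBuild    REG_SZ    7601
    CSDVersion    REG_SZ    Service Pack 1
    ProductName    REG_SZ    Windows 7 Professional
    InstallDate    REG_DWORD    0x5f3a1c2e
"""

if __name__ == "__main__":
    print(describe_os(CURRENTVERSION_OUTPUT))
    for role, control_set in resolve_control_sets(SELECT_OUTPUT).items():
        print(f"{role:<14} -> {control_set}")
```

The script keys on CurrentBuild as well as ProductName because the build number is the value that separates Windows 10 from Windows 11, which still reports a "Windows 10" ProductName in this key.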
3. Computer name:
The computer name is useful mainly for logging purposes and verification, but it should not go unnoticed.
SYSTEM hive:
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Cmd:
reg query "HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName"
4. Time zone information:
1. Registry Timestamps and Time Zones: While most registry timestamps and last write times are recorded in Coordinated Universal Time (UTC), the overall system time, including file system timestamps on FAT file systems, may be associated with the local time zone set in the Control Panel applet.
2. Changing Time Zone: Users can easily change the time zone settings on their machines. This action updates the last write time of the relevant registry key that stores the time zone information.
3. Recommendation to Use UTC: To maintain consistency and accuracy in forensic analysis, it's highly recommended to set the local analysis machine time to UTC. This helps avoid unintentional biases introduced by forensic tools and minimizes the risk of misinterpreting time-related data.
4. Formulas for Time Conversion:
• UTC: UTC = Local Time + ActiveTimeBias
• Local Time: Local Time = UTC - ActiveTimeBias
• Standard Time: Standard Time = Bias + StandardBias
• Daylight Time: Daylight Time = Bias + DaylightBias
Time zone information is extremely useful for correlating activity:
• Internal log files and date/timestamps will be based on the system time zone information.
• You may have other network devices whose logs will need to be correlated against the time zone information collected here.
SYSTEM hive:
SYSTEM\CurrentControlSet\Control\TimeZoneInformation
Cmd:
reg query "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation"
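An added worked example (mine, not the author's) that applies the four conversion formulas from this section to ActiveTimeBias, Bias, StandardBias and DaylightBias as reg query prints them. The bias values are signed minutes stored in a REG_DWORD, and reg query shows DWORDs as unsigned hex, so a zone east of UTC appears as 0xffff...; the script handles that sign conversion and then converts a local log timestamp to UTC and back. Both sample value sets are constructed for the example, not captured from a real system.

```python
from datetime import datetime, timedelta
from typing import Dict


def dword_to_signed(value: int) -> int:
    """Reinterpret a 32-bit REG_DWORD as a signed integer.
    TimeZoneInformation biases are signed minutes, but reg query prints them
    unsigned, so UTC+05:30 (bias -330) shows up as 0xfffffeb6."""
    value &= 0xFFFFFFFF
    return value - 0x1_0000_0000 if value & 0x8000_0000 else value


def bias_minutes(hex_text: str) -> int:
    """Parse the 0x... text that reg query prints into signed minutes."""
    return dword_to_signed(int(hex_text, 16))


def local_to_utc(local: datetime, active_time_bias: int) -> datetime:
    """UTC = Local Time + ActiveTimeBias (bias in minutes)."""
    return local + timedelta(minutes=active_time_bias)


def utc_to_local(utc: datetime, active_time_bias: int) -> datetime:
    """Local Time = UTC - ActiveTimeBias."""
    return utc - timedelta(minutes=active_time_bias)


def utc_offset_label(bias: int) -> str:
    """Render a bias (minutes added to local time to reach UTC) as UTC+hh:mm."""
    offset = -bias
    hours, minutes = divmod(abs(offset), 60)
    return f"UTC{'+' if offset >= 0 else '-'}{hours:02d}:{minutes:02d}"


def interpret_timezone(raw: Dict[str, str]) -> Dict[str, object]:
    """Apply the formulas to the raw REG_DWORD strings of TimeZoneInformation:
    Standard Time = Bias + StandardBias, Daylight Time = Bias + DaylightBias."""
    bias = bias_minutes(raw["Bias"])
    active = bias_minutes(raw["ActiveTimeBias"])
    standard = bias + bias_minutes(raw["StandardBias"])
    daylight = bias + bias_minutes(raw["DaylightBias"])
    return {
        "ActiveTimeBias": active,
        "StandardTimeBias": standard,
        "DaylightTimeBias": daylight,
        "active_offset": utc_offset_label(active),
        # Inference: if the active bias equals the daylight bias and differs
        # from the standard one, DST was in effect when the key was written.
        "dst_in_effect": active == daylight and active != standard,
    }


# Constructed samples (not from a real system), with the DWORDs in the
# unsigned hex form that `reg query` prints.
INDIA_STANDARD_TIME = {
    "Bias": "0xfffffeb6",          # -330 min -> UTC+05:30
    "ActiveTimeBias": "0xfffffeb6",
    "StandardBias": "0x0",
    "DaylightBias": "0xffffffc4",  # -60, but no DST is observed there
}
EASTERN_IN_JULY = {
    "Bias": "0x12c",               # 300 min -> UTC-05:00 standard time
    "ActiveTimeBias": "0xf0",      # 240 min -> UTC-04:00, DST in effect
    "StandardBias": "0x0",
    "DaylightBias": "0xffffffc4",  # -60
}

if __name__ == "__main__":
    for label, raw in (("India", INDIA_STANDARD_TIME), ("Eastern", EASTERN_IN_JULY)):
        info = interpret_timezone(raw)
        print(label, info)
        # A constructed local log timestamp converted to UTC for correlation.
        local_ts = datetime(2024, 7, 4, 9, 0)
        print("  local", local_ts, "-> UTC", local_to_utc(local_ts, info["ActiveTimeBias"]))
```

Feed ActiveTimeBias, not Bias, to the conversion functions: Bias is the standard offset of the zone, whereas ActiveTimeBias is the offset that was actually applied when the key was last written, which is what local timestamps in application logs were stamped with.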
Will continue further in the next blog post.
Akash Patel