
- Deep Dive into Additional Email Header Fields in Digital Forensics
In our previous exploration of email headers, we delved into some of the most common and widely recognized fields like Message-ID and Received. However, the email header is a multifaceted entity, rich with additional fields that can offer further insights into the email's journey and integrity.

X-Originating-IP (removed by many webmail providers because of privacy and security concerns)
Purpose: This optional header records the IP address of the client from which the original message was submitted.
Authentication & Integrity: Like any X- header, it is written by whichever system chooses to add it, so a sender who controls the submitting client or the originating Mail Transfer Agent (MTA) can forge it or leave it out. Treat it as a claim until it is corroborated by the Received chain.
Backup Information: If this field is missing, the earliest (bottom-most) Received header, written by the submission server, may still contain the originating endpoint, providing a fallback for tracing the source.

X-Forwarded-For
Purpose: Indicates that the message was relayed or forwarded from another source, possibly through load-balancing or proxy servers.
Authentication & Integrity: Can help identify the infrastructure or route taken by the email before reaching its final destination.

X-Barracuda-Apparent-Source-IP
Purpose: Unique to Barracuda devices, this optional header records the source IP address as seen by the Barracuda appliance.
Authentication & Integrity: Shows that the email passed through a Barracuda device, which in turn tells you where security filtering or processing took place.

Authentication & Integrity Across Fields
Spoofing Risks: Any of these fields, including X-Originating-IP and X-Forwarded-For, can be spoofed by whoever controls a hop in the message's path, the sending client included; only the Received headers added by MTAs you trust are written outside the sender's control.
Validation: Cross-reference these fields with other headers, in particular the hop-by-hop Received chain, use forensic tools, and understand the typical behavior of the MTAs and devices involved before relying on any of them.

Conclusion: While the landscape of email headers is vast and ever-evolving, these additional fields provide a deeper layer of insight for digital forensic professionals. There are challenges, such as spoofing and the need for meticulous validation, but the richness of information embedded in these headers offers invaluable opportunities for tracing, validation, and enhanced forensic analysis.
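The cross-check described above, as an added example that is not part of the original post: it walks the Received chain in transit order, pulls out the origin-claiming X- headers, and marks each claimed IP "corroborated" only when an MTA-written Received header recorded the same address. The sample message is constructed for the example (the hostnames and addresses are documentation ranges, not a real capture); in it the X-Originating-IP claim does not match what the first relay actually saw, while the Barracuda header does.

```python
import email
import re

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)

# Headers whose value is a *claim* about the origin, not a hop-by-hop trace.
CLAIM_HEADERS = ("X-Originating-IP", "X-Forwarded-For", "X-Barracuda-Apparent-Source-IP")

# Constructed sample (not a real message). The sender claims 192.0.2.77, but the
# first relay (mx2.example.net) saw the submission come from 198.51.100.23.
RAW_MESSAGE = b"""Received: from mx2.example.net (mx2.example.net [203.0.113.9])
\tby mail.example.org with ESMTP id abc123;
\tTue, 2 Jan 2024 10:05:12 +0000
Received: from client-laptop (unknown [198.51.100.23])
\tby mx2.example.net with ESMTPSA id def456;
\tTue, 2 Jan 2024 10:05:10 +0000
X-Originating-IP: [192.0.2.77]
X-Barracuda-Apparent-Source-IP: 198.51.100.23
From: alice@example.net
To: bob@example.org
Subject: test
Message-ID: <1@example.net>

body
"""


def parse_message(raw: bytes):
    return email.message_from_bytes(raw)


def received_chain(msg):
    """Return Received hops oldest-first, i.e. in the order the mail actually travelled.
    Each MTA prepends its Received header, so header order is newest-first."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())  # unfold continuation lines
        frm = FROM_RE.search(text)
        by = BY_RE.search(text)
        hops.append({
            "from": frm.group(1) if frm else None,
            "by": by.group(1) if by else None,
            "ips": IP_RE.findall(text),  # bracketed literal addresses the MTA recorded
        })
    return hops


def claimed_origins(msg):
    """Collect the origin-claiming X- headers, stripping optional [brackets]."""
    claims = {}
    for name in CLAIM_HEADERS:
        value = msg.get(name)
        if value:
            claims[name] = value.strip().strip("[]")
    return claims


def corroborate(msg):
    """Mark each claimed origin 'corroborated' only if some Received hop recorded
    the same address; anything else stays 'unverified' until proven otherwise."""
    seen = {ip for hop in received_chain(msg) for ip in hop["ips"]}
    return {name: (ip, "corroborated" if ip in seen else "unverified")
            for name, ip in claimed_origins(msg).items()}


if __name__ == "__main__":
    msg = parse_message(RAW_MESSAGE)
    for i, hop in enumerate(received_chain(msg)):
        print(f"hop {i}: from={hop['from']} by={hop['by']} ips={hop['ips']}")
    for name, (ip, verdict) in corroborate(msg).items():
        print(f"{name}: {ip} -> {verdict}")
```

An "unverified" result is not proof of forgery on its own (NAT and webmail front-ends legitimately produce a different address), but it tells you which claim needs a second source before it goes in a report.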
- Important Update: Temporary Pause in Blog Updates
Dear readers and followers, I hope this message finds you well. I wanted to take a moment to share an important update regarding our blog. Due to some unforeseen circumstances, I was not able to publish new blog posts from April 5th. Please rest assured that this pause is temporary. I am actively working to resolve the issues at hand and will be back as soon as possible with fresh and engaging topics for you to enjoy. I understand that you might be looking forward to our regular updates, and I sincerely apologize for any inconvenience this may cause. Your patience and understanding during this time are greatly appreciated. In the meantime, I encourage you to explore our archive of past blog posts. There's a wealth of information, tips, and insights waiting for you there. Thank you once again for your continued support and understanding. I look forward to reconnecting with you all very soon with new and exciting content. Stay tuned, and take care! Akash Patel
- Solid-State Drives (SSDs): Acquisition, Analysis, and Best Practices
Introduction: Solid-state drives (SSDs) have revolutionized data storage with their speed, reliability, and lack of moving parts. However, their unique characteristics pose challenges for forensic investigators and analysts.

Understanding SSDs: SSDs use non-volatile NAND flash memory for storage, providing faster access times and improved reliability compared to traditional hard drives. (Non-volatility means a flash SSD retains its data through a sudden power loss.)

Limited Writes and NAND Flash Quality: SSD reliability is directly affected by the number of write/erase cycles the NAND flash cells endure. Frequent writes wear the cells, which can eventually cause data errors and shorten the drive's lifespan. Consumer-grade SSDs often use lower-quality NAND flash, making them more susceptible to wear from repeated writes.

Wear Leveling: Wear leveling distributes write and erase cycles evenly across the SSD's memory cells. When data is modified, the new version is written to a different physical location and the original location is marked for erasure. This prevents particular cells from wearing out faster than others.

Drive Trimming (TRIM): TRIM improves SSD performance and lifespan by letting the operating system tell the drive which data blocks are no longer in use, so the SSD controller can erase and reclaim them in the background.

Effects on Forensic Analysis: Wear leveling changes the physical location of data on the SSD, so an examiner cannot rely on a logical address to locate remnants such as file slack. TRIM eliminates data remnants in unallocated space, reducing the effectiveness of traditional techniques like file carving.

Prefetch and ReadyBoost: Prefetch and ReadyBoost, which improve system performance by caching frequently accessed data, may be disabled or enabled depending on the SSD configuration. Microsoft has started enabling Prefetch and ReadyBoost by default on SSDs because of their improved performance, which affects which execution artifacts an investigator can expect to find.

Acquisition of Data from SSDs: Acquiring data from SSDs requires careful consideration of power-loss concerns and data collection methods:
1. Power Loss Concerns: Cutting power to a running SSD can cause serious problems, because the drive's recovery processes may modify data. A traditional shutdown can also trigger drive optimization activities that affect data integrity.
2. Impact on Data Collection: Cutting power to an SSD may therefore not be the best option for proper data collection. The repair operations the SSD runs after power loss can include TRIM and wear leveling, both of which alter the data. A normal shutdown can likewise trigger drive optimization, further complicating collection.
3. Live Acquisition Considerations: Some experts suggest that live imaging of the system is the best approach for SSDs. Leaving an SSD idle for extended periods, even powered down, can potentially lead to data loss. Live acquisition, similar to imaging memory, may offer better control over the data and reduce the risk of unintended modifications by the SSD controller.
4. Recommended Recovery Procedures: If a drive fails after a power loss, follow the recovery guidelines provided by manufacturers such as Crucial. The recovery is a power cycle that takes roughly one hour and is performed on a laptop or desktop by connecting the SSD to a SATA power connector:
   1. With the drive connected and sitting idle, power on the computer and wait for 20 minutes. Do not use the computer during this time.
   2. Power the computer down and disconnect the drive from the power connector for 30 seconds.
   3. Reconnect the drive and repeat steps 1 and 2 one more time.
   4. Reconnect the drive normally and boot the computer into the operating system. If the latest firmware has not been applied to the drive, do so.
5. Write Blocking and Analysis: A standard write blocker prevents accidental writes from the connected operating system, but the SSD's own controller may still perform wear leveling and TRIM once the drive is powered on. Using a write blocker for imaging is still recommended to preserve drive integrity, but prolonged analysis on an SSD connected through a write blocker increases the window for controller-initiated drive management, potentially compromising data integrity.

Q: Will disk defragmentation be disabled by default on SSDs?
Answer: Yes, disk defragmentation is disabled by default on SSDs. SSDs do not benefit from defragmentation the way mechanical hard drives do; defragmenting only adds unnecessary wear without any performance improvement.

Q: Will SuperFetch be disabled on SSDs?
Answer: It depends. Newer versions of Windows, such as Windows 8 and Windows 10, typically keep SuperFetch enabled on SSDs, while Windows 7 may disable SuperFetch when it detects an SSD. SuperFetch improves performance by preloading frequently used applications into memory, which matters less on an SSD because of its faster read speeds.

Q: Does the Windows Search Indexer operate differently on SSDs?
Answer: No, the Windows Search Indexer operates the same way on SSDs as on traditional hard drives. It creates and maintains a database of file and folder information to enable quick searches; the faster access times of an SSD do not change its functionality.

Q: What should you do if the hash does not match on the first attempt to image an SSD?
Answer: Keep the first image, image the drive a second time, and compare the two. The most likely reason for the mismatch is wear leveling or TRIM activity after the initial hash was generated. Diffing the original and subsequent images shows exactly which sectors changed, for example deleted files or zeroed unallocated space, and documenting those differences helps address concerns over unmatched hashes when presenting the evidence in legal proceedings.

Conclusion: Solid-state drives offer numerous benefits, but their unique characteristics present challenges for forensic investigators. By understanding the behavior of SSDs, implementing proper acquisition techniques, and adhering to best practices, forensic analysts can effectively acquire and analyze data from SSDs while maintaining data integrity and reliability. Akash Patel
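The hash-mismatch procedure from the last question, as an added example that is not part of the original post: it hashes both acquisitions and, when they differ, reports the sector ranges that changed and which of those ranges are now all zeros in the second image (the signature of TRIM reclaiming unallocated space). The two "images" are constructed in-memory byte strings, not real acquisitions, and the 512-byte sector size is an assumption.

```python
import hashlib

SECTOR = 512


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_sectors(img_a: bytes, img_b: bytes, sector: int = SECTOR):
    """Return (start_sector, end_sector_exclusive) ranges where the images differ.
    If the images are of unequal length, every sector past the shorter one differs."""
    n = max(len(img_a), len(img_b))
    ranges = []
    run_start = None
    for off in range(0, n, sector):
        if img_a[off:off + sector] != img_b[off:off + sector]:
            if run_start is None:
                run_start = off // sector
        elif run_start is not None:
            ranges.append((run_start, off // sector))
            run_start = None
    if run_start is not None:
        ranges.append((run_start, (n + sector - 1) // sector))
    return ranges


def verify_or_explain(img_a: bytes, img_b: bytes) -> dict:
    """Hash both images; on mismatch, locate the delta so the examiner can attribute it
    (e.g. zeroed sectors after TRIM) instead of discarding the evidence."""
    h_a, h_b = sha256_of(img_a), sha256_of(img_b)
    if h_a == h_b:
        return {"match": True, "sha256": h_a, "diff": [], "zeroed_in_second": []}
    diff = differing_sectors(img_a, img_b)
    zeroed = [
        (s, e) for s, e in diff
        if img_b[s * SECTOR:e * SECTOR] == b"\x00" * ((e - s) * SECTOR)
    ]
    return {"match": False, "sha256_first": h_a, "sha256_second": h_b,
            "diff": diff, "zeroed_in_second": zeroed}


def build_samples():
    """Constructed data: an 8-sector image, and a second acquisition of the same
    drive in which sectors 3 and 4 were zeroed by the controller between imagings."""
    first = b"".join(bytes([i]) * SECTOR for i in range(1, 9))
    second = bytearray(first)
    second[3 * SECTOR:5 * SECTOR] = b"\x00" * (2 * SECTOR)
    return first, bytes(second)


if __name__ == "__main__":
    a, b = build_samples()
    report = verify_or_explain(a, b)
    print("match:", report["match"])
    print("changed sector ranges:", report["diff"])
    print("ranges zeroed in second image:", report["zeroed_in_second"])
```

For real images, stream both files in sector-sized chunks rather than loading them into memory; the comparison logic is the same. Record the differing ranges alongside both hashes in the acquisition notes.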
- Digital Evidence: Techniques for Data Recovery and Analysis
In today's digital age, forensic investigators face the challenge of extracting valuable evidence from various storage devices, including solid-state drives (SSDs). With techniques like datastream carving, file carving, and metadata parsing, investigators can uncover crucial information for legal proceedings and investigations.

Datastream Carving vs. File Carving:
1. Datastream Carving: Extracts small fragments of data from larger files. Useful for recovering valuable information, such as URLs and timestamps, from partially deleted files. Tools like Magnet Forensics' Internet Evidence Finder (IEF) facilitate the process by scanning for fragments as well as full files across storage devices.
2. File Carving: Focuses on recovering intact files from memory or unallocated space. Scans for known file headers and carves out files based on a predicted length or a known footer. Effective for recovering specific types of deleted files, but it may yield numerous false positives, and fragmented files are often recovered incomplete.

Parsing Metadata in Files: Metadata embedded within files provides insights into their creation, modification, and history. Microsoft Office documents and picture files contain metadata such as author information, creation time, GPS coordinates, and camera details.
Example: For Microsoft Office documents, metadata may include the author, creation time, last print time, and even the version of Microsoft Office used to create the document. This information helps establish the origin and authenticity of a document, which is especially important in cases involving stolen or altered documents. Similarly, picture files contain metadata about how the picture was taken: typically the original creation date, the camera model, and GPS coordinates if the device has a built-in GPS. Tools like exiftool can parse this metadata, uncovering valuable information for e-discovery cases and investigations.

In e-discovery cases, requesting metadata can be crucial for building a comprehensive understanding of the evidence and ensuring a fair trial. Judges often grapple with the complexities of metadata requests, recognizing their potential to make or break a case. By using tools like exiftool to parse metadata from files, investigators can uncover information that strengthens their legal arguments and provides clarity in complex litigation. https://exiftool.org/

Recovering Deleted Files: Forensic analysis often involves recovering lost or deleted files from storage devices. Metadata-layer extraction retrieves files through the file system's own records (file names, sizes, cluster runs), while unallocated-space extraction scans raw space for file headers. Tools like PhotoRec facilitate the second approach by scanning for file headers and attempting to reconstruct fragmented files.

Using PhotoRec: PhotoRec is a versatile data recovery program that reads file headers and targets various media file types. It can recover files from hard drives or mounted drive images and has limited fragmentation-handling capabilities. PhotoRec Sorter can then organize recovered files by extension for easier analysis.

Using PhotoRec Sorter:
1. Move the PhotoRec Sorter executable (PhotoRec_Sorter.exe) to the directory containing the "recup_dir" folders generated by PhotoRec.
2. Execute PhotoRec_Sorter.exe from that directory.
3. Monitor the console output for any messages or errors during the sorting process.
4. Once PhotoRec Sorter has finished, navigate through the "recup_dir" folders to confirm the files are properly sorted.
5. Check for any files that were not sorted correctly and move them manually to the appropriate folders based on their extensions.

Conclusion: By using techniques such as datastream carving, file carving, and metadata parsing, forensic investigators can extract valuable evidence from storage devices like SSDs. These techniques play a crucial role in e-discovery cases, legal proceedings, and criminal investigations, providing insights that can strengthen legal arguments and uncover hidden truths. Akash Patel
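The header/footer carving described above, as an added example that is not the post's own code nor PhotoRec's: it scans a raw image for JPEG, PNG and PDF signatures, cuts each candidate at its footer (or at a length cap), and sorts the results into one folder per extension the way PhotoRec Sorter does. The signature table and length caps are the example's own choices, and the image is a constructed byte string with two fake files embedded in filler, not a real acquisition.

```python
import os

# (header, footer, max carve length). The footer search starts after the header
# so a header that contains footer bytes cannot terminate its own file.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 10 * 1024 * 1024),
    "pdf": (b"%PDF-", b"%%EOF", 20 * 1024 * 1024),
}


def carve(image: bytes):
    """Scan raw bytes for known headers and cut out candidates up to the matching footer.
    Returns (ext, offset, data) tuples sorted by offset. Expect false positives and
    truncation: a JPEG's embedded thumbnail has its own FFD9, an incrementally-updated
    PDF has several %%EOF markers, and fragmented files will not carve intact."""
    found = []
    for ext, (header, footer, max_len) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            window = image[pos:pos + max_len]
            end = window.find(footer, len(header))
            if end != -1:
                found.append((ext, pos, window[:end + len(footer)]))
            pos = image.find(header, pos + 1)
    return sorted(found, key=lambda t: t[1])


def sort_into_dirs(carved, out_dir: str):
    """Mimic PhotoRec Sorter: one folder per extension, files named by image offset
    so each carve can be traced back to where it was found."""
    written = []
    for ext, offset, data in carved:
        d = os.path.join(out_dir, ext)
        os.makedirs(d, exist_ok=True)
        path = os.path.join(d, f"f{offset:012x}.{ext}")
        with open(path, "wb") as fh:
            fh.write(data)
        written.append(path)
    return written


def build_sample_image() -> bytes:
    """Constructed image: zero filler, a minimal fake JPEG, junk, a minimal fake PNG."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"          # 106 bytes at offset 512
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 50 + b"IEND\xae\x42\x60\x82"  # 66 bytes at offset 918
    return b"\x00" * 512 + jpg + b"\x11" * 300 + png + b"\x00" * 200


if __name__ == "__main__":
    for ext, offset, data in carve(build_sample_image()):
        print(f"{ext} at offset {offset} ({len(data)} bytes)")
```

For a real image, read the file once with `mmap` instead of `bytes` so the scan does not load the whole disk into memory; the carving logic does not change.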
- Program Execution : UserAssist Registry Key || Shimcache/Amcache ||BAM/DAM
1. UserAssist Key
Understanding the UserAssist Key: The UserAssist key, located in each user's NTUSER.DAT hive at NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist, records GUI program executions initiated by that user. It stores the last run time, run count, name of the GUI application, focus time, and focus count for each program launched through Windows Explorer. The value names are ROT13-encoded, so they must be decoded before they are readable.
Analyzing UserAssist Data: Forensic analysts can use the UserAssist key to uncover:
Last Run Time (UTC): The timestamp when the program was last executed by the user.
Run Count: The number of times the program has been executed on the system.
Name of GUI Application: The name or path of the GUI application launched by the user.
Focus Time and Focus Count: The total time the application has been in the foreground and the number of times it was brought back into focus.
Understanding GUIDs and Execution Modes: Entries are grouped under GUID-named subkeys that distinguish executable-file executions from shortcut-file executions. For example:
GUIDs for Windows XP: 5E6AB780 represents the Internet Toolbar; 75048700 signifies the Active Desktop.
GUIDs for Windows 7 and higher: CEBFF6CD denotes executable file execution; F4E57C4B denotes shortcut (.lnk) file execution.
By noting which GUID subkey an entry sits under, analysts can discern how users interacted with applications, whether through direct execution or shortcut activation.
2. 
Shimcache (Application Compatibility Cache) / Amcache Hive
Shimcache Purpose:
• Checks whether an application needs to be "shimmed" (compatibility properties applied) to run on the current OS or under older OS parameters.
• AppCompatCache records the executable's last modification date, its file path, and (on some Windows versions) whether it was executed.
• Advanced: An application is shimmed again (with an additional entry) if its file content is updated or it is renamed. This is good for proving an application was moved, renamed, or even time-stomped (if the current file's modification time ≠ the Shimcache modification time).
Amcache Purpose:
• Application Experience Service
• Newer AppCompat structure, full of additional information
To understand these in depth, kindly go through my previous blogs linked below...
Blog Headline: Forensic Collection of Execution Evidence through AppCompatCache(Shimcache)/Amcache.hiv
Blog Link: https://www.cyberengage.org/post/forensic-collection-of-execution-evidence-through-appcompatcache-shimcache--amcache-hiv
Blog Headline: Shimcache/Amcache Analysis: Tool-->AppCompactCacheParser.exe/AmcacheParser.exe
Blog Link: https://www.cyberengage.org/post/shimcache-amcache-analysis-tool-appcompactcacheparser-exe-amcacheparser-exe
Blog Headline: Amcache.hiv Analysis: Tool--> Registry explorer
Blog Link: https://www.cyberengage.org/post/amcache-hiv-analysis-tool-registry-explorer
3. BAM/DAM
The Background Activity Moderator (BAM) and Desktop Activity Moderator (DAM) record information about executed programs, including the full path of the executable and the date/time of its last execution. The DAM is specifically found on systems with Connected Standby, a feature that allows Windows to remain powered on while the screen is off, similar to standby mode on a smartphone; it manages desktop application activity to extend battery life while letting system processes keep running. The BAM is a kernel-mode driver service introduced in Windows 10 version 1709.
While there is limited official information about BAM, forensic analysts have observed that the information recorded in the BAM and DAM keys is similar. Within these registry keys you will find one subkey per user SID; each value under it is named after the full path of the executable, and the first 8 bytes of the value data hold the last execution time as a 64-bit FILETIME.
System Hive (BAM/DAM):
SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}
SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}
On Windows 10 version 1809 and later the same data sits one level deeper:
SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID}
SYSTEM\CurrentControlSet\Services\dam\State\UserSettings\{SID}
Akash Patel
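How the raw UserAssist and BAM/DAM values decode, as an added example that is not part of the original post and not the code of any of the parsers it links to: the ROT13 value name is decoded, the 72-byte Windows 7+ UserAssist value is unpacked (run count, focus count, focus time, last-run FILETIME), and the BAM value's leading FILETIME is converted. The two sample values are constructed with `struct.pack` for the example; the field offsets are those used by common UserAssist parsers and are stated as assumptions in the comments.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int):
    """Windows FILETIME: 100-ns intervals since 1601-01-01 UTC. Zero means 'never'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_userassist_name(name: str) -> str:
    """UserAssist value names are ROT13-obfuscated; digits, braces and backslashes pass through."""
    return codecs.decode(name, "rot_13")


def parse_userassist_value(data: bytes) -> dict:
    """Windows 7+ UserAssist Count value, 72 bytes (assumed layout):
    0: session id (4), 4: run count (4), 8: focus count (4), 12: focus time in ms (4),
    16-55: ten 32-bit floats (launch weights, unused here), 56: unknown (4),
    60: last-run FILETIME (8), 68: 0xFFFFFFFF (4)."""
    if len(data) != 72:
        raise ValueError(f"unexpected UserAssist value length {len(data)}")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run,) = struct.unpack_from("<Q", data, 60)
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_datetime(last_run),
    }


def parse_bam_value(data: bytes) -> dict:
    """BAM/DAM UserSettings value (24 bytes observed): first 8 bytes are the
    last-execution FILETIME; the remaining bytes are not decoded here."""
    (last_exec,) = struct.unpack_from("<Q", data, 0)
    return {"last_execution": filetime_to_datetime(last_exec)}


# Constructed samples (not pulled from a real hive). 0x01DA3C457689C000 is the
# FILETIME for 2024-01-01 00:00:00 UTC.
SAMPLE_FILETIME = 0x01DA3C457689C000
SAMPLE_USERASSIST_NAME = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\abgrcnq.rkr"
SAMPLE_USERASSIST = (
    struct.pack("<IIII", 1, 5, 3, 125000)   # session, run count, focus count, focus ms
    + b"\x00" * 40                          # ten floats
    + b"\x00" * 4                           # unknown
    + struct.pack("<Q", SAMPLE_FILETIME)    # last run
    + b"\xff\xff\xff\xff"
)
SAMPLE_BAM = struct.pack("<Q", SAMPLE_FILETIME) + b"\x00" * 16

if __name__ == "__main__":
    print(decode_userassist_name(SAMPLE_USERASSIST_NAME))
    print(parse_userassist_value(SAMPLE_USERASSIST))
    print(parse_bam_value(SAMPLE_BAM))
```

The GUID at the front of a decoded UserAssist name is a known-folder ID (the sample uses the System32 one), which is how the full path is reconstructed without the drive letter being stored.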
- Part 4- Important Registries related to System configuration overview
9. System boot autostart programs:
NTUSER.DAT (per user):
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce
Software Hive:
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System Hive:
SYSTEM\CurrentControlSet\Services
Each service subkey has a Start value (REG_DWORD) that controls when it loads:
0x0 (0): Boot start - the driver is loaded by the boot loader before the kernel initializes.
0x1 (1): System start - the driver is started by the kernel during system initialization.
0x2 (2): Automatic start - the service is started by the Service Control Manager when the system starts.
0x3 (3): Manual start - the service must be started manually by a user or another program.
0x4 (4): Disabled - the service is disabled and cannot be started.
Key usefulness:
• Determine which programs start automatically.
• Useful for finding malware that installs itself to run at boot, such as a rootkit.
• Look at when the key was last updated; generally this corresponds to the last boot time of the system.
10. Shutdown information:
Discover when the system was last shut down, and how many successful shutdowns it has had.
System hive:
SYSTEM\CurrentControlSet\Control\Windows (ShutdownTime)
SYSTEM\CurrentControlSet\Control\Watchdog\Display (ShutdownCount)
CMD: reg query HKLM\SYSTEM\CurrentControlSet\Control\Windows
Notice that ShutdownTime is a REG_BINARY value printed as hex. It is a Windows 64-bit FILETIME (100-nanosecond intervals since 1 January 1601 UTC), stored little-endian. A tool such as DCode converts it: paste the hex bytes, choose the Windows 64-bit FILETIME format, and press decode to get the date stored at that location. Akash Patel
- Part 3- Important Registries related to System configuration overview
8. Network profile key (first and last time connected):
Windows XP: Wireless Zero Configuration. In the Windows XP era, the Wireless Zero Configuration (WZC) service managed wireless networking. Under SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{GUID} the machine records the wireless access points it has connected to, preserving SSIDs and connection timestamps. An SSID (service set identifier) is the network name broadcast by an access point; because it is tied to physical equipment, it serves as a digital footprint that can place the machine near a specific location.
Windows 7-10: Network List Profiles. On Windows 7 and later the network profiles live under:
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
Each subkey is named with a GUID and holds the network's name (ProfileName) and a NameType value giving the connection type: wireless (0x47), wired (0x06) or broadband (0x17). Each network type leaves its mark, illuminating the user's connectivity landscape.
DateCreated and DateLastConnected: These two values hold the first and most recent connection time as 16-byte (128-bit) SYSTEMTIME structures in local time. A tool such as DCode decodes them, revealing the chronology of each network from the first connection to the latest.
CMD: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles"
9. Shares and offline locations:
System Hive: SYSTEM\CurrentControlSet\Services\LanmanServer\Shares
CMD: reg query HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares
Detecting Open Shares: The first step in examining file shares is detecting their presence on a machine. In many cases, users inadvertently share their entire hard drive, unknowingly granting remote access to sensitive files.
Identifying these open shares is crucial to understanding how files may have appeared on a workstation, and it pre-empts arguments about unauthorized access or file manipulation.
Client-Side Caching (CSC): A quiet route for file exfiltration is the Windows Offline Files client-side caching (CSC) feature. By marking specific files for offline access, a user can cache them locally and read them regardless of network connectivity, so the transfer may never be noticed by traditional monitoring. The CSCFlags value on each share records how the share's folders are cached, which can shed light on potential exfiltration attempts. Windows Offline Files caches files in C:\Windows\CSC.
• CSCFlags = 0: Default; the user must specify which files to cache.
• CSCFlags = 16: Automatic document caching ("All files and programs that users open from the shared folder are automatically available offline") with "Optimize for performance" unchecked.
• CSCFlags = 32: Automatic program caching; the same as above, but with "Optimize for performance" checked.
• CSCFlags = 48: Caching is disabled.
• CSCFlags = 2048: Default Windows 7-10 setting until the user disables "Simple File Sharing" or uses the "advanced" sharing options. It is also the default setting for HomeGroup shares.
Key Data Fields:
MaxUses: Maximum number of simultaneous connections to the share. The default of 4294967295 (0xFFFFFFFF, the largest 32-bit value) means unlimited.
Path: Local path of the shared folder.
Permissions: The value hints at how a share was created. 0 is the default, meaning the GUI or PowerShell created the share. On Windows 7-10, a value of 9 means it was created via advanced file sharing, and 63 means a command line created the share.
Type: Type of device or share accessed:
• 0 = Disk drive or folder
• 1 = Printer
• 2 = Device
• 3 = IPC
• 2147483648 (0x80000000) = Admin/special share flag, added to the disk, printer, device or IPC type
Will continue in next blog................... Akash Patel
- Part 2- Important Registries related to System configuration overview
5. NTFS last access time on/off
The Misconception: A common misconception is that last access timestamps indicate only the last time a file was opened or accessed by a user. This oversimplification overlooks the fact that these timestamps can be updated for reasons other than user interaction; a file may have its last access timestamp modified simply by being "touched" by the system (an antivirus scan, a backup, a search indexer) without any user opening or viewing it.
Variables Impacting Last Access Timestamps: Several variables affect the accuracy and reliability of last access timestamps. The most significant is the operating system's own setting: Microsoft disabled last access updates by default on NTFS starting with Windows Vista to improve performance. The switch is the NtfsDisableLastAccessUpdate value under the key below (1 = updates disabled, 0 = enabled). Windows 10 version 1803 and later changed the default to "system managed", which re-enables updates on smaller system volumes, so read the value rather than assuming it is off. This setting only affects NTFS; exFAT and FAT continue to update access timestamps normally.
Granularity and Enabling Last Access Timestamps: Even when enabled, NTFS defers writing last access updates to disk for up to an hour, so the timestamps are only coarsely accurate. Users can enable last access timestamps if an application relies on them, but doing so has a performance cost and should be weighed against the specific forensic scenario.
Importance in Forensic Analysis: Despite their limitations, last access timestamps can help investigators determine when files were accessed by the system, shedding light on user activity and potential evidence trails.
System Hive: SYSTEM\CurrentControlSet\Control\FileSystem
Cmd: reg query HKLM\SYSTEM\CurrentControlSet\Control\FileSystem
6. Network interfaces:
This key contains a wealth of detail, including TCP/IP configuration, IP addresses, gateways, and DHCP-related information. For machines configured with DHCP it records the assigned IP address, subnet mask, and the DHCP server's IP address.
Significance in Forensic Investigations: Network interface information is crucial in cases involving network-based evidence. It tells investigators how a system was connected to a network, be it wired, wireless, 3G, or Bluetooth. Moreover, the interface GUID is the identifier that ties this key to the network profile data stored elsewhere in the registry, adding depth to the investigation.
Exploring Historical IP Information: On Windows 7 through Windows 10, multiple subkeys under each interface hold historical IP information. These records, stemming from DHCP leases, show previous IP address assignments. While not exhaustive, they add valuable context. The last connected IP for each interface is the one stored directly under the parent GUID key.
System Hive: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
Cmd: reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces /s
Usefulness:
• Lists the network interfaces of the machine
• Shows whether the machine has a static IP address or is configured by DHCP
• Ties the machine to network activity that was logged elsewhere
• Provides the interface GUID for further profiling of network connections
7. Historical networks - network list keys:
Understanding NLA Functionality: Network Location Awareness (NLA) aggregates network information for each interface a PC connects to and generates a globally unique identifier (GUID) for each network. These identifiers, known as network profiles, let Windows apply the appropriate firewall rules based on the network's characteristics: different firewall profiles for public, home, or managed (domain) networks, giving tailored security configurations.
Forensic Significance of NLA: From a forensic standpoint, NLA presents a wealth of valuable information.
By examining the NLA records, investigators obtain a list of every network the machine has connected to, identified by DNS suffix. This is instrumental in identifying intranets and external networks and gives crucial context for the analysis.
Geo-Location Insights: One of the most compelling aspects of NLA for investigators is its potential to provide geo-location insights. By examining the networks a device has connected to and the associated timestamps, investigators can infer the geographical locations where the device was used. This can be pivotal in reconstructing timelines, establishing alibis, or corroborating witness statements.
Registry Details: NLA information is stored in the Software hive under:
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
Historical data, including connection times, can be found under the Cache key:
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache
Utilizing ProfileGuid: One challenge in NLA analysis is determining the first and last time a network was connected to. Each Signatures\Unmanaged and Signatures\Managed subkey carries a ProfileGuid value that points to the matching subkey under NetworkList\Profiles. Write down the profile GUID, open that profile, and read its DateCreated and DateLastConnected values for the first and last connection times.
Usefulness:
• Identifying the intranets and networks a computer has connected to is incredibly important
• First and last time a network connection was made
• This also lists networks that were connected to via a VPN
• The gateway MAC address recorded for an SSID (DefaultGatewayMac) can be used to geolocate the network physically
Will Continue on next post................ Akash Patel
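The ProfileGuid join described above, together with the NetworkList profile timestamps from Part 3, as one added example that is not part of the original posts: it decodes the 16-byte SYSTEMTIME values of DateCreated and DateLastConnected, maps NameType to a connection type, and joins each Signatures\Unmanaged entry to its profile through ProfileGuid so that gateway MAC and DNS suffix land next to the first/last connection times. The profile and signature dictionaries are constructed stand-ins for the registry values (the GUIDs, names, MAC and suffix are invented), and the value names are the ones Windows uses under NetworkList.

```python
import struct
from datetime import datetime

# NameType values under NetworkList\Profiles\{GUID}
NAME_TYPES = {0x06: "wired", 0x17: "broadband", 0x47: "wireless"}


def parse_systemtime(data: bytes) -> datetime:
    """16-byte SYSTEMTIME: eight little-endian WORDs (year, month, day-of-week, day,
    hour, minute, second, milliseconds). NetworkList stores these in local time,
    so the result is a naive datetime that still needs the machine's time zone."""
    if len(data) < 16:
        raise ValueError("SYSTEMTIME needs 16 bytes")
    year, month, _dow, day, hour, minute, second, ms = struct.unpack("<8H", data[:16])
    return datetime(year, month, day, hour, minute, second, ms * 1000)


def describe_profile(values: dict) -> dict:
    name_type = values["NameType"]
    return {
        "name": values["ProfileName"],
        "type": NAME_TYPES.get(name_type, f"unknown(0x{name_type:x})"),
        "created": parse_systemtime(values["DateCreated"]),
        "last_connected": parse_systemtime(values["DateLastConnected"]),
    }


def correlate(profiles: dict, signatures: dict) -> list:
    """Join Signatures\\Unmanaged entries to Profiles via ProfileGuid; signatures whose
    profile no longer exists are skipped. Result is ordered by last connection."""
    out = []
    for sig in signatures.values():
        guid = sig["ProfileGuid"]
        prof = profiles.get(guid)
        if prof is None:
            continue
        row = describe_profile(prof)
        row.update({
            "guid": guid,
            "dns_suffix": sig.get("DnsSuffix"),
            "gateway_mac": sig["DefaultGatewayMac"].hex(":"),
        })
        out.append(row)
    return sorted(out, key=lambda r: r["last_connected"])


# Constructed sample data standing in for the registry values (not from a real hive).
SAMPLE_PROFILES = {
    "{6f1c0a11-1111-4aaa-8bbb-000000000001}": {
        "ProfileName": "CorpWiFi", "NameType": 0x47,
        "DateCreated": struct.pack("<8H", 2024, 3, 4, 14, 9, 8, 30, 0),
        "DateLastConnected": struct.pack("<8H", 2024, 5, 3, 22, 17, 45, 12, 0),
    },
    "{6f1c0a11-2222-4aaa-8bbb-000000000002}": {
        "ProfileName": "Network 2", "NameType": 0x06,
        "DateCreated": struct.pack("<8H", 2023, 11, 1, 6, 8, 2, 0, 0),
        "DateLastConnected": struct.pack("<8H", 2024, 1, 1, 15, 10, 0, 0, 0),
    },
}
SAMPLE_SIGNATURES = {
    "sig-corp": {"ProfileGuid": "{6f1c0a11-1111-4aaa-8bbb-000000000001}",
                 "DnsSuffix": "corp.example", "FirstNetwork": "CorpWiFi",
                 "DefaultGatewayMac": b"\x00\x11\x22\x33\x44\x55"},
    "sig-wired": {"ProfileGuid": "{6f1c0a11-2222-4aaa-8bbb-000000000002}",
                  "DnsSuffix": "home.example", "FirstNetwork": "Network 2",
                  "DefaultGatewayMac": b"\xaa\xbb\xcc\xdd\xee\xff"},
    "sig-orphan": {"ProfileGuid": "{6f1c0a11-9999-4aaa-8bbb-000000000009}",
                   "DnsSuffix": None, "FirstNetwork": "Gone",
                   "DefaultGatewayMac": b"\x01\x02\x03\x04\x05\x06"},
}

if __name__ == "__main__":
    for row in correlate(SAMPLE_PROFILES, SAMPLE_SIGNATURES):
        print(f"{row['last_connected']}  {row['type']:8}  {row['name']:12}  "
              f"gw={row['gateway_mac']}  dns={row['dns_suffix']}")
```

Apply the machine's ActiveTimeBias to the naive datetimes before placing them on a UTC timeline; the times come out in the local zone the machine was set to when it connected.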
- Part 1- Important Registries related to System configuration overview
1. Identify the Windows version: An investigator who receives a disk image often has no idea which Windows version it came from. The version is critical to finding and interpreting the correct artifacts, because directory paths, artifact types, and even default programs change with the version and service pack.
Software hive: SOFTWARE\Microsoft\Windows NT\CurrentVersion (values such as ProductName, CurrentBuild, and InstallDate)
On a live system: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"

2. Identify the current control set: A control set holds the system configuration needed to boot, including driver and service settings. Typically two exist, ControlSet001 and ControlSet002. Do not assume that ControlSet001 is the active one: the Select key records which set is in use. CurrentControlSet is a symbolic link that only exists on a running system, so when you examine an offline SYSTEM hive you have to resolve it yourself.
System hive: SYSTEM\Select
On a live system: reg query "HKLM\SYSTEM\Select"
The Select key holds a REG_DWORD value named Current whose number identifies the active control set. If Current is 0x1, ControlSet001 is what CurrentControlSet resolves to and is the set to examine in depth. The LastKnownGood value identifies the control set saved from the last successful boot: if LastKnownGood is 0x2, ControlSet002 is that snapshot. Default and Failed values are also present.

3. Computer name: mainly useful for logging and verification, but it should not go unnoticed.
SYSTEM hive: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
On a live system: reg query "HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName"

4. Time zone information:
(a) Registry timestamps and time zones: Registry key last write times are recorded in Coordinated Universal Time (UTC), but other system times, including file timestamps on FAT file systems, are stored in the local time zone configured in the Control Panel applet.
(b) Changing the time zone: Users can easily change the time zone setting. Doing so updates the last write time of the registry key that stores the time zone information, which is itself worth noting.
(c) Use UTC on the analysis machine: To keep forensic analysis consistent and accurate, set the analysis machine's clock to UTC. This avoids biases introduced by tools that display local time and reduces the risk of misinterpreting time-related data.
(d) Formulas for time conversion (all bias values are in minutes and are stored as signed 32-bit DWORDs, so a zone east of UTC such as UTC+1 shows a negative bias, e.g. 0xFFFFFFC4 = -60):
• UTC = Local Time + ActiveTimeBias
• Local Time = UTC - ActiveTimeBias
• During standard time, ActiveTimeBias = Bias + StandardBias
• During daylight time, ActiveTimeBias = Bias + DaylightBias
Time zone data is essential for correlating activity:
• Internal log files and their date/timestamps are based on the system time zone.
• Timestamps from other network devices must be correlated with the time zone information collected here.
System hive: SYSTEM\CurrentControlSet\Control\TimeZoneInformation
On a live system: reg query "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation"
Will continue further in the next blog.
Akash Patel
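The following is an added example, not code from the original post. It parses the text that reg query prints for the TimeZoneInformation and Select keys (the two sample outputs are constructed for illustration, not captured from a real machine), decodes the bias DWORDs as signed minutes, applies the UTC = Local Time + ActiveTimeBias formula, and resolves Current and LastKnownGood to their ControlSetNNN keys. Function names are my own.

```python
import re
from datetime import datetime, timedelta

# Constructed sample output of:
#   reg query "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation"
# for a machine set to W. Europe Standard Time (UTC+1) with daylight time not
# in effect. Not captured from a real system.
SAMPLE_TZ = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
    Bias    REG_DWORD    0xffffffc4
    DaylightBias    REG_DWORD    0xffffffc4
    DaylightName    REG_SZ    @tzres.dll,-321
    DynamicDaylightTimeDisabled    REG_DWORD    0x0
    StandardBias    REG_DWORD    0x0
    StandardName    REG_SZ    @tzres.dll,-322
    TimeZoneKeyName    REG_SZ    W. Europe Standard Time
    ActiveTimeBias    REG_DWORD    0xffffffc4
"""

# Constructed sample output of:  reg query "HKLM\SYSTEM\Select"
SAMPLE_SELECT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\Select
    Current    REG_DWORD    0x1
    Default    REG_DWORD    0x1
    Failed    REG_DWORD    0x0
    LastKnownGood    REG_DWORD    0x2
"""


def parse_reg_query(text):
    """Parse reg query output into {value name: data}.

    Value lines are indented and separate name, type and data with four spaces.
    REG_DWORD data (printed as unsigned hex) becomes an int; other types stay strings.
    """
    values = {}
    for line in text.splitlines():
        if not line.startswith("    "):
            continue                      # key path line or blank line
        parts = line.strip().split("    ")
        if len(parts) == 2:
            parts.append("")              # value with empty data
        if len(parts) != 3 or not parts[1].startswith("REG_"):
            continue
        name, kind, data = parts
        values[name] = int(data, 16) if kind == "REG_DWORD" else data
    return values


def signed_dword(value):
    """Bias values are signed 32-bit minutes, but reg query prints them as unsigned hex."""
    return value - 0x1_0000_0000 if value & 0x8000_0000 else value


def time_zone_summary(tz):
    """Decode the biases and tell whether daylight time was active when the key was written."""
    bias = signed_dword(tz["Bias"])
    standard = bias + signed_dword(tz["StandardBias"])
    daylight = bias + signed_dword(tz["DaylightBias"])
    active = signed_dword(tz["ActiveTimeBias"])
    if active == standard:
        dst = False
    elif active == daylight:
        dst = True
    else:
        raise ValueError("ActiveTimeBias matches neither standard nor daylight bias")
    offset = -active                       # local = UTC - bias, so the offset is the negated bias
    sign = "+" if offset >= 0 else "-"
    return {
        "name": tz.get("TimeZoneKeyName"),
        "active_time_bias": active,
        "utc_offset": f"UTC{sign}{abs(offset) // 60:02d}:{abs(offset) % 60:02d}",
        "daylight_active": dst,
    }


def local_to_utc(local_time, active_time_bias):
    """UTC = Local Time + ActiveTimeBias (minutes, possibly negative)."""
    return local_time + timedelta(minutes=active_time_bias)


def utc_to_local(utc_time, active_time_bias):
    """Local Time = UTC - ActiveTimeBias."""
    return utc_time - timedelta(minutes=active_time_bias)


def convert_local_timestamp(local_iso, tz):
    """Take a naive local-time ISO string from a log and return the UTC ISO string."""
    active = signed_dword(tz["ActiveTimeBias"])
    return local_to_utc(datetime.fromisoformat(local_iso), active).isoformat(sep=" ")


def control_sets(select):
    """Resolve the Select key to the ControlSetNNN keys its values point at."""
    return {
        "current": f"ControlSet{select['Current']:03d}",
        "default": f"ControlSet{select['Default']:03d}",
        "last_known_good": f"ControlSet{select['LastKnownGood']:03d}",
    }


if __name__ == "__main__":
    print(time_zone_summary(parse_reg_query(SAMPLE_TZ)))
    print(convert_local_timestamp("2024-01-15 09:30:00", parse_reg_query(SAMPLE_TZ)))
    print(control_sets(parse_reg_query(SAMPLE_SELECT)))
```

ActiveTimeBias reflects the offset in force when the key was last written, so for a timestamp from months earlier you must decide from the Bias/StandardBias/DaylightBias values whether daylight time applied then, rather than applying ActiveTimeBias blindly.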
- Understanding Important Registries
1. MRU lists (most recently used lists): Found in the NTUSER.DAT of the user in question (in my case opened in Registry Explorer from C:\Users\user\NTUSER.DAT). Look at LastVisitedPidlMRU (under Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32) as well as RecentDocs (under ...\Explorer\RecentDocs), both highlighted in the screenshot. Each MRU list records the order in which entries were added to the key, and that order is what makes it valuable: it shows the sequence of user activity. A key's last write time is updated when the list changes, so it corresponds to the most recent entry, the one at the front of the MRU order; the remaining entries carry only their relative order, not a timestamp of their own. For example, the last write time of the RecentDocs\.docx subkey corresponds to when the most recent .docx in that list was opened, and the other values follow from most recent to oldest.

2. Run key (programs started at logon):
Live, via regedit: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Offline, via Registry Explorer: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run

3. Deleted registry keys and values: Leftovers from privacy cleaners are easy to view in Registry Explorer, which recovers deleted keys from unallocated space inside the hive. In the screenshot, notice the deleted keys and that each of their subkeys is still visible; in each of these cases the original data could be recovered.

4. Collecting user information from the SAM hive (profiling users and groups):
(i) Username
(ii) RID
(iii) Login information: last login, last failed login, login count, password policy, account creation time
(iv) Group membership: Administrators, Users, Remote Desktop Users
When examining the SAM hive in Registry Explorer we can easily locate the Relative Identifier (RID) of a user account (shown as User ID in my case), as well as the other details. For example, the Guest account has RID 501 (500 is the built-in Administrator), which lets us track that account's activity on the system. Registry Explorer also shows the important timestamps, including the last login time and the time of the last password change.
Akash Patel
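As an added example (not code from the original post), here is how the MRU ordering described above is actually encoded and why only the first entry can be tied to the key's last write time. RecentDocs keys carry an MRUListEx value: a list of little-endian DWORD indices, most recent first, ending in 0xFFFFFFFF. Each numbered value starts with the file name in UTF-16LE followed by a NUL and a shell item. The sample key, its values and the LastWrite string are constructed for illustration; the function names are my own.

```python
import struct

# Constructed sample of a RecentDocs\.docx subkey as exported from NTUSER.DAT.
# Each numbered REG_BINARY value holds a UTF-16LE file name, a NUL terminator and
# a shell item (link target) that this example does not decode. The values and
# the LastWrite time below are made up for illustration, not taken from a system.

def _recent_docs_value(name):
    """Build one RecentDocs-style value: UTF-16LE name + NUL + a dummy shell item."""
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00" + b"\x00" * 18


SAMPLE_KEY = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),  # most recent first, then terminator
    "0": _recent_docs_value("budget.docx"),
    "1": _recent_docs_value("memo.docx"),
    "2": _recent_docs_value("resignation.docx"),
}
SAMPLE_LAST_WRITE = "2024-03-02 14:07:11 UTC"  # LastWrite of the .docx key as a tool shows it


def parse_mrulistex(blob):
    """Decode MRUListEx: little-endian DWORD value indices, most recent first,
    terminated by 0xFFFFFFFF."""
    if len(blob) % 4:
        raise ValueError("MRUListEx length is not a multiple of 4")
    order = []
    for (index,) in struct.iter_unpack("<I", blob):
        if index == 0xFFFFFFFF:
            break
        order.append(index)
    return order


def recent_docs_name(value):
    """Return the UTF-16LE file name that leads a RecentDocs value."""
    end = 0
    while end + 1 < len(value) and value[end:end + 2] != b"\x00\x00":
        end += 2
    return value[:end].decode("utf-16-le")


def order_recent_docs(key_values, last_write):
    """List the entries most recent first. Only position 0 can be tied to the key's
    LastWrite time; the rest carry order, not timestamps."""
    rows = []
    for position, index in enumerate(parse_mrulistex(key_values["MRUListEx"])):
        value = key_values.get(str(index))
        rows.append({
            "position": position,
            "index": index,
            # A value referenced by MRUListEx but absent from the key is itself a
            # finding (a cleaner removed it, or the hive is damaged).
            "name": recent_docs_name(value) if value is not None else None,
            "opened": last_write if position == 0 else None,
        })
    return rows


if __name__ == "__main__":
    for row in order_recent_docs(SAMPLE_KEY, SAMPLE_LAST_WRITE):
        print(row)
```

The numbered value names are reused slots, so a low index does not mean an old entry; trust MRUListEx, never the value names, for ordering.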
- Understanding Registry Hive transaction logs
Windows caches registry writes in two places: in memory, and on disk in the hive's transaction log files. The logs are named after the hive with .LOG1 and .LOG2 appended (for example NTUSER.DAT.LOG1 and NTUSER.DAT.LOG2) and sit in the same folder as the hive file.
Starting with Windows 8.1, Microsoft changed how Windows commits writes to the hive files. Writes are first appended to the transaction log files; the primary hive is only updated when the system is idle, at shutdown, or once an hour has passed since the last write to the primary hive. This cut the number of disk writes and improved performance by avoiding continual writes to the hives. The consequence for analysis is that the most recent registry activity, roughly the last hour, may exist only in the transaction logs and be missing from the hive file unless the logs are parsed and applied when the hive is opened. Such a hive is "dirty": the primary and secondary sequence numbers in its header no longer match, which is how a tool can tell that the logs hold newer data. Most registry forensic tools do not perform this check or alert you to the issue (Registry Explorer does, and offers to replay the logs). This matters especially when you are trying to track recent user or process interactions in the Windows operating system. Many forensic tools do not take into account the data stored in the transaction log files and especially.
Akash Patel
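The check described above, as an added example that is not part of the original post: the first 512 bytes of a hive (the REGF base block) carry a primary and a secondary sequence number. The primary is incremented before a flush and the secondary set to match when the flush completes, so a mismatch means the hive is dirty and .LOG1/.LOG2 must be replayed before any recent activity is visible. The base block below is constructed in code, not taken from a real hive; field offsets follow the documented REGF layout, and the function names are my own.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
BASE_BLOCK_SIZE = 512


def to_filetime(dt):
    """Convert an aware datetime to a FILETIME (100 ns ticks since 1601) using integer math."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def from_filetime(ticks):
    """Inverse of to_filetime; sub-microsecond precision is dropped."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def regf_checksum(block):
    """XOR of the first 127 DWORDs of the base block, with the two reserved results remapped."""
    result = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        result ^= dword
    if result == 0:
        return 1
    if result == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return result


def build_sample_base_block(primary_seq, secondary_seq):
    """Constructed 512-byte REGF base block (not from a real hive) holding the fields read below."""
    block = bytearray(BASE_BLOCK_SIZE)
    last_written = to_filetime(datetime(2024, 3, 2, 14, 7, 11, tzinfo=timezone.utc))
    struct.pack_into("<4sIIQIIIIIII", block, 0,
                     b"regf", primary_seq, secondary_seq, last_written,
                     1, 5,          # major/minor format version (1.5 is a modern hive)
                     0, 1,          # file type 0 = primary hive, file format 1 = direct memory load
                     0x20, 0x1000,  # root cell offset, hive bins data size
                     1)             # clustering factor
    name = "\\??\\C:\\Users\\user\\ntuser.dat".encode("utf-16-le")[:64]
    block[48:48 + len(name)] = name
    struct.pack_into("<I", block, 508, regf_checksum(block))
    return bytes(block)


def parse_base_block(block):
    """Read the base block and report whether the hive is dirty (logs hold newer writes)."""
    if len(block) < BASE_BLOCK_SIZE or block[:4] != b"regf":
        raise ValueError("not a registry hive: missing 'regf' signature")
    _, primary, secondary, last_written, major, minor = struct.unpack_from("<4sIIQII", block, 0)
    name = block[48:112].decode("utf-16-le").split("\x00", 1)[0]
    stored_checksum = struct.unpack_from("<I", block, 508)[0]
    return {
        "name": name,
        "version": f"{major}.{minor}",
        "last_written_utc": from_filetime(last_written).isoformat(sep=" "),
        "primary_seq": primary,
        "secondary_seq": secondary,
        "checksum_ok": stored_checksum == regf_checksum(block),
        # Primary is bumped before a flush and secondary set equal afterwards, so a
        # mismatch means unflushed writes live in .LOG1/.LOG2: replay them first.
        "dirty": primary != secondary,
    }


if __name__ == "__main__":
    print(parse_base_block(build_sample_base_block(7, 6)))
```

On a real image, read the first 512 bytes of the hive file and pass them to parse_base_block; a dirty result with a bad checksum usually means the image was taken mid-write, not that the file is fake.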
- Understanding Registry:
Windows Registry overview: The Windows registry is a database storing system, software, hardware, and user configuration data.
Root keys: A live system exposes five root keys: HKEY_CLASSES_ROOT (HKCR), HKEY_CURRENT_USER (HKCU), HKEY_LOCAL_MACHINE (HKLM), HKEY_USERS (HKU), and HKEY_CURRENT_CONFIG (HKCC). HKCR, HKCU and HKCC are views assembled from HKLM and HKU, not separate files on disk.
Offline access: The system hive files live in %WINDIR%\System32\config: DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM. They are locked while Windows is running, so take them from a disk image, a volume shadow copy, or a raw-access copying tool.
Hives and contents:
SYSTEM hive (HKLM\SYSTEM): hardware and service configuration. It also lists most of the raw device names for volumes and drives on the system, including USB keys.
SOFTWARE hive (HKLM\SOFTWARE): application settings and configuration.
NTUSER.DAT (HKCU for the logged-on user): user-specific configuration and environment settings, including a slew of identifiable data about user activity.
SAM hive (HKLM\SAM): local user accounts and groups.
SECURITY hive (HKLM\SECURITY): LSA policy and secrets, including cached domain logon data.
AMCACHE.HVE (C:\Windows\AppCompat\Programs\Amcache.hve): introduced in Windows 8, it records application compatibility data and evidence of program execution, including file hashes of executables.
Backup hives: The RegIdleBackup scheduled task copies the SAM, DEFAULT, SYSTEM, SOFTWARE, and SECURITY hives to %WinDir%\System32\Config\RegBack every 10 days on Vista, Windows 7, 8 and 10, and Server 2008, 2012 and 2016. This backup may contain residue that has since been cleared from the current hives. The task does not back up users' NTUSER.DAT hives.
Note: Since Windows 10 version 1803 the task still runs but writes nothing by default, leaving 0-byte placeholder files in RegBack unless the REG_DWORD EnablePeriodicBackup is set to 1 under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager. An empty RegBack on such a system is therefore the default, not evidence of tampering.
User registry hives: The registry holds a wealth of user-specific information, offering insight into recent actions performed by users, including accessed files, searched items, typed URLs, executed commands, and saved documents.
NTUSER.DAT: Each user profile has its own copy at C:\Users\<username>\NTUSER.DAT. For the logged-on user it is loaded as HKEY_CURRENT_USER, and it offers a comprehensive view of that user's actions on the system.
UsrClass.dat: Located at C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat and loaded as HKCU\Software\Classes, it holds information related to program execution and folder manipulation. It is the virtualized registry root for User Account Control (UAC): writes that legacy applications attempt against protected locations are redirected into its VirtualStore. Despite that role, it is rich in clues about user activity and helps analysts reconstruct user behavior.
Tip: UsrClass.dat is where the ShellBags keys (Shell\BagMRU and Shell\Bags) live on Windows 7 and later; NTUSER.DAT holds a second set. ShellBags record which folders a user opened in Explorer, including folders on removable media and network shares and folders that no longer exist, and how those windows were viewed. They are evidence of folder access, not of individual file opens, and indirectly of application usage.
Registry Explorer (by Eric Zimmerman) makes this analysis much easier.
Registry key last write time, as shown in Registry Explorer:
1. The registry tracks a last write time for every key. Values have no timestamp of their own; the key's timestamp is all there is.
2. The timestamp is stored in the hive as a 64-bit FILETIME in Coordinated Universal Time (UTC); tools either display it in UTC or convert it to local time.
3. It is crucial for forensic investigations because it dates the most recent change to that key.
4. By correlating the last write time with other system data, such as user logon times or file copy events, investigators can build a timeline of user actions.
5. The last write time is updated whenever a value in the key is added, changed or deleted, or a subkey is created or deleted. It is not updated when something changes inside a subkey, and which keys get touched, and when, depends on the program's behavior.
6. Be clear about whether timestamps are shown in UTC or the local time zone. Failing to account for time zone discrepancies could lead to misinterpretation of critical evidence and compromise the integrity of the investigation.
Will continue in the next blog.
Akash Patel
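To make the hive locations above usable in a triage script, here is an added example (not code from the original post) that walks a mounted disk image, collects the system hives, their RegBack copies, every profile's NTUSER.DAT and UsrClass.dat, and Amcache.hve, and records which transaction logs sit beside each hive and which RegBack files are 0-byte placeholders. The sample image tree is constructed in a temporary directory with placeholder bytes, not real hives; the function names are my own.

```python
import tempfile
from pathlib import Path

SYSTEM_HIVES = ("SYSTEM", "SOFTWARE", "SAM", "SECURITY", "DEFAULT")


def hive_record(path):
    """Describe one hive file together with the .LOG1/.LOG2 transaction logs beside it."""
    logs = [path.with_name(path.name + suffix) for suffix in (".LOG1", ".LOG2")]
    return {
        "name": path.name,
        "path": str(path),
        "size": path.stat().st_size,
        # Load these alongside the hive; on Windows 8.1+ the newest writes may only be here.
        "logs": [str(p) for p in logs if p.exists()],
    }


def inventory(image_root):
    """Locate the hives discussed above inside a mounted image rooted at image_root.

    Names are matched exactly (Windows is case-insensitive, a Linux mount is not),
    so normalise case or mount case-insensitively before pointing this at a real image.
    """
    root = Path(image_root)
    config = root / "Windows" / "System32" / "config"
    found = {"system": [], "regback": [], "users": [], "amcache": None}
    for name in SYSTEM_HIVES:
        hive = config / name
        if hive.exists():
            found["system"].append(hive_record(hive))
        backup = config / "RegBack" / name
        if backup.exists():
            rec = hive_record(backup)
            # Windows 10 1803+ leaves 0-byte placeholders unless EnablePeriodicBackup=1.
            rec["placeholder"] = rec["size"] == 0
            found["regback"].append(rec)
    users = root / "Users"
    if users.is_dir():
        for profile in sorted(p for p in users.iterdir() if p.is_dir()):
            ntuser = profile / "NTUSER.DAT"
            usrclass = profile / "AppData" / "Local" / "Microsoft" / "Windows" / "UsrClass.dat"
            if ntuser.exists():   # directories such as Public have no NTUSER.DAT
                found["users"].append({
                    "user": profile.name,
                    "ntuser": hive_record(ntuser),
                    "usrclass": hive_record(usrclass) if usrclass.exists() else None,
                })
    amcache = root / "Windows" / "AppCompat" / "Programs" / "Amcache.hve"
    if amcache.exists():
        found["amcache"] = hive_record(amcache)
    return found


def build_sample_image(root):
    """Lay out a constructed, minimal image tree (placeholder bytes, not real hives)."""
    root = Path(root)
    files = {
        "Windows/System32/config/SYSTEM": b"placeholder",
        "Windows/System32/config/SYSTEM.LOG1": b"placeholder",
        "Windows/System32/config/SOFTWARE": b"placeholder",
        "Windows/System32/config/RegBack/SYSTEM": b"",        # 0-byte placeholder
        "Users/alice/NTUSER.DAT": b"placeholder",
        "Users/alice/NTUSER.DAT.LOG1": b"placeholder",
        "Users/alice/NTUSER.DAT.LOG2": b"placeholder",
        "Users/alice/AppData/Local/Microsoft/Windows/UsrClass.dat": b"placeholder",
        "Users/Public/desktop.ini": b"",                      # profile dir without a hive
        "Windows/AppCompat/Programs/Amcache.hve": b"placeholder",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root


def demo():
    """Build the sample tree in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory(build_sample_image(tmp))


if __name__ == "__main__":
    print(demo())
```

Presence of a .LOG1/.LOG2 file says nothing by itself, since modern Windows keeps them permanently; whether they contain unflushed writes is decided by the sequence numbers in the hive's base block.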