Hello everyone. I recently created an introduction to memory forensics video, and in that video I promised a follow-up video that explains some basic Windows forensic analysis techniques and shows some basic Windows artifacts that we commonly look for. So this is that video.

On your screen you'll actually see a DFIR cheat sheet I created. DFIR, by the way, is digital forensics and incident response, if you're not familiar with the term. This cheat sheet actually has a very small subset of the information covered in the SANS FOR500 (formerly FOR408) Windows Forensic Analysis class. That class will actually prepare you to sit for the GIAC Certified Forensic Examiner (GCFE) certification. I know a lot of people will skip it and go directly to FOR508, which prepares you to take the GIAC Certified Forensic Analyst (GCFA) certification test, but honestly you are doing yourself a disservice if you don't already know this information. In fact, when you take 508 it is assumed that you are familiar with a good bit of this information already, and certainly to win the final challenge in that class, and really to succeed as a forensic investigator if you're forensicating Windows boxes, you need to know this material.

So again, this cheat sheet has a very small subset of the forensic artifacts that are available to us on a Windows box. In case you didn't realize it, your operating system is spying on you. There are a ton of things in Windows that provide a wealth of forensic information to investigators, but the interesting thing to note is that these things were not put there by Microsoft for that purpose. They all serve some other purpose. For example, perhaps there are things that help programs launch more quickly, or things that ensure backwards compatibility when you're running a legacy piece of software on a newer operating system, or things that improve the user experience. Whatever the case may be, Microsoft has not provided this information for forensic investigators. The other thing to realize is that these things can change. They often change, in fact, when service packs come out, or now I guess it's more of a rolling release model with Windows 10 Redstone 1 and Redstone 2 and so on and so forth. There is no guarantee that a forensic artifact is going to remain across operating system releases. Now luckily, most of the things on this particular cheat sheet still remain, and they are usually found in anything from Windows Vista and above.

So what I'm going to do is actually go through and first of all talk about the registry itself and how it's laid out on a Windows system, and then we're going to look at some demos in different sections of these particular artifacts. I'm not going to show every single one of them because the video would be hours long and take forever and you might fall asleep or lose interest, so let's just hit the highlights of some of the most common ones. But before we do that, you'll notice that we've got HKCU and HKLM that are commonly referenced here. That's HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE. So let's figure out what that means, and what the registry is, and where it's located, and all that good stuff first.

Basically, the Windows registry is a giant database that comprises a huge amount of information that the operating system uses to function. It basically stores information about programs and settings for programs and just all kinds of information that is vital to make the operating system work. The registry itself on disk is actually found in Windows\System32\config. So if you're looking at a live system, first off it's important to know that the operating system protects all of these files within this path, so you can't edit or open or copy or do anything with these on a live system unless you use FTK Imager or something to get them out. But otherwise the operating system is going to protect them. But if you look here we've got DEFAULT, SAM, SECURITY, SOFTWARE and SYSTEM. These are the most common registry hives, the most important registry hives that we grab when forensicating a Windows system. In fact, automatic backups are taken and stored in RegBack, and you'll notice right here DEFAULT, SAM, SECURITY, SOFTWARE, SYSTEM, the same ones I just mentioned. So when we grab information from a Windows system we'll almost certainly grab the registry hives out of config and also the ones out of RegBack. RegBack will be important because let's say someone attempts to perform anti-forensics on us and delete things out of the registry, purge things out of the registry. Even if they do it correctly, if you delete something out of the registry normally it's pretty easily recoverable, but if you compact the database or do other anti-forensic techniques to make that not possible, it's possible that you forgot to purge the backups in RegBack, so we'll often grab them as well. So DEFAULT, SAM, SECURITY, SOFTWARE, SYSTEM.

And also, if we look at the user profiles, every user profile has an NTUSER.DAT file. You don't see it in the GUI here because I'm not showing system files or hidden files, but if we drop to the command prompt and I run dir /ah you'll actually notice here NTUSER.DAT. Now NTUSER.DAT actually plugs into the registry as HKCU, HKEY_CURRENT_USER, when you're browsing a live registry on a live system. So every user has an NTUSER.DAT, which is kind of like that user's chunk of registry-related information. So certainly we'll want to grab NTUSER.DAT, if nothing else, from the profiles we're interested in analyzing, but usually across the board we'll grab all NTUSER.DAT files from all the profiles. There's also another one called UsrClass.dat that we'll talk about a little bit later, but that's also a registry hive that is user specific that plugs into a specific registry location. If we run regedit on this live system, if we look over here, HKEY_CURRENT_USER is again NTUSER.DAT. So for my particular user on this live system, HKEY_CURRENT_USER is actually being read from NTUSER.DAT. So the terms are somewhat interchangeable, though usually when we speak of HKEY_CURRENT_USER we're talking about the analysis of a live system, and when we talk about NTUSER.DAT we're talking about, you know, parsing a file on a dead system. If we expand HKLM you'll actually see those other hives I mentioned, for example SAM, SECURITY, SOFTWARE and SYSTEM, which plug in to those files that I just showed you on the file system. Now HARDWARE and some other registry paths that you see here are actually generated on system boot. They are not stored on disk; they're dynamically generated based upon the hardware in the system and the drivers loaded, etc. So you actually won't find, for example, a HARDWARE hive on disk. So that kind of provides you with some very basic information about how the registry is laid out.

If we go back over to the cheat sheet here, the first path that you'll see is HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer. Now what I'm going to do is, on this very system, I actually grabbed a copy of the registry hives, which are right here, the ones I just mentioned, including NTUSER.DAT. We'll actually use one of many pieces of software to analyze this offline. In this case I'll use Registry Explorer. That's a free piece of software; as of this recording version 0.9.0.0 is the newest. There are plenty of other tools from AccessData and other companies that you can use to explore the registry, but this particular tool will be fine for our purposes. So let's go ahead and go to File and Load Offline Hive, and we'll look at them on the desktop, and we'll look at NTUSER.DAT. Now first off, earlier I mentioned that when you delete something out of the registry, unless you perform additional anti-forensics it is very likely that that data can be recovered, those keys and values can be recovered, and in fact if you look here you'll actually see some deleted records. We're not going to worry about that for now, but we're just going to expand ROOT and we're going
to go ahead and go down to Software and Microsoft and scroll on down to Windows and CurrentVersion, and we will look for Explorer. So if you look down at the bottom, Software\Microsoft\Windows\CurrentVersion\Explorer, which is the root of where those first pieces of artifact information are located. Now let's take a look at each of these.

ComDlg32, or common dialog 32, is kind of interesting. Within it, LastVisitedPidlMRU and OpenSavePidlMRU can be found. If you ever noticed that when you launch, let's say, a word processor and you open a file from a specific location or save a file to a specific location, and then maybe a few days later you go back to your word processor and go to File and Open, the last path that you were browsing is still there. Well, that information is actually stored in this particular registry key. LastVisitedPidlMRU actually stores the binaries that have been used to open or save those files, and OpenSavePidlMRU actually contains the files themselves, actually the paths for the files themselves that were opened or saved there. So that information, if you've ever wondered where it is, is located within that registry key. That can provide some information, including information about files that may have since been deleted on the system, but maybe we see evidence that they were at one point browsed to or opened with a particular program. So ComDlg32, and underneath it LastVisitedPidlMRU and OpenSavePidlMRU. By the way, MRU is most recently used. You'll see that throughout the Windows registry; we'll talk more about that in a second.

RecentDocs: if we go over here, and again I'm not going to show you every single one of these because that would take forever, but RecentDocs is a pretty common one. If we look at that, there are actually various things that we can parse through here that will actually show recent things. For example, here's some link files. I've recently opened a Registry Explorer link file, and here is another link file, and here's a NirSoft tools link file. So these kind of things in RecentDocs can actually show recent things that have been interacted with on the system, recent things that have been opened or saved. So RecentDocs is a very common registry key that we'll look at. There are plenty of tools that will parse all these things for you automatically, by the way. In fact RegRipper, which is an awesome utility that's built into the SANS SIFT Workstation (and you know you can download it obviously and use it anywhere you want on any Linux box), will actually parse the registry hives for you and grab all of this information. But I think it's important that you know where it's located anyway and what it does.

So let's look at another one called RunMRU. So if I bring up the Run prompt here and I type in something like notepad, that information is actually stored in the RunMRU key. If we look right here, the first value you see here, or the first one we're going to look at anyway, is MRUList, most recently used list. You can see this "bafedc". That actually corresponds to this. This means that in the Run dialog, in this order, cmd was executed, then just "\", then it looks like powershell.exe, then mspaint, then cmd.exe, and then notepad. So someone actually went to the Run dialog and ran those particular things, and when we say someone, we obviously know which user did it because we have their NTUSER.DAT file, so we know that that particular user is the one associated with running these particular programs from the Run command prompt, or the Run dialog box I should say. So this is a very interesting registry key to parse, obviously, for a number of different reasons.

Now TypedPaths is another interesting one. If we bring up Windows Explorer here and I type an explicit location such as C:\Program Files\CCleaner, that particular path I explicitly typed into Windows Explorer. That would tend to indicate that I knew what I was looking for and I knew of the existence of the path. So another interesting thing is, if we look at this key we'll actually see, and again this came from this very system even though we're looking at an offline hive (I actually grabbed this hive not very long ago, maybe 20 minutes ago), but we'll see a reference to C:\MSF. There is no C:\MSF, so that's interesting. There's actually evidence of a path that once existed that's now been deleted. MSF, hmm, I wonder what that could be. That could be Metasploit Framework, it could be, well, a number of different things, but maybe that would be of interest to us. So we'll actually see that here. That means someone explicitly typed that path into Windows Explorer, as they did with C:\ and also C:\Program Files\Sublime Text 3. So that would tend to indicate that someone didn't just stumble upon it; they explicitly typed that path in Windows Explorer, and you can imagine in an investigation that kind of information will be most useful.

Another thing, or the last thing actually in that first section, was UserAssist. Now UserAssist is one of many different things on a Windows system that will actually show us evidence of application execution. So UserAssist will actually show us when a particular program was executed and how many times it was executed, and obviously we know which user executed it because UserAssist is associated with the HKCU or NTUSER.DAT file for a specific user. So the values within it, these GUIDs actually correspond to various paths, and there's a well-known lookup table for all of this stuff, and within it you'll actually have counts. And there are a bunch of different things here that we can find. For example, this one has 186 objects, but if you look at it, it kind of looks like gibberish here. That's because these values are ROT13 encoded. Now ROT13 is a simple substitution cipher. It basically takes an alphabet and shifts it 13 characters, so A becomes M, B becomes N, so on and so forth. I'm not exactly sure why Microsoft chose to do this. It certainly obfuscates it if you're just looking at the data; it's very, very easy to de-obfuscate it by, you know, googling "ROT13 decoder" or just writing one yourself, which takes only seconds. But there are also a number of different tools that will just parse this particular key for you automatically and pull out all the information in a nice GUI or at the command line. But this information is very useful because we can show again when a particular GUI program was launched on a system, how many times it was launched, and who launched it. So very, very important when we're forensicating a Windows system.

Now if we go back over to the cheat sheet you'll also notice very similar paths here under CurrentVersion: you've got Run and RunOnce, both for current user and local machine. These are locations, one of 50 or more locations in fact on a Windows operating system, where programs can be specified to start upon logon. One of many places where this can happen. In fact if you look at, for example, let's look at Task Manager here and then let's click on the Startup tab. You'll actually see two things listed here, the VMware Tools core service and Windows Defender. So on this system let's load up regedit, actually let's look at it live. So if we look at regedit and we go to HKLM\Software\Microsoft\Windows\CurrentVersion\Run we'll actually see those paths right there. There's VMware Tools and there's Windows Defender. So those are again locations of things that are starting automatically with Windows. The same path exists not only under HKEY_LOCAL_MACHINE, as you can see down here, but the exact same path exists under HKEY_CURRENT_USER, which means user-specific things that are starting at startup.

So in the next section of the video we'll actually talk about something called shellbags, which is one of the oddly named Windows forensic artifacts. We'll actually talk
about what shellbags are and what forensic evidence they can provide. By the way, if I didn't mention it already, this particular cheat sheet again I will link to in the description of the video. You can also find it on my website at 13cubed.com, so if you want to grab it and print out a copy of it for reference, feel free to do that.

Okay, next let's talk about shellbags. What are shellbags? Well, as you can see under HKCU\Software\Microsoft\Windows\Shell there exist some registry keys and values that are of interest to us: BagMRU and Bags. Now most of the time you are not going to parse shellbags manually. You certainly could; in fact you learn how to do that in the class I mentioned previously. But most of the time you'll use a piece of software like ShellBags Explorer or some other utility that will automatically parse that for you. So what is it? Basically, when you visit a particular path in Windows Explorer and you customize the icons and the look and feel of the folder, the window position, the size, the icons, the sorting method, all those things, those are stored in shellbags. The reason why it's important from a forensic standpoint is because shellbags persist for things that have been long since deleted on a system. So we might be able to find entire trees that are completely gone and no longer exist on the system, showing that at one point said path did exist on the system. So there's all kinds of different forensic ways to parse that data, and certainly a lot of advantages to looking at it.

Let's briefly look at, from the same people that brought us Registry Explorer, we've got ShellBags Explorer. So let's load up ShellBags Explorer and let's take a look at the live system. If you recall, earlier there was a path in the root of C: called C:\MSF which no longer exists. If we go to File and then Load Active Registry, it actually gives us a parsing complete message, and it shows how long it took and what it found. But if we go down here we'll notice a ton of stuff that it actually parsed from shellbags. And if we go down to My Computer and then look at the C: drive, we'll actually see an MSF directory. Now it's got some modified information and date information and path information and things like this, but again this path isn't present; it doesn't exist on the file system anymore. So the fact that we can actually see that it once existed, and have some date and time information associated with that, is extremely important. You'll also see things like E:, D: and S: listed here. Now those are other network paths or removable volumes that once were mounted on the system but aren't now. We can go through those and parse those as well and see evidence that perhaps a flash drive was connected at some point and used to browse to a particular folder that contains some sort of, you know, anti-forensics tool or some hacking tool that we're trying to investigate, or maybe some contraband someone was using on the system or copying on the system. We can find that information by parsing these shellbags and looking to see that those paths once existed, and when they existed, and where they existed, and under which user they were accessed. All of those kinds of things can be found by parsing shellbags.

Now there are entire websites devoted to how to understand and utilize shellbags in forensic investigations. I'm not even going to attempt to scratch the surface here. I just want you to understand, when you hear the term shellbags, what is that and what is it used for, and now you know at least the basics. I would encourage you to read more on that. There's actually some SANS gold papers that have been done on that, so you might want to check that out. So again, ShellBags Explorer is a great tool, and there are plenty of other ones that can be used to actually browse those things. They also, by the way, exist in all versions of Windows, so whether you're analyzing Vista all the way up to Windows 10, you're still going to have shellbags to parse.

Now in the next section we're actually going to briefly mention something called UsrClass, that I think I mentioned earlier. It's another section under which a user-specific piece of the registry will be stored, so we'll talk about exactly what that is and I'll show you where it is.

Okay, so now you know what shellbags are, at least at a high level. Let's talk about UsrClass.dat. If we go over here we'll actually see on the cheat sheet that %UserProfile%\AppData\Local\Microsoft\Windows\UsrClass.dat is the path that we're talking about for this particular registry hive. This is something that we will certainly want to get when we grab data from a particular system of interest. So again, this is the path here, and it actually plugs in to the live registry at HKCU\Software\Classes. So UsrClass.dat is actually something that was added in Windows 7, and in fact this Windows 7 shellbags article will actually mention it, but the basic purpose is segmentation from low-integrity processes that do not have permission to read and write to the standard registry; they can do so within UsrClass.dat. If you scroll down on this particular SANS DFIR blog, which is from 5 July 2011, you can actually see that it mentions that you need to parse both NTUSER.DAT and UsrClass.dat, and it also mentions the fact that shellbag information is actually present at this path in UsrClass.dat. So we had just talked about shellbags, but also know that shellbags are not only found in NTUSER.DAT, or HKCU, but also in UsrClass.dat. And again, it even says here, in oversimplified terms, it is used to record configuration information from user processes that do not have access to write to the standard registry hives. So again, it was a security feature added to provide further segmentation within Windows 7 for registry hives. So again, grab UsrClass.dat.

Another important thing to mention is oftentimes FTK Imager is used to grab forensic data from a system. A lot of times people will use the little safe icon here for Obtain Protected Files. Please be aware that, to my knowledge, as of the time this video is being recorded, that button, that icon, does not grab UsrClass.dat from each user profile. It does get NTUSER.DAT, but it doesn't grab UsrClass.dat. So make sure that when you're forensicating a system and grabbing that data that you do grab UsrClass.dat, and again the path for that is AppData\Local\Microsoft\Windows\UsrClass.dat.

So in the next section we're actually going to transition to talking about USB devices. There are obviously tons of different reasons why we want to know which USB devices were plugged into a system at any given time, and what was accessed, and who mounted them, etc. So we'll talk about that in the next section of the video.

Okay, so now let's talk about USB devices. There are obviously a number of reasons why we would want to know what USB mass storage devices or flash drives have been plugged in to a given system, and by analyzing the right registry paths we can find that information. As you can see here, HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR and USB can provide a wealth of information. Now I would like to mention that CurrentControlSet is displayed here. You're only going to see CurrentControlSet on a live system. So on this live system, if I load up regedit and I look at HKLM and SYSTEM, sure enough here is CurrentControlSet. If I'm analyzing a forensic image that I've obtained previously, however, there will be no CurrentControlSet; instead I'm going to analyze ControlSet001. But what if there were ControlSet002, 003 and so on and so forth? How do I know which control set was actually last used on the system? There may be more than one if the system had had trouble starting up or Windows had automatically attempted to correct some sort of issue on startup. If we look at the Select key here and look at the key called Current, it has a value of 1, which would indicate that ControlSet001 is the control
set that we want to analyze. We could make that assumption in this case because there is only one control set, but in forensics we don't make assumptions; we look at the evidence and determine for sure by looking at the correct key, and in this case again ControlSet001 is what we need to be looking at.

So let's get out of the live registry view here and let's actually load up Registry Explorer like we used last time. Now I can tell you, during the last break I took a Samsung USB flash drive that had not previously been connected to this virtual machine and I connected it to it. So I know what the serial number of that device is, so I can identify it here, and we'll actually look at it and see if we can determine some information. So let's Load Offline Hive, let's browse to Desktop and click on SYSTEM. Now according to the cheat sheet we should look at, again this is not a live system so there's no CurrentControlSet, but Enum\USBSTOR and USB. So over here we have got ControlSet001, sure enough there is no CurrentControlSet, Enum, and let's look at USBSTOR. There's one value here, which is correct because there's only been one flash drive that I've recently plugged into this virtual machine. It is a Samsung flash drive, and if I further expand this, this string here is in fact the serial number for this device. Now because the ampersand is near the end of the string, I know that this is likely a globally unique serial number and I would record that information. If, however, I saw an ampersand in the second character of the string, that would indicate that the manufacturer of that flash drive did not follow Microsoft guidelines and did not assign a globally unique serial number to the device, so Windows would automatically generate a serial number that would be unique on that system but not globally unique. In this case this is a Samsung flash drive and it does have a globally unique serial number, and this is it. So I would certainly record this information, ending in 22277. So now I know the make of the flash drive, that it's Samsung, and I know the serial number. If you look over here I also know the last write timestamp of this particular key: 2017-06-03 04:27:34. Now these times, as are all times in Windows, are recorded in UTC. Because this is UTC I would need to convert it, and upon converting it, that would be 12:27 a.m., which was about 30 minutes ago, and that's correct; that's when I first plugged that drive in. So that's an interesting piece of evidence right there: I know the first time the drive was connected. If you look over here I can also see some more easily readable information: Samsung Flash Drive DUO 1100, it says here.

So now let's expand the USB key and we'll see some VID and PID entries. By searching on Google for the VID and the PID we can find various lookup tables for VIDs and PIDs, and we can actually find a more specific hardware make and model of the device by matching the VID and PID to a known database. If I look at the VID and PID listed here, this first VID and PID happen to correspond to the serial number we saw below, 22277. Therefore I know that the VID is 090C and the PID is 1000. If I looked at that information, that would tell me more information about the make and model of this particular Samsung flash drive. So again, good stuff there.

Now the next key listed on the cheat sheet is under the SOFTWARE hive. Because I've opened the SYSTEM hive here, we'll need to switch, so I'll go ahead and Unload All Hives and I'll go to File and Load Offline Hive, and this time I'll choose SOFTWARE. Now while that loads, the path I'm looking for is going to be Microsoft\Windows Portable Devices\Devices. So under the SOFTWARE registry hive, once it loads, we'll browse to that particular path. Now while we're waiting on that, we will actually go back to the SYSTEM hive after we're done parsing that and look at a key called MountedDevices, where we can find additional information. This is a particularly large registry hive, so it may take a little bit to load. Here it is. So now again we're under Microsoft\Windows Portable Devices\Devices. So there's Microsoft, scroll all the way down here, Windows Portable Devices, Devices. Now it appears that I have three listed here. If I mouse over each, I'll actually see that the second one corresponds to the serial number of the device in question. It even says Samsung, and you'll see the 22277 for the serial number. Over here we'll see FriendlyName, and then the data is STICKY. STICKY is in fact the name of the volume for that flash drive that I plugged in. So now we know even more information. Again, if we look at the last write timestamp we can actually see 04:27:35, so we again know in UTC the time and date that particular flash drive was on the system.

So now we'll switch back over to the SYSTEM hive. So once again let's Unload All Hives and let's go to File, Load Offline Hive, SYSTEM. We'll give that a second to churn, and this time we're going to be looking at a key called MountedDevices. So if we look at MountedDevices we'll actually see on the right side many different entries here. So what we'll need to do is match up the serial number in order to find the GUID. Now a GUID is a globally unique identifier. Some people call them "gwids", I call it "goo-id", but whatever; it's a globally unique identifier for that particular item on the system. So let's scroll down to here, and it looks like USBSTOR, Samsung Flash Drive DUO 1100, and you'll see 22277 for the serial number. So this is the device, and now it appears that I can copy this particular value, and now I've got the actual volume GUID for the USB device. This is an important piece of information that I want to record, because the volume GUID would be globally unique on the system, and any other references to that volume GUID could show evidence that that flash drive is used for various things. Now we can also look at the serial number to obtain the drive letter, whatever drive letter was assigned to that device, and you can see right here that sure enough USBSTOR, Samsung Flash Drive DUO Rev 1100, here's the serial number 22277. I therefore know that this was mounted as the E: drive on the system. So now I know the make and the model, the VID and the PID, the serial number, the volume name, that it was mounted as E:, and I even know the first and last time that it was mounted. So all of this information is extremely valuable, and again I would record all this information in an investigation for any USB external devices that would be of interest to me. Now there are numerous tools, including some from a company or individual called NirSoft (N-I-R-S-O-F-T), there's also USB Device Forensics, and several other different utilities that you can use to parse all this information automatically for you, but it is important to understand what those tools are doing and how to find that information manually yourself. Also, as a point, never rely on a single tool. Always have more than one way to get the data, and if you've got two different tools that are giving you two different outputs with conflicting data then you've obviously got a problem. So again, it's important to know where this information is actually located so you can manually parse it should you need to.

Now the next key, which is SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt, which stands for External Memory Device Management, is only going to be present if the device in question is not a solid-state drive. It was actually used for something called ReadyBoost back in Windows Vista, and you can actually find the serial number, to obtain the volume serial number of a USB device. Now the volume serial number will actually be displayed in decimal, but you can convert it to hex. What I mean by that is, if you load up a command prompt here and I type dir, you'll notice right here Volume Serial Number, which is in hex. This is the volume serial number to which we are referring, and the interesting thing about this key is
that again it's not an SSD, you can actually find an entire history of volume serial numbers for the USB devices. Even if the device has been formatted multiple times, you will actually have a history of the volume serial numbers. Now again, this is not the serial number of the device but the volume serial number, so that's a bunch of interesting information that we can also obtain: we can show how many times the device was formatted, what it was previously assigned, what it was called, what the previous volume serial number was, and so on and so forth. Now the next thing we'll look at is the fact that the volume GUID that we found in SYSTEM\MountedDevices can actually help us find the user that mounted the USB device, which is another piece of interesting information. So, by that, if we go to File, Unload All Hives and go to File, Load Offline Hive, this time we'll load up NTUSER.DAT. Now, as we're loading up NTUSER.DAT, which again on a live system is HKEY_CURRENT_USER, we can go to the same key that we mentioned before, the same path we mentioned above, which is Microsoft\Windows\CurrentVersion\Explorer. There's actually another key under here of interest called MountPoints2. I don't know what happened to MountPoints1, I guess that's not important, but MountPoints2 is what we're looking for. So again, the full path of that was Software\Microsoft\Windows\CurrentVersion, so let's go ahead and drill down: Software, Microsoft, Windows, CurrentVersion. Now we're going to go under Explorer, which is where we started with this video, and if we look down here, sure enough, there's MountPoints2. Now according to the cheat sheet here, we can actually use the volume GUID to find the user that mounted the USB device. Well, the volume GUID ends in FB35BE, it appears, so if we take this column and expand it a little bit, there's FB35BE. So now we know, and by the way there's the timestamp associated with it, the last write timestamp, we know that the user last mounted this device at this particular date and UTC time. Now obviously we know what user it is because we're looking at this user's NTUSER.DAT file, which is my user, so now I know that my user mounted this very flash drive. In addition to all the other information, we can add that to the list, so again you can see how that would be very, very powerful. Now we can also find, by parsing SYSTEM\CurrentControlSet (again ControlSet001 or so on and so forth on a non-live system)\Enum\USBSTOR, the vendor, product, version, USB serial number, and then underneath the serial number there's a key called Properties, and this GUID remains the same; it ends in B29. If I look at this GUID and look for the values 0064, 0066 and 0067, I can actually find the first time the device was plugged into the system, the last time the device was connected to the system, and, if we're talking about Windows 8 and later, with Windows 8 and later I can even find the last time the device was unmounted and removed from the system. So again, underneath this long path here there's a Properties key ending in B29 for the GUID, and if I look at 0064, 0066 or 0067 I can find the first time the device was installed, the last time it was connected, and the last removal. Now the last connected time could also be found by looking at the last write time of the Enum\USB\VID_PID key that we looked at earlier or the MountPoints2 GUID key that we just looked at. The first install time can actually be found in setupapi.log or setupapi.dev.log. Now, in Windows XP it was called setupapi.log, located in the root of the Windows folder, and then in Vista and later it actually lives in Windows\inf\setupapi.dev.log, but that actually contains plug-and-play hardware installation information, so it would actually show us the first time that the USB device was actually plugged in, the first time the system saw that USB device. So again, additional information that will be very valuable in an investigation. Now I
mentioned earlier USB Device Forensics; this is an application written by Woanware, and it can automate all of these things, but as I said, you need to know what the tool is doing. Don't just blindly depend on a tool to parse the information for you; you need to understand what it's doing behind the scenes, and maybe you would even want to double-check the tool. Tools aren't perfect, but if you get output from a tool that doesn't look quite right or is not what you're expecting, then go and manually visit these particular registry keys, and you can look and determine whether or not you believe that information is correct. OK, so back to the Windows 10 VM. Let's go ahead and take a look at these last two forensic artifacts for USB devices. So I've got Registry Explorer opened and I've opened the SYSTEM hive, and I've drilled down to ControlSet001\Enum\USBSTOR. I found a particular USB device in question, which is the Samsung device from earlier; you can see the serial number T2277 that we saw earlier. Underneath that, Properties, and underneath that you'll notice in bold is that particular GUID that I referred to earlier that ends in B29. So underneath that you will actually find 0064, 0066 and 0067. Let's take a look at each of these. 0064, and again you can refer to the cheat sheet, that's the first install time. The same information could also be found in setupapi.log, but if you look over here you will notice that 6/3/2017 4:27:34 a.m. UTC was listed as the install time, the first install time for this particular USB device, and that is in fact correct; that is the time I first plugged the device in, 4:27:34. Now 66 right here, 0066, will show the last connected time. The last connected time is the same, 6/3/2017 4:27:34 UTC. That would tend to indicate that the first time I used the device was the last time I used the device, so I plugged the device in once to this VM, and that is in fact correct. So, another useful piece of information. Again, you could also find similar information by looking at the last write time of the USB serial number key under Enum\USB\VID_PID, or you can look at the MountPoints2\GUID last write time, as we mentioned earlier, to find the last connected time, but again that's 66. And now if we go down to 0067, which is available in Windows 8 and later, we'll actually see the last removal time. You can see about a minute later, 4:28:40 UTC, I removed the drive from the system, and that is absolutely correct; I had it in there for around a minute or so and ejected the drive. So again, these particular keys and values provide additional forensic information about USB devices, and certainly this information could be very valuable during the forensic investigation. And then of course I mentioned that setupapi.log under XP, or setupapi.dev.log under Vista and later, will contain a lot of useful information as well, specifically with regards to the information you would see in 0064 about first install. You can see here I've got Notepad, C:\Windows\inf\setupapi.dev.log. Now if we pull that up, sure enough, here is the device install log for this particular computer, and if you scroll down through here you would also be able to find the same information that you could find in the 0064 key. So let's go back over to the cheat sheet, and now it's time to move on to the next section, which is basically going to be a combination of miscellaneous information that
you may want to grab when you're conducting a forensic investigation, so we'll take a look at that next. OK, so let's head back over to the Windows 10 VM and take a look at some of these miscellaneous registry keys that may provide useful information during a forensic investigation. You can follow along on the cheat sheet starting here. So I've got the SYSTEM hive still open with Registry Explorer, I'm under ControlSet001, and let's go ahead and drill down underneath that to Control and TimeZoneInformation. Any time we are conducting a forensic analysis of a system, the time zone information is going to be very, very critical, so you would certainly want to record that before you begin your analysis; that way any time zone conversions that you make or event correlation you perform is accurate. A lot of times when we forensicate a workstation we'll choose to work in UTC so that we don't have to worry about any daylight saving time conversions, but perhaps we are writing a report or providing some additional information; it is also necessary to know what time zone the computer is in for performing any of those conversions. And again, you can see here the TimeZoneKeyName is Eastern Standard Time, so again very important information here, and we would certainly want to record that. Another thing underneath Control would be the computer name, the computer name of the particular computer that we're analyzing. So if you go up here to ComputerName and drill down to ComputerName, and then underneath that, ComputerName, we finally have the name of the computer, which in this case is Catan VM; that's a Star Trek: The Next Generation reference, if you get that, but this is the name of this particular VM. So again, another important piece of information that we might want to record during a forensic investigation. Now the next key that we're going to look at is not under Control but it's actually under Services, and underneath that we're going to scroll down to LanmanServer, and LanmanServer is actually going to have some information with regards to any shares that are configured on the system. So under LanmanServer we'll see Shares, and we actually have none on the system, which is correct; I don't have any particular shares other than the default admin shares, you know, C$ and so on and so forth, but if I had any shares configured on the system I would find them there. So again, this is another useful piece of information on a forensic workstation that may be applicable to your investigation, and you may want to record that information. Another one under Control, again if we go back there, is a particular key underneath Control that is called FileSystem, and FileSystem, if we look at it, actually has a very long value called NtfsDisableLastAccessUpdate. So if you're familiar with Windows timestamps, which we really haven't discussed here, you've got what's called MACB times: that's modified, accessed, changed and birth, MACB. Those refer to timestamps that are collected within the NTFS file system for different objects within the NTFS file system, for different files and things of that nature. So we've got, for any given file, a modified time, an access time, an MFT record change time and a birth time, which is the file's creation time. By default, NtfsDisableLastAccessUpdate, which we will find here in this particular area, is set to 1, which means it is disabled. That means that access timestamps, in other words the A in the MACB, the access timestamps, are off by default, which means that simply accessing a file will not necessarily change the access timestamp associated with that file. That's done likely for performance reasons, and while you could go in and modify this, it is not something that is normally done, and it is turned on, which means it is disabled by default. So you may want to take note of that, and it may be different on the system you're analyzing, but it's unlikely, and again that means that the access timestamps should not necessarily be updated every
time a file is accessed; they are updated under various circumstances, and we'll get into that in a future video, but that is an interesting registry key to note. So, moving down the cheat sheet here, if we go back to Services, there are other pieces of information here that will certainly be valuable to a forensic investigation. So going down to Services, we can scroll down all the way near the bottom to Tcpip. One can actually get a wealth of information with regards to the network configuration on this particular system. Now we're also going to talk about that in some future artifacts here on the cheat sheet, but if we just wanted to record, for example, some information about the interfaces configured, we can drill down into Tcpip\Parameters\Interfaces, and we've got various interfaces here, and as you can see here on this first one I've got the DHCP IP address, the subnet mask, the DHCP server, the lease time and various other pieces of information here, and the same information was recorded for these other adapters as well. So certainly very important information that we would definitely want to record during a forensic investigation: what IP address was assigned to this particular system when we're forensicating it. So again, this is under the Services\Tcpip\Parameters\Interfaces configuration here, so again very, very important. This displays interfaces and their associated IP address configurations, and you'll certainly want to record the interface GUIDs as well here in your forensic notes. So next we're going to move on to something called Network Location Awareness, which was actually something that was added in Vista and later, so that'll be our next section of the video. OK, Network Location Awareness, or NLA, was included in Windows Vista and later, and what it does is it aggregates network information for all the different networks that a particular PC is connected to. It generates a GUID for each network, which is almost like a network profile. Now the Windows Firewall will use that information to apply firewall rules to the appropriate profile, but we as forensic investigators can use that information to find evidence of every network that a machine is connected to using these NLA registry keys. So looking at our cheat sheet, it says here to check the last write time of the key to determine the last time a PC connected to a particular network, so again very important information can be gleaned from this particular key under Software\Microsoft\Windows NT (not Windows)\CurrentVersion\NetworkList. So back on our Windows 10 VM here, I've actually gone ahead and opened the SOFTWARE hive with Registry Explorer, and I've drilled down, as you can see, to Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged, and underneath this I've actually got three different profiles that appear. So I'll click on the first one and I'll see things like DefaultGatewayMac, which is in fact the MAC address of the gateway used for this particular connection. Now obviously I can glean some information from this: I could take the first half of the MAC address, which is the OUI, and determine the organization to which that OUI was assigned, so that might be interesting. I can look at the DnsSuffix, in this case not very interesting, it's just localdomain, but it may be a corporate network or something to that effect. FirstNetwork, which on a wireless connection will actually read the SSID of the network, and then the ProfileGuid, which we'll want to take note of for each of these; in this case it ends in BC6. So referring back to the cheat sheet, there's actually a Profiles key here, and underneath that, here's BC6, and if I refer to it there'll actually be a NameType value here. 6 is indicative of a wired network, 47 would be indicative of a wireless network, and 17 would be a broadband network, something like a cellular modem connection or WWAN, something like that. So we'll also find here DateCreated and DateLastConnected. Now these are kind of odd-looking dates; the reason why is because that's actually a 128-bit Windows SYSTEMTIME structure stored in UTC. So I know we were talking about time conversion earlier; there's actually a neat little utility I'd like to mention, it's called DCode. This particular version is 4.02a, and this neat little utility will convert all kinds of time and date values. If we look at the drop-down here, it's not just Windows either; it'll do Windows and Linux and Unix timestamps of various kinds, but I'm going to select Windows 128-bit SYSTEMTIME structure. Now this particular data actually has dashes in it; it does not want the dashes, I can tell you from experience, and I've gone ahead and copied it and removed the dashes. So I'll copy that, which ends again in B01, which you can see is the DateCreated time here; I'm going to paste it here and click Decode, and you'll actually see, apparently, this DateCreated date is actually Monday, 6 February 2017, 19:38. So, very interesting information. I could do the same thing for DateLastConnected to actually determine both the first and last time this particular network was used, and of course I can do that for each of these profiles. So as you can see, the NLA information here would be very valuable in the system. Now it's also important to note, if you look back at the cheat sheet, that there's also HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup, which will also store some network-related information in some cases, and back in the Windows XP days we actually found the same thing under Software\Microsoft\WZCSVC\Parameters\Interfaces and a GUID; that was the Wireless Zero Configuration service, and you could use the last write time of the key there to determine the last time the network was connected. So back to our cheat sheet, let's go ahead and move on to the next section, which is link file analysis. OK, it's time to have the talk, the talk about link files. Do not ignore LNK files in your forensic investigation; they contain a wealth of data. Now you may
be familiar with these files from manually creating shortcuts to programs or various other things on your system, but you may not realize that Windows automatically creates link files for a number of different actions that you perform on the system. If we go over to the Forensics Wiki website, which is a fantastic digital forensics resource, and look at the LNK file article here, we'll actually see that it says the Windows shortcut file has the extension .lnk, and it's basically a metadata file that's used throughout the Windows platform. Now the signature of the file is 0x4C, as you can see here, 4C 00 00 00, for carving for them, which is something we often do, but you may not realize all the different metadata associated within one of these files. For example, the MAC times of the target that the link file is referring to can be found within that link file, as well as the original path of the file, the size, the serial number of the volume where it was stored, the network volume share information, the attributes, even in some cases the MAC address of the host computer on which the link file existed, and various other pieces of information. Now this is important because let's say there's a very important file that you believe once existed on the system, but it's been erased, maybe securely erased. What the person may have forgotten to do is delete the link files associated with that file, and we can glean a huge amount of information and prove that the file once existed on the system by analyzing those link files. So if we go back over to our Windows 10 VM, we can see here that I'm in my user profile under AppData\Roaming\Microsoft\Windows\Recent. So on the desktop here I'm actually going to right-click and create a new text document; we'll call it secret.txt, and we'll just go ahead and say "this is a secret file". I'll go ahead and close and save it, and now you'll notice secret.txt on the desktop; you'll notice secret.txt here under Recent Items, but this is actually secret.txt.lnk. This is the link file associated with the creation of secret.txt. So let's copy this file and let's take it over to the SIFT workstation and paste it, and let's use ExifTool, which is commonly used to analyze metadata from pictures and various other files, and if we do that we'll actually see that there's a good bit of information that we can glean from this particular link file. We can see the original file size of the target along with the MAC times, we can see information about the attributes associated with the file, we can see the original path of the file, the fact that it was on a fixed disk, the label of the volume on which it was accessed, which is OS, the working directory, even the name of the machine on which the file existed. So, a huge amount of information. Now there are also utilities from TZWorks like lp.exe, which is referenced in the cheat sheet, and various other utilities that can analyze link files as well, but the important thing to know is do not ignore them. If you're performing triage on a system and you're grabbing subsets of the information you need to perform forensic analysis on a system, and you grab the registry hives, let's say, and, you know, NTUSER.DAT and UsrClass.dat and various other things on the system, do not ignore LNK files; grab them. If you're building a custom content image with FTK Imager, for example, make sure you include LNK files as part of that data that you grab, because there are plenty of things here that will help you within the investigation. Now looking at the cheat sheet, you'll also notice there are a couple of subdirectories that can exist called AutomaticDestinations and CustomDestinations. These are associated with something called jump lists, which were things that were introduced with Windows 7; it is actually a feature of Windows 7, and what it does is it actually provides on the taskbar a way to quickly access files that you've recently interacted with. For example, if you have Word on the taskbar and you hovered over it you might see a list of recent files that you've interacted with with Word, so AutomaticDestinations and CustomDestinations just contain additional link files that can be analyzed. I'm not going to get into the specifics here, but I would encourage you to read this article about jump lists on the Forensics Wiki, as well as the original article I showed you about Windows shortcut files in general, and again there are a number of different utilities that can parse these files, but the important thing to take away from this is learn more about link files and do not ignore them in your investigations. So, this video is getting fairly long at this point; as you can see, we've only scratched the surface of the vast majority of things that are available here on a Windows system to analyze and forensicate, and we'll actually move into our final section next, which is going to talk about Prefetch and SuperFetch. OK, we are now in the final section of this video, and if you've made it this far, thank you for watching. We're now going to discuss the prefetcher and SuperFetch, both of which are part of the Windows memory manager. Now the prefetcher was a less capable version included in Windows XP, but it was actually extended by something called SuperFetch in Windows Vista. We also had in Windows Vista ReadyBoost and ReadyBoot, if you remember those; all three of these have in common the fact that they attempt to improve the user experience by caching data that is frequently used and accessed in the system to make it faster for the user. So like all of the other forensic artifacts that we've looked at, these things were put here by Microsoft to again perform some other function other than forensics, but as forensic investigators we can leverage this to show evidence of application execution. Now in the beginning of the video, if you recall, we talked about UserAssist, which showed evidence of GUI-based application execution, and that was a registry key tied to a specific user, so it was in the current
user hive, the NTUSER.DAT file. So with the prefetcher, we can actually look at evidence of application execution globally for all users on the system, and it would include not only GUI-based applications but things run from the command line as well. Now because this is not a registry key, it's not tied to a specific user per se, but we can still gain a wealth of information by analyzing these files. If you look, I'm in Windows\Prefetch on this particular Windows 10 VM, and you'll see various things: executables in all caps like CALC.EXE followed by a dash and then what looks like a random string of characters. Those random-looking characters are actually a hash of the file's path on the system. So for example, with cmd.exe there's only one prefetch file associated with it, but if there were another cmd.exe on the system living in a different location, we would actually have a second prefetch file for it with a different hash, indicating that it's a different path on the system, which might be of interest in and of itself, the fact that we would have more than one cmd.exe present. So there are a number of tools that can analyze these particular files, but the one I'm going to show you is WinPrefetchView, which I've already loaded here. This is a tool from NirSoft; they make a number of different free forensic utilities that provide all kinds of useful information, so you might want to check those out. What I'm going to do is run a particular piece of software, really a program, called winver, which just displays the About Windows dialog box. Now I'm just going to close this. I have not run this previously, so the reason why I did that was to show you that there is no winver present, there's no prefetch file, but if I refresh the screen here, I can actually go down and I see winver now, and if I double-click on it I'll actually see some interesting information, including the process executable name, the path, the run counter and the last run time, showing that I've run it once and it was last run on this particular date. If I run it again and then once again refresh the data and double-click on it, you will notice the run counter is now 2 and I have two timestamps for last run time. So very interesting information can be gleaned from this, and again this is not just for GUI-based applications, as was UserAssist. And by the way, there are certainly other things that we can look at to determine evidence of application execution, things like RecentFileCache.bcf and Amcache; I'm not going to cover those in this video, but perhaps in a future video we'll discuss this. So in this video, this is the second thing that we've looked at; in addition to UserAssist, we've now got Prefetch that can show us evidence of application execution on a system. Now the final thing I'll show you is in the registry; there is actually a key, which we'll go ahead and load up regedit and look at the live registry on the system. There's a key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters; you can see the full path here at the bottom. The EnablePrefetcher value has a value of 3, which if you look at the cheat sheet you'll see that's the default, which does mean that application and boot prefetching are enabled. Now if you do not have prefetch files on a particular system, it could be because this is disabled. It is important to note that on Windows Server operating systems prefetch is not turned on by default, so that might be something interesting to know, but if you're analyzing a desktop operating system, prefetch again will provide you with a wealth of information, and certainly you would want to grab PF files when you create custom content images. I mentioned before the importance of link files; well, certainly don't forget PF files either, because they'll show us all kinds of important information with regards to applications that have been launched on the system. So that concludes this video. I'm sorry if it went a little long, but there were a lot of things to cover, as you can see, and we've only scratched the surface of the wealth of forensic artifacts that are available in the Windows operating system. I'll probably do some future videos to cover more specific things, but at this point I think if you've covered the content of this video you'll have at least a solid foundation for the basic and very common Windows forensic artifacts that we often look at. So again, I'd like to invite you to subscribe to the channel, like the video, and all the other YouTube stuff that I'm supposed to say at the end of every video, and I would like to thank you for watching.
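For the USB device Properties values (0064/0066/0067) and the NLA DateCreated/DateLastConnected values discussed above, here is an added Python example (not code from the video, Registry Explorer or DCode) that decodes both raw formats, FILETIME and 128-bit SYSTEMTIME, and tolerates the dashes Registry Explorer shows; the device property GUID and all sample values are stated in the comments as assumptions or constructed data.

```python
"""Decode the two Windows time formats that appear in the registry keys above.

Added example, not code from the video or the tools it mentions. The USBSTOR
Properties values 0064/0066/0067 (and every key's LastWrite time) are 64-bit
FILETIMEs; the NetworkList profile values DateCreated/DateLastConnected are
128-bit SYSTEMTIME structures. All sample values below are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Property ids below the Properties GUID that ends in ...b29 (assumed to be
# {83da6326-97a6-4088-9453-a1923f573b29}); 0067 only exists on Windows 8+.
USB_PROPERTY_LABELS = {"0064": "first_install", "0066": "last_arrival",
                       "0067": "last_removal"}


def hex_to_bytes(text: str) -> bytes:
    """Accept the value as Registry Explorer shows it, dashes or spaces included."""
    return bytes.fromhex(text.replace("-", "").replace(" ", ""))


def filetime_to_datetime(raw: bytes) -> Optional[datetime]:
    """8-byte little-endian FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    ticks, = struct.unpack("<Q", raw)
    if ticks == 0:  # an all-zero value means 'never set', not 1601-01-01
        return None
    return _EPOCH_1601 + timedelta(microseconds=ticks // 10)


def systemtime_to_datetime(raw: bytes) -> datetime:
    """16-byte SYSTEMTIME: eight little-endian WORDs (year, month, day of week,
    day, hour, minute, second, milliseconds). NLA stores it in UTC."""
    if len(raw) != 16:
        raise ValueError("SYSTEMTIME must be exactly 16 bytes")
    year, month, dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    dt = datetime(year, month, day, hour, minute, second, ms * 1000,
                  tzinfo=timezone.utc)
    # SYSTEMTIME counts Sunday as 0, Python counts Monday as 0. A mismatch
    # usually means the bytes were mis-copied or are not a SYSTEMTIME at all.
    if dow != (dt.weekday() + 1) % 7:
        raise ValueError("day-of-week field does not match the date")
    return dt


def usb_device_times(properties: Dict[str, bytes]) -> Dict[str, Optional[datetime]]:
    """properties maps the 0064/0066/0067 subkey name to its raw value.
    A missing 0067 (Windows 7 and earlier) yields None rather than an error."""
    return {label: filetime_to_datetime(properties[key]) if key in properties else None
            for key, label in USB_PROPERTY_LABELS.items()}


def nla_profile_times(profile: Dict[str, bytes]) -> Dict[str, datetime]:
    """profile maps the value names of one NetworkList Profiles key to raw bytes."""
    return {name: systemtime_to_datetime(profile[name])
            for name in ("DateCreated", "DateLastConnected") if name in profile}


# Constructed samples: first install and last arrival 2017-06-03 04:27:34 UTC,
# removal 66 seconds later; profile created Monday 2017-02-06 19:38:00 UTC.
_FT_ARRIVAL = 131409376540000000
SAMPLE_USB_PROPERTIES = {
    "0064": struct.pack("<Q", _FT_ARRIVAL),
    "0066": struct.pack("<Q", _FT_ARRIVAL),
    "0067": struct.pack("<Q", _FT_ARRIVAL + 66 * 10_000_000),
}
SAMPLE_NLA_PROFILE = {
    "DateCreated": hex_to_bytes("E1-07-02-00-01-00-06-00-13-00-26-00-00-00-00-00"),
}

if __name__ == "__main__":
    for label, when in usb_device_times(SAMPLE_USB_PROPERTIES).items():
        print(f"USB {label:14} {when}")
    for name, when in nla_profile_times(SAMPLE_NLA_PROFILE).items():
        print(f"NLA {name:17} {when}")
```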
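For the link file section above, here is an added Python example (not code from the video, ExifTool or TZWorks) that decodes the fixed ShellLinkHeader of a .lnk file, the part that carries the target's MAC times, size and attributes, and finds that header's signature inside an arbitrary blob the way a carver would; the sample header is constructed to resemble the secret.txt shortcut from the demonstration.

```python
"""Parse and carve the ShellLinkHeader of a Windows .lnk file (MS-SHLLINK 2.1).

Added example, not code from the video, ExifTool or TZWorks. The fixed 76-byte
header holds the target's MAC times, size and attributes, which survive after
the target file itself has been deleted. The sample header is constructed.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

LNK_HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
# Carving signature: HeaderSize (4C 00 00 00) immediately followed by the CLSID.
LNK_MAGIC = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
_HEADER_FMT = "<I16sIIQQQIIIHHII"  # 76 bytes

LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation", 0x80: "IsUnicode"}
FILE_ATTRIBUTES = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
                   0x10: "DIRECTORY", 0x20: "ARCHIVE"}


def _filetime(ticks: int) -> Optional[datetime]:
    """FILETIME (100 ns ticks since 1601-01-01 UTC); zero means not set."""
    if ticks == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def _bit_names(value: int, table: Dict[int, str]) -> List[str]:
    return [name for bit, name in table.items() if value & bit]


def parse_lnk_header(data: bytes) -> Dict[str, object]:
    """Decode the header fields a triage analyst cares about."""
    if len(data) < LNK_HEADER_SIZE or not data.startswith(LNK_MAGIC):
        raise ValueError("not a ShellLink header")
    (_, _, flags, attrs, ctime, atime, wtime, size, _icon, show, _hotkey,
     _, _, _) = struct.unpack(_HEADER_FMT, data[:LNK_HEADER_SIZE])
    return {
        "link_flags": _bit_names(flags, LINK_FLAGS),
        "file_attributes": _bit_names(attrs, FILE_ATTRIBUTES),
        "target_created": _filetime(ctime),
        "target_accessed": _filetime(atime),
        "target_modified": _filetime(wtime),
        "target_size": size,  # low 32 bits of the target's size
        "show_command": show,
    }


def carve_lnk_offsets(blob: bytes) -> List[int]:
    """Offsets of every ShellLink header in an arbitrary blob (unallocated
    space, a memory image, a pagefile); the signature a carver matches on."""
    offsets, pos = [], blob.find(LNK_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(LNK_MAGIC, pos + 1)
    return offsets


# Constructed sample: a 21-byte archive file created 2017-06-03 04:30:00 UTC,
# with the flags Explorer commonly sets for a Recent Items shortcut.
_SAMPLE_FT = 131409378000000000
SAMPLE_LNK_HEADER = struct.pack(
    _HEADER_FMT, LNK_HEADER_SIZE, LNK_CLSID, 0x01 | 0x02 | 0x08 | 0x10 | 0x80, 0x20,
    _SAMPLE_FT, _SAMPLE_FT, _SAMPLE_FT, 21, 0, 1, 0, 0, 0, 0)
# Two headers buried in padding, to carve from.
SAMPLE_BLOB = bytes(37) + SAMPLE_LNK_HEADER + b"junk" + SAMPLE_LNK_HEADER

if __name__ == "__main__":
    for field, value in parse_lnk_header(SAMPLE_LNK_HEADER).items():
        print(f"{field:16} {value}")
    print("headers carved at", carve_lnk_offsets(SAMPLE_BLOB))
```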
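For the prefetch section above, here is an added Python example (not code from the video or from NirSoft's WinPrefetchView) that groups NAME-HASH.pf file names to flag an executable seen under more than one path hash, reads the header of an uncompressed prefetch file, recognises a Windows 10 MAM-compressed file instead of mis-parsing it, and interprets the EnablePrefetcher value; the hashes and headers below are constructed, not real prefetch data.

```python
"""Triage the Windows Prefetch folder from file names and file headers.

Added example, not code from the video or from NirSoft's WinPrefetchView.
All sample names, hashes and headers are constructed.
"""
import re
import struct
from collections import defaultdict
from typing import Dict, List

PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)
SCCA_VERSIONS = {0x11: "Windows XP/2003", 0x17: "Windows Vista/7",
                 0x1A: "Windows 8.1", 0x1E: "Windows 10"}
# EnablePrefetcher: 0 off, 1 application launch, 2 boot, 3 both (client default)
ENABLE_PREFETCHER = {0: (False, False), 1: (True, False),
                     2: (False, True), 3: (True, True)}


def group_prefetch_names(names: List[str]) -> Dict[str, List[str]]:
    """Map each executable name (upper-cased) to the path hashes seen for it."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for name in names:
        m = PF_NAME.match(name)
        if m:  # skip non-prefetch entries such as Layout.ini
            groups[m["exe"].upper()].append(m["hash"].upper())
    return dict(groups)


def multi_path_executables(names: List[str]) -> List[str]:
    """Executables with more than one prefetch file, i.e. run from several paths;
    a second cmd.exe living outside System32 shows up here."""
    return sorted(exe for exe, hashes in group_prefetch_names(names).items()
                  if len(set(hashes)) > 1)


def parse_pf_header(data: bytes) -> Dict[str, object]:
    """Decode the start of a prefetch file. Windows 10 writes them compressed
    (LZXPRESS Huffman) behind a 'MAM' header; those must be expanded first."""
    if data[:3] == b"MAM":
        usize, = struct.unpack("<I", data[4:8])
        return {"compressed": True, "uncompressed_size": usize}
    if len(data) < 80 or data[4:8] != b"SCCA":
        raise ValueError("not a prefetch file")
    version, = struct.unpack("<I", data[0:4])
    file_size, = struct.unpack("<I", data[12:16])
    exe = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    path_hash, = struct.unpack("<I", data[76:80])  # same hash as in the file name
    return {"compressed": False,
            "version": SCCA_VERSIONS.get(version, f"unknown (0x{version:X})"),
            "file_size": file_size, "executable": exe,
            "path_hash": f"{path_hash:08X}"}


def enable_prefetcher_meaning(value: int) -> Dict[str, bool]:
    """Which kinds of prefetching the registry value turns on."""
    app, boot = ENABLE_PREFETCHER.get(value, (False, False))
    return {"application": app, "boot": boot}


# Constructed samples (hashes are made up, not computed prefetch hashes).
SAMPLE_PF_NAMES = ["CALC.EXE-77FDF17F.pf", "CMD.EXE-4A81B364.pf",
                   "CMD.EXE-8E75B5BB.pf", "WINVER.EXE-D8E4DC93.pf", "Layout.ini"]
SAMPLE_PF_V17 = (struct.pack("<I", 0x17) + b"SCCA" + struct.pack("<I", 0x11)
                 + struct.pack("<I", 12345)
                 + "WINVER.EXE".encode("utf-16-le").ljust(60, b"\x00")
                 + struct.pack("<I", 0xD8E4DC93) + bytes(4))
SAMPLE_PF_MAM = b"MAM\x04" + struct.pack("<I", 65536) + bytes(8)

if __name__ == "__main__":
    print("run from more than one path:", multi_path_executables(SAMPLE_PF_NAMES))
    print(parse_pf_header(SAMPLE_PF_V17))
    print(parse_pf_header(SAMPLE_PF_MAM))
    print("EnablePrefetcher=3 ->", enable_prefetcher_meaning(3))
```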