Windows 7 Registry Artifacts
ACCESSDATA® FORENSICS: Forensic Analysis, Incident Response, eDiscovery, Information Assurance
Introduction

Module Objectives
• Registry files of forensic importance
  – NTUSER.DAT
  – SAM
  – SYSTEM
  – SOFTWARE
  – SECURITY

NTUSER.DAT – Typed URLs
• Addresses either typed or copied into the browser address bar
• Tracks up to the last 25 entered
• The last one entered is on top

MRUs – Recent Docs
• Stored by extension
• Stores the last 10 of each extension type (0-9)
• Creates a new extension subkey when a new file type is opened

MRUs – ComDlg32
• Windows 7 displays 5 subkey sets:
  – CIDSizeMRU
  – FirstFolder
  – LastVisitedPidlMRU
  – LastVisitedPidlMRULegacy
  – OpenSavePidlMRU

ComDlg32 – CIDSizeMRU
• This subkey tracks applications globally
• 592-byte values
• Little data beyond the application name/extension

ComDlg32 – FirstFolder
• Tracks the general install location of applications
• In some instances, it will point to a user location

ComDlg32 – LastVisitedPidlMRU
(Screenshot entry) Registry Viewer.exe: J:\ _WIN7 3 Day\test regback

ComDlg32 – LastVisitedPidlMRULegacy
• Windows 7: the Legacy subkey tracks 32-bit application data

MRUs – ComDlg32
• Stored by extension
• Stores the last 20 (0-19)
• Creates a new extension subkey when a new file type is opened
Note: The MRU list is stored in hex while the value name is in decimal

ComDlg32 – OpenSavePidlMRU
It makes a difference to these values where the document was stored. External drives show the drive letter at offset 23.

ComDlg32 – OpenSavePidlMRU
User-created locations are also displayed at offset 23. However, paths to known Windows folders are not displayed.
This file was stored in My Documents.

ComDlg32 – OpenSavePidlMRU
This was a document on the “Desktop”: the value archives the path statement from there without identifying the Desktop origin.
This was in “My Documents”, and the 12,560-byte value identifies the full path at the end.

PIDL – Pointer to an Item Identifier List
• MS has virtual or “shell” folders, for example:
  – My Computer
  – My Documents
• Stored as a series of values (Item IDs, one per object) rather than a path, as these folders don’t exist in the file system
(Figure: Shell Folders, User Created Folders, PIDL)

MRUs – RunMRUs
• Stored commands from the Run box
• Stores the last 10 (a-j)

MRUs – MS Office 2007 / 2010
• File MRU in Office 2007 records the last 50 accessed docs
• Functional in Excel, PowerPoint, and Word (2010 also includes Access)

MRUs – MS Office 2007 / 2010
• Office 2007 has a date / time identifier in the MRU
• 64-bit Windows date / time stamp identifying:
  – Excel – last opened by user
  – PowerPoint – last saved by user
  – Word – last opened by user
Note: This date stamp is stored in Unicode and in a big-endian format. Registry Viewer currently does not have a converter that can read the values.

MRUs – MS Office 2007 / 2010
Copy and decode the format to view the date / time of the save

Windows 7 – Start > Searches

Windows 7 – Start > Searches
• Set the folders to index at: Control Panel > Indexing Options
• The registry WorkingSetRules key displays both default and user-created index locations

TypedPaths – Windows Explorer
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths

Windows 7 – UserAssist
• Different GUIDs from previous versions:
  – CEBFF5CD-ACE2-4F4F-9178-9926F41749EA
  – F4E57C4B-2036-45F0-A9AB-443BCFE33D9F
• GUIDs are also used to identify paths
• Offsets have changed:
  – Number of application launches
  – Last date/time launched
• Session ID has been removed
• The count value now starts at “1” instead of “5”

Windows 7 – UserAssist
• Different GUIDs for the Count subkeys
• ROT13 encoding of the value names
• Date and time of last launch – offsets 60-67
• Number of launches – offsets 4-7
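As an added example (not code from the AccessData slides), the following Python decodes one Windows 7 UserAssist Count entry using exactly the layout given above: ROT13 value name, launch count in the DWORD at offsets 4-7, last-launch FILETIME in the QWORD at offsets 60-67. The sample value and its path are constructed; the remaining bytes of the 72-byte value are left zero.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Added example, not code from the AccessData slides. Decodes one Windows 7
# UserAssist Count entry using the layout the slides give: ROT13 value name,
# launch count in the DWORD at offsets 4-7, last-launch FILETIME in the QWORD
# at offsets 60-67. The other bytes of the 72-byte value are left zero here.

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """100 ns ticks since 1601-01-01 UTC -> timezone-aware datetime (UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; integer math avoids float rounding."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def decode_userassist(name, data):
    """Return (decoded name, launch count, last launch datetime or None)."""
    if len(data) < 68:
        raise ValueError("Windows 7 UserAssist values are 72 bytes; got %d" % len(data))
    decoded = codecs.decode(name, "rot_13")  # ROT13 leaves digits, braces and slashes alone
    count = struct.unpack_from("<I", data, 4)[0]       # offsets 4-7
    ft = struct.unpack_from("<Q", data, 60)[0]         # offsets 60-67
    last = filetime_to_datetime(ft) if ft else None    # zero means no timestamp recorded
    return decoded, count, last


# Constructed sample: a ROT13-encoded value name and a 72-byte value for a
# program launched 7 times, last on 2011-01-19 21:34:37 UTC.
SAMPLE_NAME = codecs.encode(r"C:\Windows\System32\notepad.exe", "rot_13")
_buf = bytearray(72)
struct.pack_into("<I", _buf, 4, 7)
struct.pack_into("<Q", _buf, 60,
                 datetime_to_filetime(datetime(2011, 1, 19, 21, 34, 37, tzinfo=timezone.utc)))
SAMPLE_DATA = bytes(_buf)

if __name__ == "__main__":
    print(SAMPLE_NAME)
    print(decode_userassist(SAMPLE_NAME, SAMPLE_DATA))
```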

Protected Storage
• Storage1 – Queries and form data
• Storage2 – Stored logon passwords

Protected Storage
• Encrypted using the Windows DPAPI (Data Protection Application Programming Interface)
• The cryptographic system uses:
  – User’s logon password
  – Protect folder
  – URL or query header

Cracking Protected Storage DPAPI
• Export from the image:
  – NTUSER.DAT of the suspect (stored encrypted data)
  – SAM and SYSTEM files (for the logon password)
  – Low History index.dat file (for website passwords)
  – User’s Protect folder (DPAPI encryption keys)
• Attack the user’s logon password:
  – Drop the SAM file into PRTK
  – Point PRTK to the SYSTEM file
  – Create an empty text file to parse results to

Cracking Protected Storage DPAPI
NTUSER.DAT Protected Storage Attack - PRTK
(Figure: Protect Folder, Logon Password, index.dat History, Results - Text File)

UsrClass.dat - MuiCache
(Figure: MuiCache in Windows 7 and Windows XP)

D&T Synch via Internet – File Sys

D&T Synch via Internet - Registry
SYSTEM\ControlSet###\services\W32Time\Parameters, value Type:
• Type = NTP (enabled)
• Type = NoSync (disabled)

Transition to 64-bit Windows
• Requires 32-bit backwards compatibility
• Requires a few tricks to run 32-bit apps
• File system: 32-bit utilities are in Windows\SysWOW64; System32 contains the 64-bit utilities
• Registry: 32-bit keysets are under Wow6432Node, located in these files:
  – NTUSER.DAT
  – SOFTWARE

SAM – Multiple Profile Issues
0x000003F6 = 1014 decimal

SAM File Information
• Resolution of SID to user
• User profiles/names
• Password hint
• User tile (user icon)

SAM File – F Value Properties
F value:
• RID – offsets 48-49
• Last logon time – offsets 8-15
• Logon count – offsets 66-67
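As an added example (not code from the AccessData slides), this Python pulls the three fields listed above out of a SAM user's F value and ties them back to the hex Users subkey name (0x000003F6 = 1014 from the earlier slide). The RID field is a little-endian DWORD at offset 48; the slides cite bytes 48-49 because the upper two bytes are zero for ordinary RIDs. The 80-byte sample F value is constructed; fields the slides do not list are left zero.

```python
import struct
from datetime import datetime, timedelta, timezone

# Added example, not code from the AccessData slides. Extracts the fields the
# slides list from a SAM user's F value: last logon FILETIME at offsets 8-15,
# RID at offset 48 (bytes 48-49 on the slides; the field is a little-endian
# DWORD whose upper bytes are zero for ordinary RIDs), logon count at 66-67.

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """100 ns ticks since 1601-01-01 UTC -> timezone-aware datetime (UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used only to build the sample."""
    delta = dt - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds) * 10


def rid_from_subkey_name(name):
    """Users subkey names such as 000003F6 are the RID in hexadecimal."""
    return int(name, 16)


def parse_f_value(data):
    """Return the RID, last logon time and logon count from an F value."""
    if len(data) < 68:
        raise ValueError("F value too short for the listed fields: %d bytes" % len(data))
    ft = struct.unpack_from("<Q", data, 8)[0]            # offsets 8-15
    rid = struct.unpack_from("<I", data, 48)[0]          # offsets 48-51 (48-49 carry the value)
    logon_count = struct.unpack_from("<H", data, 66)[0]  # offsets 66-67
    return {
        "rid": rid,
        "last_logon": filetime_to_datetime(ft) if ft else None,  # 0 = never logged on
        "logon_count": logon_count,
    }


def f_value_matches_subkey(subkey_name, data):
    """Consistency check: the RID inside F should equal the subkey name's RID."""
    return parse_f_value(data)["rid"] == rid_from_subkey_name(subkey_name)


# Constructed sample: an 80-byte F value for RID 1014 (subkey 000003F6),
# 12 logons, last on 2010-10-21 09:02:48 UTC.
_buf = bytearray(80)
struct.pack_into("<Q", _buf, 8,
                 datetime_to_filetime(datetime(2010, 10, 21, 9, 2, 48, tzinfo=timezone.utc)))
struct.pack_into("<I", _buf, 48, 1014)
struct.pack_into("<H", _buf, 66, 12)
SAMPLE_F = bytes(_buf)

if __name__ == "__main__":
    print(parse_f_value(SAMPLE_F), f_value_matches_subkey("000003F6", SAMPLE_F))
```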

SAM File – V Value Properties
V value:
• User name
• User full name
• Description

SAM File – Groups
• Administrative tool used to assign rights to a collection of users
• Custom groups are located at:
  – SAM\SAM\Domains\Account\Aliases
Useful in corporate investigations to see if a person had specific rights to accomplish a task, or to determine missing RIDs.
(Figure: member RIDs shown in hex and decimal: 1F4 = 500, 1F5 = 501, 3E8 = 1000, 3E9 = 1001, 3EA = 1002, 3EB = 1003, 3EC = 1004, 3ED = 1005)

SYSTEM File
• Computer name
• Mounted devices
• Time zone information
• Last accessed date / time

ComputerName Subkey
(Figure: ComputerName and ActiveComputerName values)
On a change of computer name, both values will change upon reboot.

SYSTEM File – MountedDevices
• Tracking HDDs in the image
The current partition on the physical F drive: the persistent value remains even if the F drive is overwritten.

SYSTEM File - MountedDevices
The drive ID listed in MountedDevices is stored in the MBR at offset 440.
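As an added example (not code from the AccessData slides), this Python matches a \DosDevices\X: value from SYSTEM\MountedDevices against the MBR sector of a disk image. For MBR disks that value is 12 bytes: the 4-byte disk signature (the same bytes found at MBR offset 440) followed by the partition's starting byte offset as a 64-bit little-endian integer; it also checks that the offset lands on a partition in the MBR's table. The MBR, disk signature and MountedDevices entries are all constructed.

```python
import struct

# Added example, not code from the AccessData slides. Links a MountedDevices
# \DosDevices\X: value (disk signature + partition byte offset, 12 bytes for
# MBR disks) to the disk whose MBR carries that signature at offset 440.

MBR_SIGNATURE_OFFSET = 440
MBR_PARTITION_TABLE_OFFSET = 446
MBR_SIZE = 512


def parse_mounted_device(value):
    """Return (disk_signature, partition_byte_offset), or None for non-MBR values."""
    if len(value) != 12:
        return None  # GPT volumes and USB devices use other, longer value formats
    return struct.unpack("<IQ", value)


def mbr_disk_signature(mbr):
    """Disk signature at offset 440; refuses sectors without the 0x55AA marker."""
    if len(mbr) < MBR_SIZE or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    return struct.unpack_from("<I", mbr, MBR_SIGNATURE_OFFSET)[0]


def mbr_partition_offsets(mbr, sector_size=512):
    """Byte offsets of the primary partition entries that are in use (type != 0)."""
    offsets = []
    for i in range(4):
        base = MBR_PARTITION_TABLE_OFFSET + 16 * i
        entry = mbr[base:base + 16]
        ptype = entry[4]
        lba_start = struct.unpack_from("<I", entry, 8)[0]
        if ptype != 0:
            offsets.append(lba_start * sector_size)
    return offsets


def match_drive_letters(mounted_devices, mbr):
    """Names whose MountedDevices entry points at a partition of this MBR."""
    sig = mbr_disk_signature(mbr)
    parts = set(mbr_partition_offsets(mbr))
    matches = []
    for name, value in mounted_devices.items():
        parsed = parse_mounted_device(value)
        if parsed and parsed[0] == sig and parsed[1] in parts:
            matches.append(name)
    return matches


# Constructed sample MBR: disk signature 0xA1B2C3D4 at offset 440, one NTFS
# partition starting at LBA 2048 (byte offset 1048576), 0x55AA at 510.
_mbr = bytearray(MBR_SIZE)
struct.pack_into("<I", _mbr, MBR_SIGNATURE_OFFSET, 0xA1B2C3D4)
struct.pack_into("<BBBBBBBBII", _mbr, MBR_PARTITION_TABLE_OFFSET,
                 0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 204800)
_mbr[510:512] = b"\x55\xaa"
SAMPLE_MBR = bytes(_mbr)

# Constructed MountedDevices values: F: belongs to the sample disk, E: to a
# different disk signature, G: is a USB device entry in a different format.
SAMPLE_MOUNTED = {
    r"\DosDevices\F:": struct.pack("<IQ", 0xA1B2C3D4, 2048 * 512),
    r"\DosDevices\E:": struct.pack("<IQ", 0x11223344, 2048 * 512),
    r"\DosDevices\G:": "_??_USBSTOR#Disk&Ven_Example".encode("utf-16-le"),
}

if __name__ == "__main__":
    print(hex(mbr_disk_signature(SAMPLE_MBR)), match_drive_letters(SAMPLE_MOUNTED, SAMPLE_MBR))
```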

SYSTEM File – Time Zone Info
0 = Automatic adjustment for Daylight Time is turned ON
1 = Automatic adjustment for Daylight Time is turned OFF

SYSTEM File – Last Access Date
(Figure: SYSTEM registry file)

Last Access Date/Time
1 = Updating disabled (default)
0 = Updating enabled (changed by user)

SOFTWARE File
• Registered owner
• Operating system type
• Operating system installation date/time

Last Logged On User
• Last logged on user
Microsoft\Windows\CurrentVersion\Authentication\LogonUI
(Figure: Computer Name, User Name)
Records the last written time as the system powers down

Wireless in Windows 7
\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\<guid>
• SSID – Service Set Identifier
• Category: 0 = Public, 1 = Home, 2 = Work
• Managed: 0 = Unmanaged, 1 = Managed

Date and Time Translation
D7 07 06 00 04 00 0E 00 10 00 1B 00 2A 00 AB 00
Fields, two bytes each in byte order: Year, Month, Day of Week, Day of Month, Hour, Minutes, Seconds
Decoded: 2007, June, Thursday, 14th, 16:27:42
NOTE: The time is displayed in local time to the machine. Day of week: 0 = Sunday, 1 = Monday, 2 = Tuesday, etc.
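As an added example (not code from the AccessData slides), this Python decodes the 16-byte DateCreated / DateLastConnected value shown above. The seven words the slide labels are the first seven fields of the Windows SYSTEMTIME structure; the eighth word (AB 00 here) is milliseconds. It also checks that the stored day of week agrees with the calendar date, which a corrupt or hand-edited value would fail.

```python
import struct
from datetime import date

# Added example, not code from the AccessData slides. Decodes the 16-byte
# DateCreated / DateLastConnected value under NetworkList\Profiles: eight
# little-endian 16-bit words in SYSTEMTIME order (year, month, day of week,
# day of month, hour, minute, second, millisecond). Local machine time, not UTC.

DAYS = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]
MONTHS = [None, "January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]


def decode_systemtime(value):
    """Return the decoded fields plus a day-of-week consistency flag."""
    if len(value) != 16:
        raise ValueError("SYSTEMTIME values are 16 bytes; got %d" % len(value))
    year, month, dow, day, hour, minute, second, ms = struct.unpack("<8H", value)
    if not (1 <= month <= 12 and dow <= 6 and hour <= 23 and minute <= 59 and second <= 59):
        raise ValueError("field out of range: %r" % ((year, month, dow, day, hour, minute, second),))
    # date() rejects impossible days; SYSTEMTIME counts Sunday=0, Python Monday=0.
    calendar_dow = (date(year, month, day).weekday() + 1) % 7
    return {
        "year": year, "month": month, "month_name": MONTHS[month], "day": day,
        "weekday": DAYS[dow], "hour": hour, "minute": minute, "second": second,
        "millisecond": ms, "dow_consistent": calendar_dow == dow,
        "text": "%s %d %s %04d %02d:%02d:%02d (local time)"
                % (DAYS[dow], day, MONTHS[month], year, hour, minute, second),
    }


def decode_hex_dump(dump):
    """Accept the space-separated hex bytes as shown in Registry Viewer."""
    return decode_systemtime(bytes.fromhex(dump.replace(" ", "")))


# The bytes shown on the slide.
SLIDE_VALUE = "D7 07 06 00 04 00 0E 00 10 00 1B 00 2A 00 AB 00"

if __name__ == "__main__":
    print(decode_hex_dump(SLIDE_VALUE)["text"])  # Thursday 14 June 2007 16:27:42 (local time)
```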

Managed versus Unmanaged
• ProfileName
• Managed: Remote server
• Unmanaged: Wireless router
• MAC address of the remote system’s gateway

MAC Address
Media Access Control (MAC) address

Date and Time Translation
The next series of slides will track this Verizon device through the wireless keys.
Before we start, let’s look at the dates and times of the Profiles subkey for comparative purposes.

Date and Time Translation
DateCreated: 10/21/2010 09:02:48
DateLastConnected: 01/19/2011 21:34:37
NOTE: This stored date and time is based on local machine time, not UTC.

Wireless Registration
The Wireless subkey name is an ID number for the wireless connection.
Because this key is written during the original connection only, it retains the date and time of first connection.

Unmanaged
The identifier can be traced from the Wireless subkey to the Unmanaged subkey.
Note the header before the identifier.

Unmanaged
• The Unmanaged subkey provides:
  – ProfileGuid
  – Description
  – FirstNetwork
  – DefaultGatewayMac
Again, because this subkey is generally written to only during creation, it stores the first connection date and time.

Profiles
The ProfileGuid in Unmanaged points to the device’s information in the Profiles subkey.
Since this key is subject to modification with each new connection, the last written time is indicative of the last connected time as well.

Wireless User
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\<guid>

Wireless User
At the bottom of the Wpad keys will be a series of MAC addresses. These can be matched up to the MAC addresses listed in the Unmanaged keyset.
During testing, times did not match exactly but were close for the first connect time.
Once backtracked to the Unmanaged key, the ProfileGUID will allow checking the other user connections through this device.

Recycle Bin
NTUSER.DAT file:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume
System file:
• MaxCapacity – MB
• NukeOnDelete
  – 0 = On
  – 1 = Off

SECURITY File
• Old password cache for domain storage
• Last logged on user password cache

Password Recovery
Policy\Secrets\DefaultPassword
(Figure: Current Password, Previous Password)

Module Review
• Registry files of forensic importance
  – NTUSER.DAT
  – SAM
  – SYSTEM
  – SOFTWARE
  – SECURITY