Windows Forensics

Windows Forensics is the method of gathering information about the target Windows system.

System Information

IP Address & MAC Address

Below are the location of the file which contains the information of IP address and MAC address.

# Look@LAN is a network monitoring tool. So if the system uses the tool, we can retrieve the information of the network.
# LANIP -> IP address
# LANNIC -> MAC address
c:\Program Files (x86)\Look@LAN\irunin.ini

Network Cards

The name of the network card is such like “Intel(R) PRO/1000 MT Desktop Adapter”.

c:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_1_2_3_45_67.etl

PowerShell History

Sometimes PowerShell command history contains the sensitive information about the system.

c:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Malware History

Suspicious activities are likely detected by Windows Defender.

c:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\

Event Logs

Event Viewer

Below is the list of item worth noting.

Applications and Services Logs/Microsoft/Windows/Sysmon/Operational
Applications and Services Logs/Microsoft/Windows/PrintService/Admin

In each item, we can find the desired list by specifying the keyword in the “Find” action in the right pane.

PowerShell

Also we can see event logs from a logfile in PowerShell.

Get-WinEvent -Path  .\Example.evtx -FilterXPath '*/System/*' | Sort-Object TimeCreated

Processes

Process Monitor

To get the parent PID of the specific process, click “Filter” icon and enter the process name (e.g. “spoolsv.exe”) then select “Include”, and click Apply. Right-click on the highlighted item and go to “Process” tab. We can see the parent PID.

Registry Hives

A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files loaded into memory when the operating system is started or a user logs in.

Registry Editor

We can find registry keys in the Registry Editor.

Click on the Windows icon and select Run.
Enter “regedit” in the input form. Registry Editor opens.

File Locations

Registry Hives are located in C:\Windows\System32\config.

DEFAULT (HKEY_USERS\DEFAULT in regedit)
SAM (HKEY_LOCAL_MACHINE\SAM in regedit)
SECURITY (HKEY_LOCAL_MACHINE\Security in regedit)
SOFTWARE (HKEY_LOCAL_MACHINE\Software in regedit)
SYSTEM (HKEY_LOCAL_MACHINE\System in regedit)

The other hives are located in user home directory (C:\Users\<username>)

NTUSER.DAT (HKEY_CURRENT_USER in regedit)
It contains the information of the user account settings. It is located in C:\Users\<username> .
USRCLASS.DAT (HKEY_CURRENT_USER\Software\CLASSES)
It stores the ShellBag information for the Desktop, ZIP files, remote folders, local folders, etc. It is located in C:\Users\<username>\AppData\Local\Microsoft\Windows .

Amcache Hive is located in C:\Windows\AppCompat\Programs\Amcache.hve . It stores the information on programs that were recently run on the system.

Acquire Registry Data

Gather Information From Registry Hives

We can retrieve information using Registry Viewer or Registry Explorer.

OS Version

SOFTWARE\Microsoft\Windows NT\CurrentVersion)

Current Control Set

SYSTEM\ControlSet001
SYSTEM\ControlSet002

Computer Name

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

Time Zone

SYSTEM\CurrentControlSet\Control\TimeZoneInformation

Network

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

SAM Hive & User Information

SAM\Domains\Account\Users

Recent Files

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explore\RecentDocs

Microsoft Office Recent Files

NTUSER.DAT\Software\Microsoft\Office\VERSION

ShellBags

USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bag
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags

ShimCache

SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

AmCache

Amcache.hve\Root\File\<Volume GUID>\

BAM/DAM

SYSTEM\CurrentControlSet\Services\bam\UserSettings\<SID>
SYSTEM\CurrentControlSet\Services\dam\UserSetitngs\<SID>

UserAssist

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\<GUID>\Count

Devices

SYSTEM\CurrentControlSet\Enum\USBSTOR
SYSTEM\CurrentControlSet\Enum\USB
SOFTWARE\Microsoft\Windows Portable Devices\Devices

References

TryHackMe

PreviousWeb Basic Pentesting NextOneDrive Logs

Last updated 24 days ago

hashtagSystem Information

hashtagIP Address & MAC Address

hashtagNetwork Cards

hashtagPowerShell History

hashtagMalware History

hashtagEvent Logs

hashtagEvent Viewer

hashtagPowerShell

hashtagProcesses

hashtagProcess Monitor

hashtagRegistry Hives

hashtagRegistry Editor

hashtagFile Locations

hashtagAcquire Registry Data

hashtagGather Information From Registry Hives

hashtagOS Version

hashtagCurrent Control Set

hashtagComputer Name

hashtagTime Zone

hashtagNetwork

hashtagSAM Hive & User Information

hashtagRecent Files

hashtagMicrosoft Office Recent Files

hashtagShellBags

hashtagShimCache

hashtagAmCache

hashtagBAM/DAM

hashtagUserAssist

hashtagDevices

hashtagReferences