# Windows Forensics Windows Forensics is the method of gathering information about the target Windows system. ### System Information #### IP Address & MAC Address Below are the location of the file which contains the information of IP address and MAC address. ```shellscript # Look@LAN is a network monitoring tool. So if the system uses the tool, we can retrieve the information of the network. # LANIP -> IP address # LANNIC -> MAC address c:\Program Files (x86)\Look@LAN\irunin.ini ``` #### Network Cards The name of the network card is such like “Intel(R) PRO/1000 MT Desktop Adapter”. ```shellscript c:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_1_2_3_45_67.etl ``` #### PowerShell History Sometimes PowerShell command history contains the sensitive information about the system. ```shellscript c:\Users\\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt ``` #### Malware History Suspicious activities are likely detected by Windows Defender. ```shellscript c:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\ ``` ### Event Logs #### Event Viewer Below is the list of item worth noting. * **`Applications and Services Logs/Microsoft/Windows/Sysmon/Operational`** * **`Applications and Services Logs/Microsoft/Windows/PrintService/Admin`** In each item, we can find the desired list by specifying the keyword in the “Find” action in the right pane. #### PowerShell Also we can see event logs from a logfile in PowerShell. ``` Get-WinEvent -Path .\Example.evtx -FilterXPath '*/System/*' | Sort-Object TimeCreated ``` ### Processes #### Process Monitor * To get the parent PID of the specific process, click **“Filter”** icon and enter the process name (e.g. “spoolsv.exe”) then select **“Include”**, and click Apply. Right-click on the highlighted item and go to **“Process”** tab. We can see the parent PID. ### Registry Hives A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files loaded into memory when the operating system is started or a user logs in. #### Registry Editor We can find registry keys in the Registry Editor. 1. Click on the Windows icon and select Run. 2. Enter “regedit” in the input form. Registry Editor opens. #### File Locations **Registry Hives** are located in C:\Windows\System32\config. * **DEFAULT (HKEY\_USERS\DEFAULT in regedit)** * **SAM (HKEY\_LOCAL\_MACHINE\SAM in regedit)** * **SECURITY (HKEY\_LOCAL\_MACHINE\Security in regedit)** * **SOFTWARE (HKEY\_LOCAL\_MACHINE\Software in regedit)** * **SYSTEM (HKEY\_LOCAL\_MACHINE\System in regedit)** The other hives are located in user home directory (C:\Users\\\) * **NTUSER.DAT (HKEY\_CURRENT\_USER in regedit)** It contains the information of the user account settings.\ It is located in **C:\Users\\\** . * **USRCLASS.DAT (HKEY\_CURRENT\_USER\Software\CLASSES)** It stores the ShellBag information for the Desktop, ZIP files, remote folders, local folders, etc.\ It is located in **C:\Users\\\\AppData\Local\Microsoft\Windows** . **Amcache Hive** is located in **C:\Windows\AppCompat\Programs\Amcache.hve** .\ It stores the information on programs that were recently run on the system. ### Acquire Registry Data * **KAPE** * [**Autopsy**](https://www.autopsy.com/) * [**FTK Imager**](https://www.exterro.com/ftk-imager)
### Gather Information From Registry Hives We can retrieve information using [Registry Viewer](https://accessdata.com/product-download/registry-viewer-2-0-0) or [Registry Explorer](https://ericzimmerman.github.io/#!index.md). #### OS Version * SOFTWARE\Microsoft\Windows NT\CurrentVersion) #### Current Control Set * SYSTEM\ControlSet001 * SYSTEM\ControlSet002 #### Computer Name * SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName #### Time Zone * SYSTEM\CurrentControlSet\Control\TimeZoneInformation #### Network * SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces #### SAM Hive & User Information * SAM\Domains\Account\Users #### Recent Files * NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explore\RecentDocs #### Microsoft Office Recent Files * NTUSER.DAT\Software\Microsoft\Office\VERSION #### ShellBags * USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bag * USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU * NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU * NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags #### ShimCache * SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache #### AmCache * Amcache.hve\Root\File\\\\\ #### BAM/DAM * SYSTEM\CurrentControlSet\Services\bam\UserSettings\\\ * SYSTEM\CurrentControlSet\Services\dam\UserSetitngs\\\ #### UserAssist * NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\\\\Count #### Devices * SYSTEM\CurrentControlSet\Enum\USBSTOR * SYSTEM\CurrentControlSet\Enum\USB * SOFTWARE\Microsoft\Windows Portable Devices\Devices ### References * [TryHackMe](https://tryhackme.com/room/windowsforensics1)