Forensics
De WikiMar
Introduction to Windows Forensics:
https://www.youtube.com/watch?v=VYROU-ZwZX8
SANS DFIR Cheat Sheet
Author: 13Cubed
Original from: https://www.13cubed.com/downloads/dfir_cheat_sheet.pdf
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
• \ComDlg32
o \LastVistedPidlMRU
o \OpenSavePidlMRU
• \RecentDocs
• \RunMRU
• \TypedPaths
• \UserAssist
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\SOFTWARE\Microsoft\Windows\Shell < Shellbags
• \BagMRU
• \Bags
HKCU\SOFTWARE\Classes
• Insert %USERPROFILE%\AppData\Local\Microsoft\Windows\UsrClass.dat
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR < Class ID / Serial #
HKLM\SYSTEM\CurrentControlSet\Enum\USB < VID / PID
HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices
• Find Serial # and then look for FriendlyName to obtain the Volume Name of the USB device
HKLM\SYSTEM\MountedDevices
• Find Serial # to obtain the Drive Letter of the USB device
• Find Serial # to obtain the Volume GUID of the USB device
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
• Key will ONLY be present if system drive is NOT SSD
• Traditionally used for ReadyBoost
• Find Serial # to obtain the Volume Serial Number of the USB device
o The Volume Serial Number will be in decimal – convert to hex
o You can find complete history of Volume Serial Numbers here, even if the device has been
formatted multiple times. The USB device’s Serial # will appear multiple times, each with a
different Volume Serial Number generated on each format.
Using the Volume GUID found in SYSTEM\MountedDevices, you can find the user that actually mounted
the USB device:
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Mountpoints2
USB Times:
• First time device is connected
• Last time device is connected
• Removal time
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USB iSerial
#\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\####
• 0064 = First Install (Win7 / 8)
o Also found in setupapi.log / setupapi.dev.log
• 0066 = Last Connected (Win8+ only)
o Also \Enum\USB\VID_XXXX&PID_YYYY last write time of USB Serial # key
o Also \MountPoints2\{GUID} last write time of key
• 0067 = Last Removal (Win8+ only)
USB First Time Device Connected Logs:
XP: C:\Windows\setupapi.log
Vista+: C:\Windows\inf\setupapi.dev.log
Search for the device’s Serial # within these logs and you can discover the first time a device was plugged in
to a computer.
USBDeviceForensics is an application by WoanWare that can help automate all of these things.
Miscellaneous Info:
HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Shares
• Display all open shares on a system
HKLM\SYSTEM\CurrentControlSet\Control\FileSystem
• Look for NtfsDisableLastAccessUpdate, which is set to 0x1 by default, which means that access
time stamps are turned OFF by default
HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces
• Display interfaces and their associated IP address configuration (record the interface GUID!)
Network Location Awareness (NLA) was included in Vista+, and aggregates the network information for a
PC and generates a GUID to identify each network (a “network profile”, if you will). The Windows Firewall
uses that information to apply firewall rules to the appropriate profile. You can find evidence of every
network a machine has connected to using NLA registry keys.
Check the last write time of a key to determine the last time a PC connected to a particular network.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList
• \Signatures
o \Unmanaged (record DefaultGatewayMac, DnsSuffix, FirstNetwork (SSID), ProfileGuid)
o \Managed
• \Nla
o \Cache
• Profiles
Most info regarding NLA will be stored under the NetworkList key above, and also:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup
Network Type, and First / Last Connected Times (find using the ProfileGuid key harvested from
Signatures\Unmanaged):
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID}
HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{GUID} à (XP only, use last write time of
the key to determine the last time the network was connected)
0x06 = Wired
0x17 = Broadband
0x47 = Wireless
You will also find DateCreated and DateLastConnected under this key. It’s 128-bit Windows System Time,
and is stored in UTC.
LNK File Analysis:
C:\username\AppData\Roaming\Microsoft\Windows\Recent
*Use TZWorks lp.exe utility!
Jump Lists (like LNK files on steroids):
C:\username\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
C:\username\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
*Use TZWorks jmp.exe utility!
…remember, LNK files are actually embedded in the database structure in AutomaticDestinations
Prefetcher and SuperFetch:
• Prefetcher and SuperFetch are part of Windows' memory manager
• Prefetcher is the less capable version included in Windows XP
• Prefetcher was extended by SuperFetch and ReadyBoost in Windows Vista+
• ReadyBoot replaces Prefetcher for the boot process if > 700MB RAM
• Tries to make sure often-accessed data can be read from the fast RAM instead of slow HDD
• Can speed up boot and shorten amount of time to start programs
C:\Windows\Prefetch
filename-hash(xxxxxxxx).pf
Example: CALC.EXE-AC08706A.pf
The hash is a hash of the file’s path. In this example, CALC.EXE is located in C:\Windows\System32. If it
were copied to another location (like the Desktop) and executed, a new .pf file would be created reflecting a
hash of the new path.
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory
Management\PrefetchParameters
EnablePrefetcher Key:
0 = Disabled
1 = Application prefetching enabled
2 = Boot prefetching enabled (default on Windows 2003 only)
3 = Application and Boot prefetching enabled (default)
• Task Scheduler calls Windows Disk Defragmenter every three (3) days
• When idle, lists of files and directories referenced during boot process and application startups is
processed
• The processed result is stored in Layout.ini in the Prefetch directory, and is subsequently passed to
the Disk Defragmenter, instructing it to re-order those files into sequential positions on the physical
hard drive
