
Expediting Registry Analysis

Premium room

This room explores different tools used to expedite analysis of registry data during investigation.

medium

120 min


In Windows Forensics 1, we learned where the registry hives are located and which artefacts each hive holds. In this room, we build on that knowledge and look at acquiring and analysing registry data the way it is done during an incident. We will therefore not revisit the individual artefacts, the information they contain, or where to find them; instead, we will focus on applying that knowledge to perform incident analysis.

Learning Objectives

In this room, we will learn:

  • How to acquire a live and cold system registry hive.
  • The tools that can be used to analyse and parse the data in the registry hives.
  • The kind of questions that can be answered by analysing a system's registry.

Prerequisites

Before continuing, it is highly recommended that you complete the Level 1 and Level 2 paths, especially the following rooms:


Before moving forward, start the lab by clicking the Start Machine button. It will take 3-5 minutes to load properly. The VM will be accessible on the right side of the split screen. If the VM is not visible, use the blue Show Split View button at the top of the page. Additionally, we will provide you with credentials that you may use if you prefer to connect from your own connected machine.

THM Key Credentials
Username: administrator
Password: thm_4n6
IP: MACHINE_IP

Scenario

Anna, the lead at Deer Inc., is investigating suspicious activity on one of the systems. She was tipped off by new user-creation activity on the machine. To analyse further, she decided to pull the registry data from the system to answer some questions and identify the scope of the incident. Let's help Anna establish the following by analysing the attached registry data:

  • Information that can be used to identify the system.
  • User accounts on the system, as well as any suspicious user account.
  • Any password resets or wrong password inputs.
  • Networks that the system connected to in the past.

Answer the questions below
I have completed the prerequisites for the room.
