System, Users and Network Information

Key Registry Artifacts for Forensic Analysis

The Windows Registry contains critical artifacts that can provide invaluable insights during forensic investigations. Below is a detailed breakdown of essential registry hives, key paths, and their forensic applications.


1. User Information

Registry Hive: SAM

Key Path:

SAM\Domains\Account\Users

Details:

  • Active Users: Lists all currently active user accounts on the system.

  • Deleted Accounts: Tracks previously deleted accounts, which could indicate attacker activity.

  • Names Subkey: Links usernames with their corresponding SIDs.

Use Case:

  • Identify Unauthorized Users: Detect accounts created by attackers to maintain persistence.

  • Track Deleted Accounts: Investigate potential insider threats or compromised accounts that were deleted to cover tracks.


2. System Information

Registry Hives: SYSTEM and SOFTWARE

Key Paths:

Control Sets:

  • SYSTEM\ControlSet001 (Current configuration)

  • SYSTEM\ControlSet002 (Last known good configuration)

  • SYSTEM\CurrentControlSet (Live configuration visible in Regedit)

Operating System Details:

  • SOFTWARE\Microsoft\Windows NT\CurrentVersion

Details:

  • Control Sets: Compare configurations across different control sets to troubleshoot system failures or analyze configuration changes.

  • OS Information: Provides details such as OS version, build number, and system architecture.

Use Case:

  • Troubleshooting Failures: Compare configurations to understand what might have caused system failures or misconfigurations.

  • Vulnerability Assessment: Determine the OS version and architecture to identify potential vulnerabilities or targeted exploits.


3. Network Information

Registry Hives: SYSTEM and SOFTWARE

Key Paths:

Network Connections:

  • SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList

    • Tracks connected networks:

      • SSID

      • Connection Type

      • First/Last Connection Timestamps

      • Router MAC Address

Open Network Shares:

  • SYSTEM\CurrentControlSet\Services\LanmanServer\Shares

    • Lists all shared folders accessible over the network.

TCP/IP Configuration and Interfaces:

  • SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

  • SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

Details:

  • Network History: Provides insights into Wi-Fi networks the system has connected to.

  • Shared Folders: Identifies shared folders that might have been used for lateral movement or data exfiltration.

  • Network Configuration: Holds the IP addresses, DNS settings, and per-interface configuration of the active network interfaces.

Use Case:

  • Unauthorized Connections: Track connections to suspicious or unauthorized networks.

  • Lateral Movement Analysis: Investigate shared resources that might have been exploited by attackers.

  • Network Misconfigurations: Review current network settings to identify vulnerabilities or improperly secured interfaces.
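As an added example (not part of the lesson), the Python below decodes the raw value formats an examiner meets at the paths in sections 2 and 3 when working from an exported hive rather than live Regedit: the 16-byte SYSTEMTIME timestamps and the router MAC stored under NetworkList, and the SYSTEM\Select\Current value that identifies which ControlSetNNN an offline hive's CurrentControlSet would point to. The value names are the documented ones; the sample bytes and profile name are constructed.

```python
import struct
from datetime import datetime

# NameType values recorded for NetworkList\Profiles\{GUID} keys.
NAME_TYPES = {0x06: "wired", 0x17: "vpn/broadband", 0x47: "wireless"}

def decode_systemtime(blob: bytes) -> datetime:
    # DateCreated / DateLastConnected are a 16-byte SYSTEMTIME: eight little-endian
    # uint16 fields (year, month, day-of-week, day, hour, minute, second, millisecond).
    # No timezone is stored; pair the result with the host's TimeZoneInformation key.
    if len(blob) != 16:
        raise ValueError(f"SYSTEMTIME must be 16 bytes, got {len(blob)}")
    year, month, dow, day, hour, minute, sec, ms = struct.unpack("<8H", blob)
    ts = datetime(year, month, day, hour, minute, sec, ms * 1000)
    # SYSTEMTIME counts Sunday as 0; a mismatch means the blob is misaligned.
    if dow != ts.isoweekday() % 7:
        raise ValueError("day-of-week field disagrees with the date")
    return ts

def decode_gateway_mac(blob: bytes) -> str:
    # DefaultGatewayMac under NetworkList\Signatures\Unmanaged is the router's 6-byte MAC.
    if len(blob) != 6:
        raise ValueError(f"MAC must be 6 bytes, got {len(blob)}")
    return ":".join(f"{b:02x}" for b in blob)

def control_set_name(select_current: int) -> str:
    # An offline SYSTEM hive has no CurrentControlSet link; the REG_DWORD
    # SYSTEM\Select\Current names the control set the live system booted from.
    return f"ControlSet{select_current:03d}"

def describe_profile(values: dict) -> dict:
    # Summarise one profile key's values (as a hive parser returns them)
    # into the fields an examiner reports.
    name_type = values["NameType"]
    return {
        "name": values["ProfileName"],
        "type": NAME_TYPES.get(name_type, f"unknown(0x{name_type:x})"),
        "first_connected": decode_systemtime(values["DateCreated"]),
        "last_connected": decode_systemtime(values["DateLastConnected"]),
    }

# Constructed sample values (not from a real system), in the on-disk formats above.
SAMPLE_PROFILE = {
    "ProfileName": "CoffeeShop-Guest",
    "NameType": 0x47,
    "DateCreated": b"\xe8\x07\x03\x00\x05\x00\x0f\x00\x0e\x00\x07\x00\x09\x00\xfa\x00",
    "DateLastConnected": b"\xe8\x07\x03\x00\x05\x00\x0f\x00\x10\x00\x1e\x00\x00\x00\x00\x00",
}
SAMPLE_GATEWAY_MAC = b"\x00\x11\x22\x33\x44\x55"
```

Feed the same functions the values returned by RegRipper or a hive-parsing library to turn a NetworkList profile into a timeline entry.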


Practical Forensic Applications

These registry artifacts can help investigators:

  • Trace Unauthorized Users: Pinpoint unauthorized accounts or deleted profiles indicative of malicious activity.

  • Analyze Network Connectivity: Investigate whether the system connected to known malicious networks or rogue access points.

  • Investigate Lateral Movement: Examine shared folders and network activity logs for evidence of data exfiltration or attacker movement.

  • Identify Misconfigurations: Spot vulnerabilities in system or network settings that could have been exploited.


Next Steps

In the next lessons, we'll explore using tools like Registry Explorer and RegRipper to automate the analysis of these key registry artifacts, streamlining the forensic investigation process.
