CTFs/TryHackMe

Windows Forensics 1 | TryHackMe

Akash Kumar 2022. 1. 16. 19:48

Windows Forensics 1

Introduction to Computer Forensics for Windows:

Computer forensics is an essential field of cyber security that involves gathering evidence of activities performed on computers. It is a part of the wider Digital Forensics field, which deals with forensic analysis of all types of digital devices, including recovering, examining, and analyzing data found in digital devices. The applications of digital and computer forensics are wide-ranging, from the legal sphere, where it is used to support or refute a hypothesis in a civil or criminal case, to the private sphere, where it helps in internal corporate investigations and incident and intrusion analysis.

Forensic Artifacts:

When performing forensic analysis, you will often hear the word 'artifact'. Forensic artifacts are essential pieces of information that provide evidence of human activity. For example, during the investigation of a crime scene, fingerprints, a broken button from a shirt or coat, and the tools used to perform the crime are all considered forensic artifacts. All of these artifacts are combined to recreate the story of how the crime was committed.

In computer forensics, forensic artifacts are the small footprints of activity left on the computer system. On a Windows system, a person's actions can be traced back quite accurately because of the various artifacts a Windows system creates for a given activity. These artifacts often reside in locations 'normal' users won't typically venture to (registry hives, prefetch files, link files, event logs and so on). For our purposes, these artifacts can be analyzed to provide the trail of activity for an investigation.

Task 1  Introduction to Windows Forensics

Q) What is the most used Desktop Operating System right now?

A)  Microsoft Windows 

 

Q) What is the term used to define a piece of evidence of human activity?

A)  Artifact 

 


Task 2  Windows Registry and Forensics

Q) What is the short form for HKEY_LOCAL_MACHINE?

A)  HKLM 

 

Q) What is the path for the five main registry hives, DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM?

A)  C:\Windows\System32\Config 

 

Q) What is the path for the AmCache hive?

A)  C:\Windows\AppCompat\Programs\Amcache.hve 

 


Task 3  Exploring Windows Registry

No answer needed


Task 4  System Information and System Accounts

Q) What is the Current Build Number of the machine whose data is being investigated?

A)  19044 

Sol.) SOFTWARE hive, ROOT\Microsoft\Windows NT\CurrentVersion: the CurrentBuild value.

 

Q) Which ControlSet contains the last known good configuration?

A)  1 

Sol.) SYSTEM hive, ROOT\Select: the LastKnownGood value holds the number of the ControlSet (1 means ControlSet001).

 

Q) What is the Computer Name of the computer?

A)  THM-4n6 

Sol.) SYSTEM hive, ROOT\ControlSet001\Control\ComputerName\ComputerName: the ComputerName value.

 

Q) What is the value of the TimeZoneKeyName?

A)  Pakistan Standard Time 

Sol.) SYSTEM hive, ROOT\ControlSet001\Control\TimeZoneInformation: the TimeZoneKeyName value. Note it down before reading any timestamps; registry times are stored in UTC and have to be converted to the machine's time zone.

Q) What is the RID of the Guest User account?

A)  501  

Sol.) SAM hive, ROOT\SAM\Domains\Account\Users: each user subkey is named by its RID in hex (000001F5 = 501, the built-in Guest account).


Task 5  Usage or knowledge of files/folders

Q) When was EZtools opened?

A)  2021-12-01 13:00:34 

Sol.) From the ShellBags entries (NTUSER.DAT and UsrClass.dat), which record when each folder was browsed in Explorer; the EZtools folder entry carries this time.

Q) At what time was My Computer last interacted with?

A)  2021-12-01 13:06:47 

Sol.) Also from ShellBags: the entry for My Computer shows this as its last interaction time.

 

Q) What is the Absolute Path of the file opened using notepad.exe?

A)  C:\Program Files\Amazon\Ec2ConfigService\Settings 

Sol.) From ComDlg32\LastVisitedPidlMRU in NTUSER.DAT, which records the last directory each executable used in an Open/Save dialog; the notepad.exe entry points to this folder.


Task 6  Evidence of Execution

Q) How many times was the File Explorer launched?

A)  26 

Sol.) From UserAssist in NTUSER.DAT (the {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count key), which keeps a run count and last-run time for each program launched through Explorer; the explorer.exe entry has a run count of 26.

 

Q) What is another name for ShimCache?

A)  AppCompatCache 

Sol.) ShimCache is stored under SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache, hence the second name.

 

Q) Which of the artifacts also saves SHA1 hashes of the executed programs?

A)  AmCache 

Sol.) AmCache (C:\Windows\AppCompat\Programs\Amcache.hve) records the SHA1 of each executed file, which lets you match against known-good or known-bad hash sets.

Q) Which of the artifacts saves the full path of the executed programs?

A)  BAM/DAM 

Sol.) BAM/DAM entries live under Services\bam in the SYSTEM hive, keyed by user SID; each value is the full path of the program and its data is the last execution time.


Task 7  External Devices/USB device forensics

Q) What is the serial number of the device from the manufacturer 'Kingston'?

A)  1C6F654E59A3B0C179D366AE&0 

Sol.) SYSTEM hive, ROOT\ControlSet001\Enum\USBSTOR: the subkey under the Kingston device key (Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP) is the device serial number; the &0 suffix is the instance index added by Windows.

Q) What is the name of this device?

A)  Kingston DataTraveler 2.0 USB Device 

Sol.) The FriendlyName value inside that serial-number key.

Q) What is the friendly name of the device from the manufacturer 'Kingston'?

A)  USB 

Sol.) SOFTWARE hive, ROOT\Microsoft\Windows Portable Devices\Devices: the subkey containing the same serial number has a FriendlyName value, which is the volume label the user sees.


Task 8  Hands-on Challenge

Let's Rock :-)

 

Q) How many user created accounts are present on the system? 

A)  3 

Sol.) Fire up the machine; the desktop has a few folders.

In the "EZtools" folder you'll find Registry Explorer, open it.

Now, go to File > Load hive and load the SAM file (C:\Users\THM-4n6\Desktop\triage\C\Windows\System32\config\SAM), then go to "ROOT\SAM\Domains\Account\Users\Names".

Names that map to RIDs below 1000 (Administrator 500, Guest 501, DefaultAccount 503, WDAGUtilityAccount 504) are built-in accounts; the three with RIDs of 1000 and above (THM-4n6, thm-user and thm-user2) were created by a user.

 

 

Q) What is the username of the account that has never been logged in?

A)  thm-user2 

Sol.) There are three created users, but the Users folder of the triage image (C:\Users\THM-4n6\Desktop\triage\C\Users) contains only two profile folders, THM-4n6 and thm-user. A profile folder is created on the first interactive logon, so thm-user2 has never logged in.

OR

In the SAM hive, go to "ROOT\SAM\Domains\Account\Users" and you can see that the user "thm-user2" has no Last Login Time.
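Both questions above (which accounts were created after install, and which one never logged on) can be answered from the binary F value of each key under SAM\Domains\Account\Users without a GUI. The Python below is an added example written for this write-up, not part of the TryHackMe room or of Registry Explorer. The account names mirror the triage image, but the F values and timestamps are constructed sample data; reading real values out of a hive would additionally need a hive parser (for example python-registry), which is not shown here.

```python
import struct
from datetime import datetime, timedelta, timezone

# Local accounts every Windows install has; anything with RID >= 1000 was created later.
BUILTIN_RIDS = {500: "Administrator", 501: "Guest", 503: "DefaultAccount", 504: "WDAGUtilityAccount"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; zero means 'never'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt):
    """Inverse of filetime_to_utc, used only to construct the sample data below."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def parse_f_value(blob):
    """Extract the triage fields from a SAM user key's binary 'F' value.
    Offsets follow the documented F layout: 0x08 last logon, 0x18 password last set,
    0x30 RID, 0x38 account control flags (bit 0 = disabled), 0x42 logon count."""
    last_logon, = struct.unpack_from("<Q", blob, 0x08)
    pwd_set, = struct.unpack_from("<Q", blob, 0x18)
    rid, = struct.unpack_from("<I", blob, 0x30)
    flags, = struct.unpack_from("<H", blob, 0x38)
    logon_count, = struct.unpack_from("<H", blob, 0x42)
    return {
        "rid": rid,
        "builtin": BUILTIN_RIDS.get(rid),
        "last_logon": filetime_to_utc(last_logon),
        "pwd_last_set": filetime_to_utc(pwd_set),
        "disabled": bool(flags & 0x0001),
        "logon_count": logon_count,
    }


def make_f_value(rid, last_logon=None, logon_count=0, flags=0x0010):
    """Build a constructed 0x50-byte F value (sample data, not taken from a real hive)."""
    blob = bytearray(0x50)
    struct.pack_into("<Q", blob, 0x08, utc_to_filetime(last_logon) if last_logon else 0)
    struct.pack_into("<I", blob, 0x30, rid)
    struct.pack_into("<H", blob, 0x38, flags)
    struct.pack_into("<H", blob, 0x42, logon_count)
    return bytes(blob)


def triage_accounts(users):
    """users maps an account name (from ...\\Users\\Names) to its F value.
    Returns (user-created names, created names that never logged on), both sorted."""
    parsed = {name: parse_f_value(f) for name, f in users.items()}
    created = sorted(n for n, p in parsed.items() if p["rid"] >= 1000)
    never = sorted(n for n, p in parsed.items() if p["rid"] >= 1000 and p["last_logon"] is None)
    return created, never


# Constructed sample: names as in the triage image, every timestamp and count made up.
SAMPLE_USERS = {
    "Administrator": make_f_value(500, flags=0x0011),  # 0x0001 disabled, as on a default install
    "Guest": make_f_value(501, flags=0x0011),
    "DefaultAccount": make_f_value(503, flags=0x0011),
    "WDAGUtilityAccount": make_f_value(504, flags=0x0011),
    "THM-4n6": make_f_value(1001, datetime(2021, 11, 30, 9, 15, 0, tzinfo=timezone.utc), 12),
    "thm-user": make_f_value(1002, datetime(2021, 11, 22, 7, 40, 3, tzinfo=timezone.utc), 1),
    "thm-user2": make_f_value(1003),  # last logon FILETIME of 0: never logged on
}

if __name__ == "__main__":
    created, never = triage_accounts(SAMPLE_USERS)
    print("user-created accounts:", created)
    print("never logged on:", never)
```

The profile-folder check on the page and the F value agree on a clean image, but the F value is the authoritative one: a profile folder can be deleted or copied in, while the last-logon field is only written by the logon process.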

 

Q) What's the password hint for the user THM-4n6?

A)  count 

Sol.) In the same Users key of the SAM hive, Registry Explorer shows the Password Hint for "THM-4n6".

Q) When was the file 'Changelog.txt' accessed?

A)  2021-11-21 18:18:48 

Sol.) Now, go to File and unload all hives.

Then load the NTUSER.DAT file (C:\Users\THM-4n6\Desktop\triage\C\Users\THM-4n6\NTUSER.DAT) and go to "ROOT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs".

Here, under the .txt subkey, you can see the last opened time of Changelog.txt.

Q) What is the complete path from where the python 3.8.2 installer was run? 

A)  Z:\setups\python-3.8.2.exe 

Sol.) Now, in the same hive go to "ROOT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count". The value names here are ROT13-encoded, but Registry Explorer decodes them, so the full path of the installer is readable directly.
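UserAssist value names are ROT13-encoded and the Count data is a fixed binary record, which is how Registry Explorer produces the decoded path here and the run count used in Task 6. The following Python is an added example (not from the room or its tools) that decodes constructed entries in the Windows 7+ 72-byte layout. The encoded names are built to match what the hive would store, the counts, focus values and timestamps are made up, and only three known-folder GUIDs are mapped.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# UserAssist lives in NTUSER.DAT under
#   Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\<GUID>\Count
# {CEBFF5CD-...} holds executables, {F4E57C4B-...} holds shortcuts (.lnk).
# Value names are ROT13-encoded and paths start with known-folder GUIDs (subset below).
KNOWN_FOLDERS = {
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": r"C:\Windows",
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"C:\Windows\System32",
    "{905E63B6-C1BF-494E-B29C-65B732D3D21A}": r"C:\Program Files",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft):
    """100 ns ticks since 1601-01-01 UTC; zero means the field was never set."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt):
    """Only used to construct the sample data below."""
    d = dt - FILETIME_EPOCH
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def decode_userassist(value_name, data):
    """Decode one Count entry in the Windows 7+ (72-byte) layout:
    offset 4 run count, 8 focus count, 12 focus time in ms, 60 last-run FILETIME.
    (XP-era 16-byte entries use a different layout and a run count offset by 5.)"""
    if len(data) < 68:
        raise ValueError("not a Win7+ UserAssist entry (%d bytes)" % len(data))
    name = codecs.decode(value_name, "rot_13")
    # The GUID is rotated too, so compare after decoding; match case-insensitively.
    for guid, folder in KNOWN_FOLDERS.items():
        if name.upper().startswith(guid):
            name = folder + name[len(guid):]
            break
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    last_run, = struct.unpack_from("<Q", data, 60)
    return {
        "name": name,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_s": focus_ms / 1000,
        "last_run": filetime_to_utc(last_run),
    }


def make_count(run_count, last_run, focus_count=0, focus_ms=0):
    """Build a constructed 72-byte Count value (sample data, not from a real hive)."""
    blob = bytearray(72)
    struct.pack_into("<III", blob, 4, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", blob, 60, utc_to_filetime(last_run))
    return bytes(blob)


def execution_timeline(count_values):
    """Decode every entry and order by last run, oldest first."""
    entries = [decode_userassist(n, d) for n, d in count_values.items()]
    return sorted(entries, key=lambda e: e["last_run"] or FILETIME_EPOCH)


# Constructed sample: the encoded names are what the hive actually stores for
# C:\Windows\explorer.exe and Z:\setups\python-3.8.2.exe; numbers are made up.
SAMPLE_COUNT = {
    r"{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\rkcybere.rkr":
        make_count(26, datetime(2021, 12, 1, 13, 1, 12, tzinfo=timezone.utc), 30, 754000),
    r"M:\frghcf\clguba-3.8.2.rkr":
        make_count(1, datetime(2021, 11, 24, 20, 10, 0, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    for e in execution_timeline(SAMPLE_COUNT):
        print(e["last_run"], e["run_count"], e["name"])
```

UserAssist only records programs started through Explorer (double-click, Start menu, Run), so a binary launched from a command prompt or by a service leaves no entry here; cross-check with ShimCache, AmCache and BAM before concluding something never ran.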

Q) When was the USB device with the friendly name 'USB' last connected?

A)  The timestamp decoded from the device's 0066 property (see below) 

Sol.) Now, unload all hives and load the SYSTEM hive (C:\Users\THM-4n6\Desktop\triage\C\Windows\System32\config\SYSTEM) and go to "ROOT\ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP\1C6F654E59A3B0C179D366AE&0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066".

Select the 0066 value and drag the splitter (the row of dots at the bottom of the values pane) upward.

The Type Viewer opens and decodes the raw FILETIME into the last connected time. In this property set 0064 is the install date, 0066 the last arrival (connection) and 0067 the last removal, so all three should be noted when building a USB timeline.
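The USBSTOR key path and the 00NN property values in the SYSTEM hive carry everything this task asks for: vendor, product and serial from the key names, and connection times from the REG_FILETIME properties. This Python example is added here and is not part of the room; the key path is the one from the write-up, while the property data is constructed sample data (the room's real timestamp is not reproduced).

```python
import struct
from datetime import datetime, timedelta, timezone

# SYSTEM\ControlSet00X\Enum\USBSTOR\<device id>\<instance id>\Properties\{83da6326-...}\00NN
# The 00NN values are REG_FILETIME device properties:
PROPERTY_TIMESTAMPS = {
    "0064": "install_date",
    "0065": "first_install_date",
    "0066": "last_arrival",   # last time the device was connected
    "0067": "last_removal",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft):
    """100 ns ticks since 1601-01-01 UTC; zero means never set."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt):
    """Only used to construct the sample data below."""
    d = dt - FILETIME_EPOCH
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def parse_usbstor_key(key_path):
    """Split a USBSTOR device key path into class, vendor, product, revision and serial.
    If the device reported no serial, Windows generates an instance id whose second
    character is '&'; such ids are not stable across machines or ports."""
    parts = key_path.rstrip("\\").split("\\")
    device_id, instance_id = parts[-2], parts[-1]
    fields = device_id.split("&")
    info = {"class": fields[0]}
    names = {"Ven": "vendor", "Prod": "product", "Rev": "revision"}
    for field in fields[1:]:
        tag, _, value = field.partition("_")
        info[names.get(tag, tag)] = value
    serial, _, port = instance_id.rpartition("&")  # "<serial>&<instance index>"
    info["serial"] = serial
    info["port"] = port
    info["windows_generated_serial"] = len(instance_id) > 1 and instance_id[1] == "&"
    return info


def decode_device_timestamps(properties):
    """properties maps a 00NN value name to its raw 8-byte REG_FILETIME data;
    unknown names and malformed data are skipped rather than misread."""
    out = {}
    for value_name, raw in properties.items():
        label = PROPERTY_TIMESTAMPS.get(value_name)
        if label is None or len(raw) != 8:
            continue
        out[label] = filetime_to_utc(struct.unpack("<Q", raw)[0])
    return out


# Key path as it appears in Registry Explorer; property data is constructed.
SAMPLE_KEY = (r"ROOT\ControlSet001\Enum\USBSTOR"
              r"\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP\1C6F654E59A3B0C179D366AE&0")
SAMPLE_PROPERTIES = {
    "0064": struct.pack("<Q", utc_to_filetime(datetime(2021, 11, 24, 19, 58, 2, tzinfo=timezone.utc))),
    "0066": struct.pack("<Q", utc_to_filetime(datetime(2021, 11, 24, 20, 2, 15, tzinfo=timezone.utc))),
    "0067": struct.pack("<Q", utc_to_filetime(datetime(2021, 11, 24, 20, 31, 9, tzinfo=timezone.utc))),
    "0003": b"\x01\x00",  # a non-timestamp property, ignored
}

if __name__ == "__main__":
    print(parse_usbstor_key(SAMPLE_KEY))
    for label, when in decode_device_timestamps(SAMPLE_PROPERTIES).items():
        print(label, when)
```

The serial parsed from the key is what ties this USBSTOR entry to the matching subkeys under Windows Portable Devices (friendly name) and MountedDevices (drive letter), so keep it exactly as stored, including case.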


Task 9  Conclusion


 

Thanks for reading my write-up.