Skip to content

Windows Forensics

Windows Forensics is the method of gathering information about the target Windows system.

System Information

IP Address & MAC Address

Below are the location of the file which contains the information of IP address and MAC address.

# Look@LAN is a network monitoring tool. So if the system uses the tool, we can retrieve the information of the network.
# LANIP -> IP address
# LANNIC -> MAC address
c:\Program Files (x86)\Look@LAN\irunin.ini

Network Cards

The name of the network card is such like “Intel(R) PRO/1000 MT Desktop Adapter”.

c:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_1_2_3_45_67.etl

PowerShell History

Sometimes PowerShell command history contains the sensitive information about the system.

c:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Malware History

Suspicious activities are likely detected by Windows Defender.

c:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\

Event Logs

Event Viewer

Below is the list of item worth noting.

  • Applications and Services Logs/Microsoft/Windows/Sysmon/Operational
  • Applications and Services Logs/Microsoft/Windows/PrintService/Admin

In each item, we can find the desired list by specifying the keyword in the “Find” action in the right pane.

PowerShell

Also we can see event logs from a logfile in PowerShell.

Get-WinEvent -Path  .\Example.evtx -FilterXPath '*/System/*' | Sort-Object TimeCreated

Processes

Process Monitor

  • To get the parent PID of the specific process, click “Filter” icon and enter the process name (e.g. “spoolsv.exe”) then select “Include”, and click Apply. Right-click on the highlighted item and go to “Process” tab. We can see the parent PID.

Registry Hives

A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files loaded into memory when the operating system is started or a user logs in.

Registry Editor

We can find registry keys in the Registry Editor.

  1. Click on the Windows icon and select Run.
  2. Enter “regedit” in the input form. Registry Editor opens.

File Locations

Registry Hives are located in C:\Windows\System32\config.

  • DEFAULT (HKEY_USERS\DEFAULT in regedit)
  • SAM (HKEY_LOCAL_MACHINE\SAM in regedit)
  • SECURITY (HKEY_LOCAL_MACHINE\Security in regedit)
  • SOFTWARE (HKEY_LOCAL_MACHINE\Software in regedit)
  • SYSTEM (HKEY_LOCAL_MACHINE\System in regedit)

The other hives are located in user home directory (C:\Users\<username>)

  • NTUSER.DAT (HKEY_CURRENT_USER in regedit)

    It contains the information of the user account settings.
    It is located in C:\Users\<username> .

  • USRCLASS.DAT (HKEY_CURRENT_USER\Software\CLASSES)

    It stores the ShellBag information for the Desktop, ZIP files, remote folders, local folders, etc.
    It is located in C:\Users\<username>\AppData\Local\Microsoft\Windows .

Amcache Hive is located in C:\Windows\AppCompat\Programs\Amcache.hve .
It stores the information on programs that were recently run on the system.

Acquire Registry Data


Gather Information From Registry Hives

We can retrieve information using Registry Viewer or Registry Explorer.

OS Version

  • SOFTWARE\Microsoft\Windows NT\CurrentVersion)

Current Control Set

  • SYSTEM\ControlSet001
  • SYSTEM\ControlSet002

Computer Name

  • SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

Time Zone

  • SYSTEM\CurrentControlSet\Control\TimeZoneInformation

Network

  • SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

SAM Hive & User Information

  • SAM\Domains\Account\Users

Recent Files

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explore\RecentDocs

Microsoft Office Recent Files

  • NTUSER.DAT\Software\Microsoft\Office\VERSION

ShellBags

  • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bag
  • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  • NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
  • NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags

ShimCache

  • SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

AmCache

  • Amcache.hve\Root\File\<Volume GUID>\

BAM/DAM

  • SYSTEM\CurrentControlSet\Services\bam\UserSettings\<SID>
  • SYSTEM\CurrentControlSet\Services\dam\UserSetitngs\<SID>

UserAssist

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\<GUID>\Count

Devices

  • SYSTEM\CurrentControlSet\Enum\USBSTOR
  • SYSTEM\CurrentControlSet\Enum\USB
  • SOFTWARE\Microsoft\Windows Portable Devices\Devices

References