Disk Analysis Introduction

19KB

Analysis-Notes-Template.docx

Open

Windows Registry Analysis

Let's drop the registry hives into Registry Explorer.

Next, let's extract some system information from these registry hives using Registry Explorer and RegRipper.

System Information

Computername: Registry: HKLM\System\CurrentControlSet\Control\Computername\

Windows Version: Registry: HKLM\Software\Microsoft\Windows NT\Currentversion\

Let's use RegRipper, but first, copy the registry hives to a separate folder.

rip.exe -r c:\Cases\Analysis\Registry\SOFTWARE -p winver

Timezone: Registry: HKLM\System\CurrentControlSet\Control\TimeZoneInformation\

rip.exe -r C:\Cases\Analysis\Registry\SYSTEM -p timezone

Network Information: Registry: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{interface-name}

rip.exe -r C:\Cases\Analysis\Registry\SYSTEM -p nic2

rip.exe -r C:\Cases\Analysis\Registry\SOFTWARE -p networklist

Shutdown time: Registry: HKLM\System\ControlSet001\Control\Windows\ShutdownTime

rip.exe -r C:\Cases\Analysis\Registry\SYSTEM -p shutdown

Defender settings: Registry: HKLM\Software\Microsoft\Windows Defender\

rip.exe -r C:\Cases\Analysis\Registry\SOFTWARE -p defender

Parsing registry hives in bulk with RegRipper

attrib *

The files UsrClass.dat and NTUSER.DAT are hidden. Let’s display them.

attrib -h NTUSER.DAT
attrib -h UsrClass.dat

Let's process each hive using RegRipper.

for /r %i in (*) do (c:\Tools\RegRipper3.0-master\rip.exe -r %i -a > %i.txt)

Let's open them in Notepad.

Let's use Ctrl + F to search for the shutdown time, then select "Find All in All Opened Document."