In this walk through, we will be going through the Windows Forensics 1 room from Tryhackme. This room is rated as Medium on the platform and is developed to introduce us with Windows Registry Forensics. So, let’s get started without any delay.
Table of Contents
Task 1 – Introduction to Windows Forensics
Question 1 – What is the most used Desktop Operating System right now?
Microsoft Windows
Task 2 – Windows Registry and Forensics
Question 1 – What is the short form for HKEY_LOCAL_MACHINE?
HKLM
Task 3 – Accessing registry hives offline
Question 1 – What is the path for the five main registry hives, DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM?
C:\Windows\System32\Config
Question 2 – What is the path for the AmCache hive?
C:\Windows\AppCompat\Programs\Amcache.hve
Task 4 – Data Acquisition
Question 1 – Try collecting data on your own system or the attached VM using one of the above mentioned tools
Done
Task 5 – Exploring Windows Registry
Question 1 – Study the above material to understand the difference between the different tools
Done
Task 6 – System Information and System Accounts
Question 1 – What is the Current Build Number of the machine whose data is being investigated?
19044
Question 2 – Which ControlSet contains the last known good configuration?
1
Question 3 – What is the Computer Name of the computer?
THM-4N6
Question 4 – What is the value of the TimeZoneKeyName?
Pakistan Standard Time
Question 5 – What is the DHCP IP address
192.168.100.58
Question 6 – What is the RID of the Guest User account?
501
Task 7 – Usage or knowledge of files/folders
Question 1 – When was EZtools opened?
2021-12-01 13:00:34
Question 2 – At what time was My Computer last interacted with?
2021-12-01 13:06:47
Question 3 – What is the Absolute Path of the file opened using notepad.exe?
C:\Program Files\Amazon\EC2ConfigService\Settings
Question 4 – When was this file opened?
2021-11-30 10:56:19
Task 8 – Evidence of Execution
Question 1 – How many times was the File Explorer launched?
26
Question 2 – What is another name for ShimCache?
AppCompatCache
Question 3 – Which of the artifacts also saves SHA1 hashes of the executed programs?
AmCache
Question 4 – Which of the artifacts saves the full path of the executed programs?
BAM/DAM
Task 9 – External Devices/USB device forensics
Question 1 – What is the serial number of the device from the manufacturer ‘Kingston’?
1C6F654E59A3B0C179D366AE&0
Question 2 – What is the name of this device?
Kingston DataTraveler 2.0 USB Device
Question 3 – What is the friendly name of the device from the manufacturer ‘Kingston’?
USB
Task 10 – Hands-on Challenge
Question 1 – How many user created accounts are present on the system?
3
Question 2 – How many user created accounts are present on the system?
thm-user2
Question 3 – What’s the password hint for the user THM-4n6?
count
Question 4 – When was the file ‘Changelog.txt’ accessed?
2021-11-24 18:18:48
Question 5 – What is the complete path from where the python 3.8.2 installer was run?
Z:\setups\python-3.8.2.exe
Question 6 – When was the USB device with the friendly name ‘USB’ last connected?
2021-11-24 18:40:06
Task 11 – Conclusion
Also Read: Tryhackme – Wgel CTF
So that was “Windows Forensics 1” for you. We have learned about the fundamentals of the Windows Registry Forensics. We started with the basics of Windows Registry and Forensics. Then we access registry hives offline. Post that we perform Data acquisition, and explored Windows registry. Further, we looked into system information/accounts and explored files, folders and some attached devices. At last, we solved an hands-on challenge and completed the room. On that note, i will take your leave and will see you in next one, Till then “Hack the Planet”.