Tryhackme - Windows Forensics 1


In this walkthrough, we will be going through the Windows Forensics 1 room from Tryhackme. This room is rated as Medium on the platform and is designed to introduce us to Windows Registry forensics. So, let’s get started without any delay.


Task 1 – Introduction to Windows Forensics

Question 1 – What is the most used Desktop Operating System right now?

Microsoft Windows


Task 2 – Windows Registry and Forensics

Question 1 – What is the short form for HKEY_LOCAL_MACHINE?

HKLM


Task 3 – Accessing registry hives offline

Question 1 – What is the path for the five main registry hives, DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM?

C:\Windows\System32\Config

Question 2 – What is the path for the AmCache hive?

C:\Windows\AppCompat\Programs\Amcache.hve


Task 4 – Data Acquisition

Question 1 – Try collecting data on your own system or the attached VM using one of the above-mentioned tools.

Done


Task 5 – Exploring Windows Registry

Question 1 – Study the above material to understand the differences between the tools.

Done


Task 6 – System Information and System Accounts

Question 1 – What is the Current Build Number of the machine whose data is being investigated?

19044

Question 2 – Which ControlSet contains the last known good configuration?

1

Question 3 – What is the Computer Name of the computer?

THM-4N6

Question 4 – What is the value of the TimeZoneKeyName?

Pakistan Standard Time

Question 5 – What is the DHCP IP address?

192.168.100.58

Question 6 – What is the RID of the Guest User account?

501


Task 7 – Usage or knowledge of files/folders

Question 1 – When was EZtools opened?

2021-12-01 13:00:34

Question 2 – At what time was My Computer last interacted with?

2021-12-01 13:06:47

Question 3 – What is the Absolute Path of the file opened using notepad.exe?

C:\Program Files\Amazon\EC2ConfigService\Settings

Question 4 – When was this file opened?

2021-11-30 10:56:19


Task 8 – Evidence of Execution

Question 1 – How many times was the File Explorer launched?

26

Question 2 – What is another name for ShimCache?

AppCompatCache

Question 3 – Which of the artifacts also saves SHA1 hashes of the executed programs?

AmCache

Question 4 – Which of the artifacts saves the full path of the executed programs?

BAM/DAM


Task 9 – External Devices/USB device forensics

Question 1 – What is the serial number of the device from the manufacturer ‘Kingston’?

1C6F654E59A3B0C179D366AE&0

Question 2 – What is the name of this device?

Kingston DataTraveler 2.0 USB Device

Question 3 – What is the friendly name of the device from the manufacturer ‘Kingston’?

USB
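A live-system equivalent of the Task 6 and Task 9 lookups, added here as an example (it is not part of the room or the original post). It assumes PowerShell 5.1 or later on Windows, run from an elevated prompt, and reads the mounted HKLM hives rather than the offline copies under C:\Windows\System32\Config.

```powershell
# Added example: read the same registry locations the room's questions point at.
# Current / LastKnownGood control set numbers live under SYSTEM\Select.
$sel = Get-ItemProperty 'HKLM:\SYSTEM\Select'
$ccs = 'HKLM:\SYSTEM\ControlSet{0:D3}' -f $sel.Current

$ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
[pscustomobject][ordered]@{
    CurrentBuild      = $ver.CurrentBuild
    CurrentControlSet = $sel.Current
    LastKnownGood     = $sel.LastKnownGood
    ComputerName      = (Get-ItemProperty "$ccs\Control\ComputerName\ComputerName").ComputerName
    TimeZoneKeyName   = (Get-ItemProperty "$ccs\Control\TimeZoneInformation").TimeZoneKeyName
} | Format-List

# DHCP-assigned addresses: one row per interface GUID that currently holds a lease.
Get-ChildItem "$ccs\Services\Tcpip\Parameters\Interfaces" |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object { $_.DhcpIPAddress } |
    Select-Object @{n = 'Interface'; e = { $_.PSChildName }}, DhcpIPAddress, DhcpServer |
    Format-Table -AutoSize

# RIDs: the SAM hive is only readable as SYSTEM (or offline), so derive the RID from
# each local account's SID instead; the Guest account should show RID 501.
Get-LocalUser |
    Select-Object Name, Enabled, @{n = 'RID'; e = { $_.SID.Value.Split('-')[-1] }} |
    Format-Table -AutoSize

# USB mass-storage history (Task 9): under Enum\USBSTOR each model key holds one
# subkey per device instance, whose name is the serial number reported by the device.
Get-ChildItem "$ccs\Enum\USBSTOR" | ForEach-Object {
    $model = $_.PSChildName
    Get-ChildItem $_.PSPath | ForEach-Object {
        $dev = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Model        = $model
            Serial       = $_.PSChildName
            FriendlyName = $dev.FriendlyName
        }
    }
} | Format-Table -AutoSize
# First-install / last-arrival timestamps for each instance sit in its
# Properties\{83da6326-97a6-4088-9453-a1923f573b29} subkey and are easier to read
# with Registry Explorer, as the room does, than with raw PowerShell.
```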


Task 10 – Hands-on Challenge

Question 1 – How many user created accounts are present on the system?


3

Question 2 – How many user created accounts are present on the system?


thm-user2

Question 3 – What’s the password hint for the user THM-4n6?


count

Question 4 – When was the file ‘Changelog.txt’ accessed?


2021-11-24 18:18:48

Question 5 – What is the complete path from where the Python 3.8.2 installer was run?


Z:\setups\python-3.8.2.exe

Question 6 – When was the USB device with the friendly name ‘USB’ last connected?


2021-11-24 18:40:06

Task 11 – Conclusion


So that was “Windows Forensics 1” for you. We have learned the fundamentals of Windows Registry forensics. We started with the basics of the Windows Registry and forensics. Then we accessed registry hives offline. After that we performed data acquisition and explored the Windows Registry. Further, we looked into system information and accounts, and explored files, folders and some attached devices. At last, we solved a hands-on challenge and completed the room. On that note, I will take my leave and will see you in the next one. Till then, “Hack the Planet”.
