
Windows Forensic 1 Investigation

TryHackMe | Windows Forensics 1
  • Scenario – One of the Desktops in the research lab at Organization X is suspected to have been accessed by someone unauthorized. Although they generally have only one user account per Desktop, there were multiple user accounts observed on this system. It is also suspected that the system was connected to some network drive, and a USB device was connected to the system. The triage data from the system was collected and placed on the attached VM. Can you help Organization X with finding answers to the below questions? Note: When loading registry hives in RegistryExplorer, it will caution us that the hives are dirty. This is nothing to be afraid of. We just need to remember the little lesson about transaction logs and point RegistryExplorer to the .LOG1 and .LOG2 files with the same filename as the registry hive. It will automatically integrate the transaction logs and create a ‘clean’ hive. Once we tell RegistryExplorer where to save the clean hive, we can use that for our analysis and we won’t need to load the dirty hives anymore. RegistryExplorer will guide you through this process.

    • [ ] 1- How many user-created accounts are present on the system? 3 Step 1: open Registry Explorer and load the SAM hive (including its .LOG1/.LOG2 transaction logs). From there we can go to the Users key and look at the users on the system. Keep in mind that user IDs (RIDs) that start with 10xx belong to accounts created by a user, not default accounts such as the built-in Administrator account.

  • What is a RID (Microsoft)? When a DC creates a security principal object such as a user or group, it attaches a unique SID to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal SID created in a domain.

    • [ ] 2- What is the username of the account that has never been logged in? thm-user2 Using the same information gathered before, from the column Total Login Count = 0, we can deduce that thm-user2 had never logged in before.

    • [ ] 3- What’s the password hint for the user THM-4n6? count Taken from the same information gathered previously.
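The RID rule behind questions 1 to 3, as an added example that is not part of the original write-up or of the TryHackMe room: the records below are constructed to mirror the columns Registry Explorer shows for the SAM hive (username, SID, total login count, password hint); the SIDs, the RIDs 1001 to 1003 and the non-zero login counts are assumptions, only the account names, the hint and the "never logged in" account come from the page.

```python
from dataclasses import dataclass
from typing import List, Optional

# RIDs below 1000 are reserved for built-in principals (500 Administrator, 501 Guest,
# 503 DefaultAccount, 504 WDAGUtilityAccount); locally created users start at 1000.
FIRST_USER_RID = 1000


@dataclass
class SamUser:
    """One row of the SAM user listing as Registry Explorer presents it."""
    name: str
    sid: str
    total_login_count: int
    password_hint: Optional[str] = None


# Constructed sample data; SIDs, RIDs and login counts are assumed values.
SAMPLE_USERS: List[SamUser] = [
    SamUser("Administrator", "S-1-5-21-1111-2222-3333-500", 0),
    SamUser("Guest", "S-1-5-21-1111-2222-3333-501", 0),
    SamUser("DefaultAccount", "S-1-5-21-1111-2222-3333-503", 0),
    SamUser("WDAGUtilityAccount", "S-1-5-21-1111-2222-3333-504", 0),
    SamUser("THM-4n6", "S-1-5-21-1111-2222-3333-1001", 4, password_hint="count"),
    SamUser("thm-user", "S-1-5-21-1111-2222-3333-1002", 2),
    SamUser("thm-user2", "S-1-5-21-1111-2222-3333-1003", 0),
]


def rid_from_sid(sid: str) -> int:
    """The RID is the last dash-separated component of the SID."""
    return int(sid.rsplit("-", 1)[1])


def user_created_accounts(users: List[SamUser]) -> List[SamUser]:
    """Accounts whose RID lies in the range Windows hands out to created users."""
    return [u for u in users if rid_from_sid(u.sid) >= FIRST_USER_RID]


def never_logged_in(users: List[SamUser]) -> List[str]:
    """Created accounts whose login counter is still zero.

    Built-in accounts are excluded on purpose: Guest and DefaultAccount are
    normally disabled and would otherwise show up as false positives.
    """
    return [u.name for u in user_created_accounts(users) if u.total_login_count == 0]


def password_hint(users: List[SamUser], name: str) -> Optional[str]:
    """Case-insensitive lookup of the stored password hint, None if the user has none."""
    for u in users:
        if u.name.lower() == name.lower():
            return u.password_hint
    return None


if __name__ == "__main__":
    created = user_created_accounts(SAMPLE_USERS)
    print(f"user-created accounts: {len(created)} -> {[u.name for u in created]}")
    print(f"never logged in: {never_logged_in(SAMPLE_USERS)}")
    print(f"hint for THM-4n6: {password_hint(SAMPLE_USERS, 'THM-4n6')}")
```

The filter on RID rather than on account name is the point: a renamed built-in Administrator keeps RID 500, so counting by name would miscount it, while counting by RID does not.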

  • [ ] 4- When was the file ‘Changelog.txt’ accessed? 2021-11-24 18:18:48 This falls under usage or knowledge of files/folders: we use the Recently Opened Files (RecentDocs) key from the NTUSER hive.

  • [ ] 5- What is the complete path from where the python 3.8.2 installer was run? Z:\setups\python-3.8.2.exe

    There are currently two users that have a value under the installed-programs key, so the installer's path has to be looked up in both users' NTUSER hives.

  • [ ] 6- When was the USB device with the friendly name ‘USB’ last connected? 2021-11-24 18:40:06 Using Registry Explorer with the SYSTEM hive: SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0066 – the 0066 property holds the last connection time.
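Decoding the timestamp behind question 6, as an added example that is not part of the original write-up or of the TryHackMe room. The properties under {83da6326-97a6-4088-9453-a19231573b29} are stored as Windows FILETIME values (100-nanosecond ticks since 1601-01-01 UTC); the sample bytes below are constructed so that property 0066 decodes to the page's answer, the 0064 value is an assumed one minute earlier, and 0067 is left zero to show how a never-set property is handled.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# FILETIME counts 100 ns intervals since the Windows epoch, which is UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_FILETIME = 116444736000000000  # ticks at 1970-01-01 00:00:00 UTC

# Property ids under Properties\{83da6326-97a6-4088-9453-a19231573b29}.
DEVICE_PROPERTY_NAMES = {
    "0064": "first installed",
    "0065": "install date",
    "0066": "last connected",
    "0067": "last removed",
}


def filetime_ticks_to_datetime(ticks: int) -> Optional[datetime]:
    """Convert a raw tick count to an aware UTC datetime; zero means 'never set'."""
    if ticks < 0:
        raise ValueError("FILETIME ticks cannot be negative")
    if ticks == 0:
        return None
    # timedelta keeps microsecond precision, so drop the sub-microsecond digit.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def filetime_to_datetime(raw: bytes) -> Optional[datetime]:
    """Decode the 8-byte little-endian FILETIME blob stored in the registry."""
    if len(raw) != 8:
        raise ValueError(f"FILETIME must be 8 bytes, got {len(raw)}")
    (ticks,) = struct.unpack("<Q", raw)
    return filetime_ticks_to_datetime(ticks)


def decode_device_timestamps(properties: Dict[str, bytes]) -> Dict[str, Optional[str]]:
    """Map each known property id to a 'YYYY-MM-DD HH:MM:SS' UTC string.

    Missing properties and zero FILETIMEs both come back as None instead of a
    misleading 1601-01-01 date.
    """
    decoded: Dict[str, Optional[str]] = {}
    for prop_id, label in DEVICE_PROPERTY_NAMES.items():
        raw = properties.get(prop_id)
        if raw is None:
            decoded[label] = None
            continue
        when = filetime_to_datetime(raw)
        decoded[label] = when.strftime("%Y-%m-%d %H:%M:%S") if when else None
    return decoded


# Constructed sample blobs (assumed values, not data taken from the room's VM).
LAST_CONNECTED_TICKS = 132822528060000000  # 2021-11-24 18:40:06 UTC
SAMPLE_PROPERTIES: Dict[str, bytes] = {
    "0064": struct.pack("<Q", LAST_CONNECTED_TICKS - 60 * 10_000_000),  # one minute earlier
    "0066": struct.pack("<Q", LAST_CONNECTED_TICKS),
    "0067": struct.pack("<Q", 0),  # device was never cleanly removed
}


if __name__ == "__main__":
    for label, value in decode_device_timestamps(SAMPLE_PROPERTIES).items():
        print(f"{label:16s}: {value}")
```

The result is in UTC, which is the timezone the FILETIME itself carries; convert to the machine's local zone only after the raw value has been recorded, so the evidence note keeps the unambiguous time.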