TryHackMe Expediting Registry Analysis Write-Up

Joseph Alan
13 min read, Jun 7, 2024


This room covers acquiring registry hives from live and cold (offline) systems, using tools to parse and analyse the data in those hives, and answering questions about the system from that analysis.

Task 1 Introduction

Learning Objectives

In this room, we will learn:

  • How to acquire a live and cold system registry hive.
  • The tools that can be used to analyse and parse the data in the registry hives.
  • The kind of questions that can be answered by analysing a system’s registry.

Prerequisites

Before continuing, it is highly recommended that you complete the SOC Level 1 and SOC Level 2 paths, especially the following rooms:

Task 2 Data Acquisition Considerations and FTK Imager

  • Before the investigation can start, the registry data has to be acquired
  • There are several ways to acquire registry data from a system
  • The most common ones are covered in this room

Difference between Live and Cold Acquisition

Live Acquisition

  • A live acquisition is performed on a running system
  • The Windows OS is already loaded, so the active configuration is held in memory
  • On a live system the registry hive files are locked by the kernel and cannot be copied with a plain file copy; special tools are needed
  • Because the configuration is already loaded, there is no need to work out which configuration is active: for example, the CurrentControlSet key is already resolved, so we know which control set is in use
  • Live acquisition has a cost: the acquisition tools leave traces and can alter data that matters to the case. Running FTK Imager on the host, for instance, adds entries to the registry keys that track program execution
  • Live acquisition is much faster than imaging the whole disk, so it trades some evidence integrity for speed; that trade is usually acceptable in urgent scenarios such as an active outbreak

Cold Acquisition

  • A cold acquisition is performed on a system that is offline or shut down
  • A full disk image is taken with a write blocker in place so the original disk cannot be modified
  • The image is hashed and the analysis is done on a copy, so the original evidence is never touched
  • If needed, the hash of the original evidence can later prove that nothing was tampered with during the analysis
  • To analyse the registry from a cold acquisition, the disk image is first mounted with image-mounting software and the hive files are extracted from the mounted image
  • Tools such as FTK Imager and Autopsy can open the image directly for both imaging and analysis, which removes the need for separate image-mounting software
  • Cold acquisition is time-intensive because of the number of steps involved
  • It has minimal impact on the system under analysis because it is done offline
  • It is the right choice where data integrity must be demonstrable, for example in a court case

Step 1 — Adding the evidence source from which the data will be extracted

Step 2 — Choosing Logical Drive to add a drive of the live system as an evidence item

Step 3 — Selecting the C drive

Step 4 — Selecting Image File in the case of a cold acquisition

Step 5 — Selecting the disk image path

Step 6 — Using the Obtain Protected Files option to collect the registry data

  • On a live system the registry data can be collected with the Obtain Protected Files option in FTK Imager
  • The hive files are locked on a live system and cannot be copied with a normal file copy
  • This option acquires those locked, protected files and exports them to a location of our choice
  • The drawback is that it does not acquire all registry hives
  • For example, it does not copy the Amcache hive (Amcache.hve), so important program-execution evidence would be left behind
  • As the note in the bottom-left corner of the previous image says, this option exports the files needed for a SAM attack (recovering password hashes from the SAM hive)
  • The SAM hive holds the local account password hashes, so the exported copy must be stored and handled as sensitive material, not just as evidence
  • A better way to export the registry with FTK Imager is to browse to the directory where the hives are located and export the files directly
  • Select the files, then click Export Files and choose a destination
  • In the screenshot above, the hives are exported together with their transaction logs (.LOG1/.LOG2), which hold changes that have been made but not yet written into the hive files, and the backup copies in RegBack
  • These files can hold essential pieces of the puzzle and should be included when the registry is analysed
  • For this task the SAM, SYSTEM and SOFTWARE hives must be exported; they are located in the C:\Windows\System32\config directory
  • FTK Imager can be used to achieve this
  • The main advantage of extracting data with FTK Imager is specificity and granularity: we pick exactly the files we want. The cost is that it requires precise knowledge of where the artefacts live and time to execute, so an automated tool may be the better choice in some scenarios
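An added example, not code from the write-up or from FTK Imager, that checks a hand-picked export for the gaps the bullets above warn about (a hive without its .LOG1/.LOG2 files, a forgotten Amcache.hve) and writes a SHA-256 manifest so the export can later be shown to be unmodified. The export directory name and the relative layout are assumptions: it expects the files to have been exported with their original directory structure preserved.

```python
"""Check a hand-picked registry export for completeness and record its hashes.

Added example; this is not code from the original write-up or from FTK Imager.
It verifies that each hive came with its .LOG1/.LOG2 transaction logs and that
Amcache.hve (which "Obtain Protected Files" skips) was included, then writes a
SHA-256 manifest of the export. The relative paths mirror the Windows layout
named in the write-up; the export directory name is an assumption.
"""
import hashlib
from pathlib import Path

CONFIG_DIR = "Windows/System32/config"
# Hives under System32\config; each should travel with its transaction logs.
# RegBack copies are not required here: they are empty by default on Windows 10 1803+.
DEFAULT_HIVES = ("SAM", "SECURITY", "SOFTWARE", "SYSTEM", "DEFAULT")
LOG_SUFFIXES = (".LOG1", ".LOG2")
# Amcache lives outside System32\config, which is why a config-only export misses it.
AMCACHE = "Windows/AppCompat/Programs/Amcache.hve"


def _norm(path):
    """Normalise an export-relative path for case-insensitive, slash-agnostic comparison."""
    return str(path).replace("\\", "/").strip("/").lower()


def expected_files(hives=DEFAULT_HIVES):
    """Export-relative paths a complete registry export should contain."""
    wanted = []
    for hive in hives:
        wanted.append(f"{CONFIG_DIR}/{hive}")
        wanted.extend(f"{CONFIG_DIR}/{hive}{suffix}" for suffix in LOG_SUFFIXES)
    wanted.append(AMCACHE)
    return wanted


def missing_files(present, hives=DEFAULT_HIVES):
    """Return the expected files that are absent from `present` (an iterable of paths)."""
    have = {_norm(p) for p in present}
    return [p for p in expected_files(hives) if _norm(p) not in have]


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large hives do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(export_root, manifest_path):
    """Hash every file under export_root and write 'sha256  relative/path' lines.

    Returns the {relative_path: sha256} mapping. Re-running this later and
    diffing the manifests shows whether anything in the export changed.
    """
    root = Path(export_root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = sha256_file(path)
    with open(manifest_path, "w", encoding="utf-8") as out:
        for rel, digest in digests.items():
            out.write(f"{digest}  {rel}\n")
    return digests


if __name__ == "__main__":
    # Assumed layout: files exported into .\export with their original directory structure.
    export_root = Path("export")
    if not export_root.is_dir():
        raise SystemExit("export directory not found")
    present = [p.relative_to(export_root).as_posix() for p in export_root.rglob("*") if p.is_file()]
    for item in missing_files(present, hives=("SAM", "SYSTEM", "SOFTWARE")):
        print("MISSING:", item)
    write_manifest(export_root, "export.sha256")
```

Keep the manifest with the case notes; hashing the exported copies is the live-acquisition counterpart of hashing the disk image in a cold acquisition.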

Task 2 Answers

Task 3 Data Acquisition Using KAPE

  • KAPE is another tool that collects and processes triage data from a system quickly
  • KAPE is generally run on live systems, but it can also be run against a disk image by mounting the image and pointing KAPE at the mounted drive as its target source
  • Any mounting software can be used to mount the image; the rest of the process is unchanged
  • FTK Imager can mount images, but running KAPE while FTK Imager is open can cause problems, so KAPE warns about it; tick the Ignore FTK warning checkbox to run KAPE in that scenario

Step 1 — Starting gkape.exe, the KAPE GUI

Step 2 — Since data needs to be collected, tick Use Target Options; this enables the target fields on the left side of the KAPE GUI

  • Choose the path of the source drive in Target Source and the path where the collected triage data should be stored in Target Destination
  • When collecting from a disk image, select the drive letter under which the image mounter exposed the image
  • On a live system, select the C drive (or whichever drive holds the OS)
  • After setting the source and destination, choose one or more targets
  • For a comprehensive triage package of the most useful artefacts, choose KapeTriage
  • If only registry data is needed, use the search box to find and select one of the registry targets
  • Remember to untick the Flush checkbox unless you intend to overwrite whatever is already in the destination folder
  • Once a target is selected, the Current Command Line box at the bottom shows the equivalent kape.exe command
  • That command line collects the same triage data when run from the console
  • It can also be run remotely as part of a script
  • The Container option packs the collected data into a single file such as a VHDX or VHD; the Transfer option uploads it to a remote location
  • Click Execute at the bottom right; a console window opens and shows the progress of the collection

When the collection completes, the console shows "Press any key to exit"

  • KAPE makes triage collection far more scalable and automated, and the same collection can be replicated across the whole enterprise
  • FTK Imager, by contrast, extracts only the artefacts we pick by hand
  • Another advantage of KAPE is that it preserves the directory structure and file metadata of the originals in the destination, which keeps the forensic record accurate
  • When the collection finishes, the target destination looks like the screenshot below: every collected file sits in the same directory structure it had on the C drive of the source system
  • The other files are log files that can be used to troubleshoot if anything goes wrong with the KAPE collection

Automated Collection Using Batch Mode

  1. Create a _kape.cli file containing the following command line:
--tsource C: --tdest C:\Users\THM-4n6\Desktop\triage --target RegistryHives --scs 192.168.23.1 --scp 22 --scu thm-4n6 --scpw 123 --vhdx reg
  2. Save the _kape.cli file in the same directory as kape.exe.
  3. Share the whole package with the system administration team or the asset owners.
  4. They run kape.exe with administrator privileges; it reads _kape.cli and collects the registry hives automatically.
  5. KAPE then packs the collection into a VHDX (--vhdx reg) and uploads it to 192.168.23.1 over SFTP (--scs, --scp, --scu and --scpw are KAPE's SFTP server, port, user and password switches).
  6. Note that the file carries the upload account's password in clear text, so treat the package as sensitive and use a dedicated upload-only account rather than a shared one.

Task 3 Answers

Task 4 Registry Analysis Using EZTools

  • Registry Explorer is a GUI tool for exploring registry hives
  • Its notable features include applying transaction logs to a hive and bookmarks that jump straight to important registry keys and values
  • In the attached VM the Registry Explorer GUI is on the Desktop under EZTools\RegistryExplorer\RegistryExplorer.exe
  • A hive is loaded with File > Load hive
  • Several hives can be loaded at once
  • In this task Registry Explorer is used to identify system information
  • The registry data was collected earlier with KAPE
  • Because KAPE preserves the directory structure, the hives sit in the same relative location as on a Windows system
  • The SYSTEM hive is in the C:\Windows\System32\config directory

When we load a hive whose transaction logs have not yet been applied, Registry Explorer asks whether we want to apply them.

If we click Yes, Registry Explorer asks us to select the transaction logs to incorporate. They must be the logs that belong to the hive being loaded: for the SYSTEM hive, for example, we select SYSTEM.LOG1 and SYSTEM.LOG2.

Once the logs are selected, we choose where the updated hive will be saved. It gets the default name HIVE_clean, i.e. the hive name followed by _clean.

After the log data has been merged, Registry Explorer asks us to reload. On reload we can add the clean hive, which now contains the transaction-log data.

After selecting Yes we are also asked whether to load the dirty (original) hive; for now we proceed with just the clean hive. The Available bookmarks tab at the top lists crucial registry keys and values from all loaded hives and gives quick access to key forensic data for rapid analysis. See the screenshot below, where the tab is marked with an arrow.
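As an added example (not code from the write-up or from Registry Explorer), the following reads the REGF base block of a hive and reports whether it is dirty, which is the condition behind the transaction-log prompt described above: Windows raises the primary sequence number before writing a change and the secondary after the write completes, so a copy taken in between has unequal numbers and its .LOG1/.LOG2 files still hold data. The header parsed in the demo is constructed; the field offsets are those of the standard REGF base block.

```python
"""Inspect the REGF base block of an exported hive to see whether it is dirty.

Added example; not code from the original write-up or from Registry Explorer.
The 4096-byte header of every hive carries a primary and a secondary sequence
number; a mismatch means the file was copied mid-transaction and its
.LOG1/.LOG2 files must be replayed before analysis. The header built by
build_base_block() is constructed for this example.
"""
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 4096
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def regf_checksum(header):
    """XOR of the 127 little-endian dwords at offsets 0x000-0x1FB."""
    total = 0
    for (dword,) in struct.iter_unpack("<I", bytes(header[:0x1FC])):
        total ^= dword
    return total


def parse_base_block(header):
    """Return the base-block fields that matter for triage."""
    if len(header) < BASE_BLOCK_SIZE or header[:4] != b"regf":
        raise ValueError("not a REGF base block")
    # 0x04 primary seq, 0x08 secondary seq, 0x0C last written (FILETIME), 0x14/0x18 version
    primary, secondary, last_written, major, minor = struct.unpack_from("<IIQII", header, 4)
    # Offset 0x30 holds up to 32 UTF-16LE characters of the hive's path tail.
    name = header[0x30:0x70].decode("utf-16-le").split("\x00", 1)[0]
    stored_checksum = struct.unpack_from("<I", header, 0x1FC)[0]
    return {
        "primary_seq": primary,
        "secondary_seq": secondary,
        "dirty": primary != secondary,  # transaction logs must be applied first
        "last_written": filetime_to_datetime(last_written),
        "format_version": f"{major}.{minor}",
        "name": name,
        "checksum_ok": stored_checksum == regf_checksum(header),
    }


def hive_status(path):
    """Read only the base block of a hive file on disk."""
    with open(path, "rb") as handle:
        return parse_base_block(handle.read(BASE_BLOCK_SIZE))


def build_base_block(primary, secondary, name, last_written_ticks):
    """Construct a minimal but self-consistent base block (example data only)."""
    header = bytearray(BASE_BLOCK_SIZE)
    header[:4] = b"regf"
    struct.pack_into("<IIQII", header, 4, primary, secondary, last_written_ticks, 1, 5)
    encoded = name[:32].encode("utf-16-le")
    header[0x30:0x30 + len(encoded)] = encoded
    struct.pack_into("<I", header, 0x1FC, regf_checksum(header))
    return bytes(header)


if __name__ == "__main__":
    # Constructed example: a SYSTEM hive copied between the two sequence updates.
    dirty = build_base_block(5, 4, "Config\\SYSTEM", 133485408000000000)
    print(parse_base_block(dirty))
```

A hive whose checksum does not match was damaged in transit or on disk and should be re-acquired rather than analysed; a dirty hive with a good checksum is normal for a live export and simply needs its logs applied.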

RECmd

  • RECmd is a command-line utility for searching and extracting data from registry hives
  • It is the command-line counterpart of Registry Explorer and can also apply transaction logs to hives
  • It can write its output as CSV, which makes further analysis easier

Using the help command to

The following command line shows RECmd being used to get specific key details.

  • Using a batch file to extract registry data
  • Create a file named batch.yaml with the configuration below (indentation matters in YAML; each entry under Keys describes one key or value to extract, and BinaryConvert tells RECmd how to render a binary value)
Description: RECmd Batch File Template
Author: Andrew Rathbun
Version: 1.0
Id: 9bc106b8-efd0-44bb-b2a7-cbfddd99b2bb
Keys:
    -
        Description: Shutdown Time
        HiveType: SYSTEM
        Category: System Info
        KeyPath: ControlSet00*\Control\Windows
        ValueName: ShutdownTime
        Recursive: false
        IncludeBinary: true
        BinaryConvert: FILETIME
        Comment: "Last system shutdown time"
    -
        Description: System Info (Current)
        HiveType: SOFTWARE
        Category: System Info
        KeyPath: Microsoft\Windows NT\CurrentVersion
        ValueName: InstallTime
        IncludeBinary: true
        BinaryConvert: FILETIME
        Recursive: false
        Comment: "Current OS install time"
    -
        Description: System Info (Current)
        HiveType: SOFTWARE
        Category: System Info
        KeyPath: Microsoft\Windows NT\CurrentVersion
        ValueName: InstallDate
        IncludeBinary: true
        BinaryConvert: EPOCH
        Recursive: false
        Comment: "Current OS install date"
    -
        Description: Virtual Memory Pagefile Encryption Status
        HiveType: SYSTEM
        Category: System Info
        KeyPath: ControlSet*\Control\FileSystem
        ValueName: NtfsEncryptPagingFile
        Recursive: false
        Comment: "Virtual Memory Pagefile Encryption, 0 = Disabled, 1 = Enabled"
    -
        Description: MountPoints2
        HiveType: NTUSER
        Category: Devices
        KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
        Recursive: true
        Comment: "Mount Points - NTUSER"
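An added example, not code from the write-up or from RECmd, showing what the BinaryConvert: FILETIME and BinaryConvert: EPOCH lines in this batch file ask RECmd to do, how the InstallTime and InstallDate values it pulls can be cross-checked against each other (both record the install moment), and how the ControlSet00* wildcard is resolved: an exported SYSTEM hive has no CurrentControlSet link, so the live set is ControlSet00N with N taken from the REG_DWORD at SYSTEM\Select\Current. All byte strings in the demo are constructed.

```python
"""Decode the raw values the RECmd batch file above asks for.

Added example; not code from the original write-up or from RECmd. The
functions mirror the batch's BinaryConvert settings so the CSV output can be
sanity-checked by hand, and resolve the ControlSet wildcard for offline hives.
The byte strings used in the demo are constructed, not copied from a hive.
"""
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)


def decode_filetime(raw):
    """8-byte little-endian FILETIME (ShutdownTime is REG_BINARY, InstallTime REG_QWORD)."""
    if len(raw) != 8:
        raise ValueError(f"FILETIME needs 8 bytes, got {len(raw)}")
    ticks = struct.unpack("<Q", raw)[0]
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_epoch(raw):
    """4-byte REG_DWORD holding Unix seconds (InstallDate)."""
    return datetime.fromtimestamp(struct.unpack("<I", raw)[0], tz=UTC)


def decode_flag(raw, labels=("Disabled", "Enabled")):
    """REG_DWORD used as an on/off switch, e.g. NtfsEncryptPagingFile."""
    value = struct.unpack("<I", raw)[0]
    return labels[value] if value < len(labels) else f"unknown ({value})"


def install_times_agree(install_time_raw, install_date_raw, tolerance_s=1):
    """InstallTime has 100 ns resolution, InstallDate whole seconds; they should match."""
    delta = decode_filetime(install_time_raw) - decode_epoch(install_date_raw)
    return abs(delta.total_seconds()) <= tolerance_s


def current_control_set(select_current_raw):
    """Map SYSTEM\\Select\\Current (REG_DWORD) to the ControlSet00N key name."""
    n = struct.unpack("<I", select_current_raw)[0]
    return f"ControlSet{n:03d}"


def resolve_key_path(pattern, select_current_raw):
    """Replace the batch's ControlSet00*/ControlSet* wildcard with the live control set."""
    current = current_control_set(select_current_raw)
    for wildcard in ("ControlSet00*", "ControlSet*"):
        if pattern.startswith(wildcard):
            return current + pattern[len(wildcard):]
    return pattern


if __name__ == "__main__":
    # Constructed values for 2024-01-01 00:00:00 UTC.
    shutdown = struct.pack("<Q", 133485408000000000)
    install_time = shutdown
    install_date = struct.pack("<I", 1704067200)
    print("ShutdownTime:", decode_filetime(shutdown))
    print("InstallDate :", decode_epoch(install_date))
    print("agree       :", install_times_agree(install_time, install_date))
    print(resolve_key_path("ControlSet00*\\Control\\Windows", struct.pack("<I", 1)))
```

The wildcard in the batch makes RECmd report every control set it finds; if ControlSet001 and ControlSet002 disagree, the one named by Select\Current is the configuration the system was actually running.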

Task 4 Answers

Task 5 RegRipper

  • Opening and analysing individual registry keys by hand is very time-consuming
  • RegRipper is useful here because it aggregates information from the different registry hives
  • RegRipper works as a collection of plugins
  • Each plugin reads the registry hive, extracts the data it is written to extract, and writes it into a report
  • Custom plugins can be written to parse data for your own needs
  • rr.exe is the RegRipper GUI and rip.exe is the command-line utility that runs individual plugins

Creating a report by ripping the SAM hive that was extracted with KAPE

Analysing the report file

Users in the Administrators group — Username : suspicious [1009], Username : 4n6lab [1008], Administrator [500] (the number in brackets is the account's RID: 500 is the built-in Administrator, and RIDs of 1000 and above belong to accounts created after installation)

Task 5 Answers

Task 6 Speeding up the analysis using KAPE and EZTools

Complete Forensic Package Acquisition and Processing

What is EZParser?

EZParser is the KAPE module that runs Eric Zimmerman's tools over a collection. It processes a wide array of forensic artefacts from Windows systems, such as the Master File Table (MFT), Prefetch files and the registry hives, among others, and produces CSV output that is easy to review and interpret. Together these tools let an analyst extract, parse and analyse data quickly and accurately.

EZViewer is used on this machine to view the generated CSV files, since Excel is not installed.

  1. The process is the same as acquiring the registry hives in the previous tasks, except that the KapeTriage target is chosen
  2. This target collects all the critical forensic artefacts from a Windows machine, such as the MFT, Prefetch files and the registry
  3. The collection is then used as the source for the EZParser module, which converts the collected data into clear, readable CSV files that make analysis easier
  4. After KAPE runs, we have parsed results from the key forensic artefacts on the Windows machine, organised into files and directories named after the information they contain. For collaboration during an incident, KAPE's batch mode lets other team members run the same collection and processing.
  5. This approach is highly effective for rapid triage of many machines and makes the analysis quick enough to contain an outbreak or a similar situation.

Note — when the Module source field is left empty, KAPE uses the target destination as the module source, so the modules run over the freshly collected triage data rather than over the live drive

Using Kape To Extract Data

Task 6 Answers

Task 7 Practical Challenge

Step 1 — Collecting data using KAPE

VPN found in the Known Networks CSV file

Another user that is a member of the Administrators group, found in the UserAccounts (SAM) CSV file

Step 2 — Using KAPE to acquire the registry hives to demonstrate Registry Explorer's use

Step 3 — Opening Registry Explorer and loading the newly extracted hives to find the OS registration details (RegisteredOwner and RegisteredOrganization under SOFTWARE\Microsoft\Windows NT\CurrentVersion) and the computer name

The computer name is stored at SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName. Note that an exported SYSTEM hive has no CurrentControlSet link of its own: the active set is ControlSet00N, where N is the value of SYSTEM\Select\Current, and that is where the key must be read in an offline hive.
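An added example, not code from the write-up or from EZParser, that decodes the raw NetworkList profile values behind the Known Networks output, including the NameType value that separates a VPN profile from wired and wireless ones. The two profiles in the block are constructed. The NameType labels follow the IANA ifType numbering the value uses (6 Ethernet, 23 PPP, 53 proprietary virtual, 71 IEEE 802.11); treating 23 and 53 as VPN is an assumption made here and should be confirmed against the tool's own output.

```python
"""Decode NetworkList profile values to separate VPN, wired and wireless networks.

Added example; not code from the original write-up or from EZParser/RECmd.
The known-networks output comes from SOFTWARE\\Microsoft\\Windows NT\\
CurrentVersion\\NetworkList\\Profiles\\{GUID}. Each profile stores ProfileName
and Description (REG_SZ), Category, Managed and NameType (REG_DWORD), and
DateCreated / DateLastConnected as 16-byte SYSTEMTIME structures.
The sample profiles below are constructed, not taken from a real system.
"""
import struct
from datetime import datetime

# NameType uses IANA ifType numbers; labelling 23 and 53 as VPN is an assumption here.
NAME_TYPES = {6: "Wired (Ethernet)", 23: "VPN/dial-up (PPP)", 53: "VPN (virtual adapter)", 71: "Wireless (802.11)"}
VPN_TYPES = {23, 53}
CATEGORIES = {0: "Public", 1: "Private", 2: "Domain"}


def decode_systemtime(raw):
    """SYSTEMTIME: eight little-endian WORDs; no zone is stored, so treat as the system's local time."""
    year, month, _weekday, day, hour, minute, second, millis = struct.unpack("<8H", raw)
    return datetime(year, month, day, hour, minute, second, millis * 1000)


def decode_profile(values):
    """values: {value_name: raw_bytes} for one Profiles\\{GUID} key (REG_SZ kept as UTF-16LE bytes)."""
    def sz(name):
        return values[name].decode("utf-16-le").rstrip("\x00")

    def dword(name):
        return struct.unpack("<I", values[name])[0]

    name_type = dword("NameType")
    return {
        "ProfileName": sz("ProfileName"),
        "Description": sz("Description"),
        "NameType": name_type,
        "NameTypeLabel": NAME_TYPES.get(name_type, f"unknown (0x{name_type:02x})"),
        "Category": CATEGORIES.get(dword("Category"), "unknown"),
        "Managed": bool(dword("Managed")),
        "DateCreated": decode_systemtime(values["DateCreated"]),
        "DateLastConnected": decode_systemtime(values["DateLastConnected"]),
    }


def vpn_profiles(profiles):
    """Profile names whose NameType marks them as VPN connections."""
    return [p["ProfileName"] for p in map(decode_profile, profiles.values()) if p["NameType"] in VPN_TYPES]


# Helpers that produce the on-disk encodings, used only to build the constructed sample.
def _sz(text):
    return (text + "\x00").encode("utf-16-le")


def _dword(n):
    return struct.pack("<I", n)


def _systemtime(dt):
    return struct.pack("<8H", dt.year, dt.month, dt.isoweekday() % 7, dt.day,
                       dt.hour, dt.minute, dt.second, dt.microsecond // 1000)


SAMPLE_PROFILES = {
    "{11111111-2222-3333-4444-555555555555}": {
        "ProfileName": _sz("Corp-WiFi"), "Description": _sz("Corp-WiFi"),
        "Category": _dword(1), "Managed": _dword(0), "NameType": _dword(71),
        "DateCreated": _systemtime(datetime(2024, 3, 4, 9, 15, 0)),
        "DateLastConnected": _systemtime(datetime(2024, 6, 1, 18, 2, 30)),
    },
    "{66666666-7777-8888-9999-000000000000}": {
        "ProfileName": _sz("vpn.example.test"), "Description": _sz("vpn.example.test"),
        "Category": _dword(0), "Managed": _dword(0), "NameType": _dword(23),
        "DateCreated": _systemtime(datetime(2024, 5, 20, 22, 41, 5)),
        "DateLastConnected": _systemtime(datetime(2024, 5, 21, 1, 3, 47)),
    },
}

if __name__ == "__main__":
    for guid, raw in SAMPLE_PROFILES.items():
        print(guid, decode_profile(raw))
    print("VPN profiles:", vpn_profiles(SAMPLE_PROFILES))
```

DateCreated and DateLastConnected carry no time-zone information, so compare them with other artefacts only after converting everything to the same zone.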

Task 7 Answers

Task 8 Conclusion

That’s a wrap for this room. Rounding it all up, we have learned:

  • Different tools to acquire forensic registry data.
  • Different tools that can be used to process collected registry data.
  • Leveraging these tools to speed up the analysis process.
  • Using our learnings from the Registry Forensics cheat sheet to answer different questions during an incident.
