TryHackMe: Windows Forensics 1 — Detailed Write-Up

Cindy (Shunxian) Ou
8 min read · Nov 1, 2023


Windows is one of the most widely used operating systems, so it’s likely that a significant portion of digital evidence in cybercrime cases will involve Windows systems. Understanding Windows forensics enables professionals to recover, preserve, and analyze critical digital evidence, which can be used in legal proceedings.

Link to the THM room: https://tryhackme.com/room/windowsforensics1

Task 2: Windows Registry and Forensics

What is the short form for HKEY_LOCAL_MACHINE?

HKLM

Task 3: Accessing registry hives offline

What is the path for the five main registry hives, DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM?

C:\Windows\System32\Config

What is the path for the AmCache hive?

C:\Windows\AppCompat\Programs\Amcache.hve

Task 6: System Information and System Accounts

What is the Current Build Number of the machine whose data is being investigated?

19044

Which ControlSet contains the last known good configuration?

1

What is the Computer Name of the computer?

THM-4n6

What is the value of the TimeZoneKeyName?

Pakistan Standard Time

What is the DHCP IP address?

192.168.100.58

What is the RID of the Guest User account?

501

Task 7: Usage or Knowledge of Files/Folders

When was EZtools opened?

2021-12-01 13:00:34

At what time was My Computer last interacted with?

2021-12-01 13:06:47

What is the Absolute Path of the file opened using notepad.exe?

C:\Program Files\Amazon\Ec2ConfigService\Settings

When was this file opened?

2021-11-30 10:56:19

Task 8: Evidence of Execution

How many times was the File Explorer launched?

26

What is another name for ShimCache?

AppCompatCache

Which of the artifacts also saves SHA1 hashes of the executed programs?

AmCache

Which of the artifacts saves the full path of the executed programs?

BAM/DAM

Task 9: External Devices/USB device forensics

What is the serial number of the device from the manufacturer ‘Kingston’?

1C6F654E59A3B0C179D366AE&

What is the name of this device?

Kingston Data Traveler 2.0 USB Device

What is the friendly name of the device from the manufacturer ‘Kingston’?

USB

Task 10: Hands-on Challenge

To tackle this challenge, let’s begin by running Registry Explorer (in the “triage” folder) as administrator. Once it’s open, we need to load the hives. Given the nature of the challenge questions, it is sufficient to load only SAM, SOFTWARE and SYSTEM from the C:\Windows\System32\Config directory. Note that when you attempt to load the SOFTWARE and SYSTEM hives, there might be a pop-up window about “Dirty hive detected”. You can choose “no” to “replay transaction logs against this hive” and “yes” to “load the dirty hive”. After that, you may encounter some red warning signs and text; please don’t panic (it’s okay).

Since the first three challenge questions are about user accounts, let’s investigate the Windows Security Accounts Manager (SAM) hive. The SAM in the Windows Registry is a crucial component of the Windows operating system, responsible for managing user account information, including usernames and password hashes.

How many user created accounts are present on the system?

3

What is the username of the account that has never been logged in?

thm-user2

What’s the password hint for the user THM-4n6?

count

Moving to the next challenge question, it’s about execution of a text file (.txt). When it comes to evidence of execution, we need look no further than NTUSER.DAT (covered in Task 8). To locate NTUSER.DAT, we can look in the C:\Users\<username>\ directory.

It’s important to note that making changes directly to the NTUSER.DAT file can be risky and is generally not recommended, as it can corrupt the user’s profile or cause other issues with it. For that reason NTUSER.DAT is hidden by default, and in order to access it for this task we must unhide it in File Explorer.

We then come back to the Registry Explorer and load the NTUSER.DAT hive.

After NTUSER.DAT is loaded, we can look into recent files by following this path “NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs”.
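As an added example (not part of the original write-up), here is how the RecentDocs key is put together and why only its most recent entry can be dated. The values and the key LastWrite time below are constructed, hypothetical data, not the room's hive.

```python
import struct

# Constructed sample of the values RegistryExplorer shows under
# NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt
# (hypothetical data, not the room's). Each numbered value holds the file name as
# NUL-terminated UTF-16LE followed by a shell-item blob; MRUListEx is a run of
# little-endian uint32 value indices, most recent first, ending in 0xFFFFFFFF.
def build_entry(name):
    """Build a constructed RecentDocs value: UTF-16LE name, NUL, opaque shell-item bytes."""
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x1f\x50" + b"\x00" * 16

SAMPLE_VALUES = {
    "0": build_entry("notes.txt"),
    "1": build_entry("Changelog.txt"),
    "2": build_entry("todo.txt"),
    "MRUListEx": struct.pack("<4I", 1, 2, 0, 0xFFFFFFFF),
}
SAMPLE_KEY_LAST_WRITE = "2021-11-24 18:18:48"  # constructed LastWrite time of the .txt key

def parse_mrulistex(blob):
    """Return value indices in MRU order, stopping at the 0xFFFFFFFF terminator."""
    order = []
    for off in range(0, len(blob) - 3, 4):
        idx = struct.unpack_from("<I", blob, off)[0]
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def entry_name(blob):
    """Extract the UTF-16LE file name that opens a RecentDocs value (up to the first double NUL)."""
    end = 0
    while end + 1 < len(blob) and blob[end:end + 2] != b"\x00\x00":
        end += 2
    return blob[:end].decode("utf-16-le")

def recent_docs(values, key_last_write):
    """List (rank, name, timestamp) in MRU order. Only the head of the list can be dated:
    the key's LastWrite time is refreshed when the MRU is rewritten, so it belongs to the
    most recent entry; older entries carry no timestamp of their own in this key."""
    out = []
    for rank, idx in enumerate(parse_mrulistex(values["MRUListEx"])):
        out.append((rank, entry_name(values[str(idx)]), key_last_write if rank == 0 else None))
    return out
```

For anything below the head of the MRU list, the access time has to come from another artifact (the matching .lnk file or a per-extension subkey whose head it is).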

When was the file ‘Changelog.txt’ accessed?

2021-11-24 18:18:48

When you look under the NTUSER.DAT hive, there are many options for investigating recent execution of files, including UserAssist, ShimCache, AmCache and BAM/DAM.

UserAssist is a component that records the usage of applications by individual users. It stores information about which applications a user has run and how frequently they have been used. ShimCache, or Application Compatibility Cache, is used to improve the compatibility of older applications with newer Windows versions. It records information about executed applications and their associated DLLs. AmCache is another component related to application compatibility. It records data about installed applications, their versions, and their execution history. BAM and DAM are related to the management of applications and devices on Windows systems, particularly in Windows 8 and later versions. BAM records information about applications that use background tasks, while DAM records information about device applications.

Given the descriptions of these components, we can start with UserAssist.

UserAssist looks like a dead end, and if you try ShimCache, AmCache or BAM/DAM, unfortunately you won’t find anything useful either. Time to be a bit innovative. Since Python is an application, let’s see if we have any luck searching for the keyword “Apps” in the search bar. The key titled “RecentApps” seems interesting, and it turns out to be exactly where we can locate information about the python 3.8.2 installer.

What is the complete path from where the python 3.8.2 installer was run?

Z:\setups\python-3.8.2.exe

When it comes to any USB or removable drives that were attached to the machine, we need look no further than the SYSTEM and SOFTWARE hives. Specifically, since we are given the name of the device (its friendly name is USB), we can start with the SOFTWARE\Microsoft\Windows Portable Devices\Devices key.

There we are able to find the GUID of the device with the friendly name “USB”. Next, go back to the device identification location (SYSTEM\CurrentControlSet\Enum\USBSTOR or SYSTEM\CurrentControlSet\Enum\USB) to find information such as the first and last time it was connected to the machine.
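The friendly-name-to-USBSTOR correlation described above, as an added example that is not part of the original write-up: the WPD\Devices subkey name carries the same device id and serial that form the USBSTOR path, and the connect/remove times live as FILETIME values under that entry's Properties key. All registry data here is constructed (modelled on the room's Kingston device) rather than read from a hive.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample of the keys the walkthrough visits (hypothetical data modelled on
# the room's Kingston device, not copied from a real hive).
# 1) SOFTWARE\Microsoft\Windows Portable Devices\Devices: subkey name -> FriendlyName value
WPD_DEVICES = {
    "SWD#WPDBUSENUM#_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP"
    "#1C6F654E59A3B0C179D366AE&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}": "USB",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt):
    """Encode a UTC datetime as 8-byte little-endian FILETIME (100 ns ticks since 1601); sample-building only."""
    return struct.pack("<Q", ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10)

# 2) SYSTEM\CurrentControlSet\Enum\USBSTOR\<device>\<serial>\Properties\{83da6326-97a6-4088-9453-a1923f573b29}
#    value 0066 = last arrival (connected), 0067 = last removal; both are REG_BINARY FILETIMEs.
USBSTOR = {
    ("Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP", "1C6F654E59A3B0C179D366AE&0"): {
        "0066": to_filetime(datetime(2021, 11, 24, 18, 40, 6, tzinfo=timezone.utc)),
        "0067": to_filetime(datetime(2021, 11, 24, 19, 2, 15, tzinfo=timezone.utc)),
    },
}

def filetime_to_str(raw):
    """Decode a FILETIME blob to 'YYYY-MM-DD HH:MM:SS' UTC, the form RegistryExplorer displays."""
    ticks = struct.unpack("<Q", raw)[0]
    return (FILETIME_EPOCH + timedelta(microseconds=ticks // 10)).strftime("%Y-%m-%d %H:%M:%S")

def wpd_instance(subkey):
    """Pull (device_id, serial) out of a WPD Devices subkey name for matching against USBSTOR."""
    m = re.search(r"USBSTOR#([^#]+)#([^#]+)#", subkey, re.IGNORECASE)
    return (m.group(1), m.group(2)) if m else None

def usb_history(friendly_name):
    """Resolve a friendly name to its USBSTOR entry and return the last connect/remove times."""
    for subkey, name in WPD_DEVICES.items():
        if name != friendly_name:
            continue
        inst = wpd_instance(subkey)
        if inst is None:
            continue
        for (dev_id, serial), props in USBSTOR.items():
            # registry paths are case-insensitive, so compare case-folded
            if (dev_id.lower(), serial.lower()) == (inst[0].lower(), inst[1].lower()):
                return {"serial": serial,
                        "last_connected": filetime_to_str(props["0066"]),
                        "last_removed": filetime_to_str(props["0067"])}
    return None
```

The times are UTC as stored; convert with the TimeZoneKeyName from Task 6 only when you need local wall-clock time.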

When was the USB device with the friendly name ‘USB’ last connected?

2021-11-24 18:40:06

The end, at least for now. Happy learning.
