Practical Windows Forensics


The go-to methodology to get up and running with forensics is as follows:

  • Extract evidence (acquire the disk image and, where available, a memory image, and hash both)
  • Mount the image with Arsenal Image Mounter
  • Parse the mounted volume with KAPE into a case folder (C:\Cases\Analysis is used below)
  • Examine the registry with RegRipper and write the findings to text files for further searching

Forensics Process


The forensics process can broadly be classified into the following steps:

  • Data identification
  • Data acquisition
  • Integrity verification (hash the evidence at acquisition and re-hash it at the end to show it was not altered)


Windows OS: Sources of Evidence

Fundamental sources of forensics evidence:

  • Memory
  • Disk
    • NTFS
    • Windows Registry
    • Windows Event logs
    • Other windows artifacts

Disk Analysis Process

  • System and user information

    • Registry
  • File analysis

    • NTFS
  • Evidence of execution

    • Background Activity Moderator
    • Shimcache
    • Amcache
    • Prefetch
  • Persistence Mechanisms

    • Run Keys
    • Startup Folder
    • Scheduled tasks
    • Services
  • Event Log Analysis

Windows Registry

The registry is a hierarchical database of keys and values, stored on disk as hive files.

  • HKEY_CURRENT_USER is a symbolic link to the logged-on user's subkey under HKEY_USERS (HKU\<SID>), backed by that user's NTUSER.DAT
  • HKEY_CLASSES_ROOT is a merged view of HKLM\Software\Classes and HKCU\Software\Classes (file associations, COM registrations); the per-user half is backed by UsrClass.dat
  • HKEY_LOCAL_MACHINE stores details about the system and is backed by the SECURITY, SOFTWARE, SYSTEM and SAM hive files

Once you have extracted evidence using KAPE, you can find the system hive files under Windows\System32\config.
A user only has a profile (and therefore NTUSER.DAT and UsrClass.dat) on the system if they logged on interactively, i.e. at the console or over RDP; a pure network logon such as SMB share access does not create one.

The NTUSER.DAT file gives you user-specific information and can be found at Users > <username> > NTUSER.DAT (Users > IEUser > NTUSER.DAT for the sample image).

The UsrClass.dat file holds the user's part of HKEY_CLASSES_ROOT (and the ShellBags) and can be found at Users > IEUser > AppData > Local > Microsoft > Windows > UsrClass.dat.

Transaction log files (hive.LOG1 and hive.LOG2 next to each hive) record changes to keys and values that have not yet been committed to the hive file; tools such as Registry Explorer can replay them so the parsed hive reflects the latest state, and RegRipper warns when a hive is "dirty".


Plugin       Function                     Example
winver       Windows version              rip.exe -r C:\Cases\Analysis\Registry\SOFTWARE -p winver
timezone     Timezone                     rip.exe -r C:\Cases\Analysis\Registry\SYSTEM -p timezone
nic2         Network interfaces           rip.exe -r C:\Cases\Analysis\Registry\SYSTEM -p nic2
networklist  Networks/APs connected to    rip.exe -r C:\Cases\Analysis\Registry\SOFTWARE -p networklist
shutdown     Last shutdown time           rip.exe -r C:\Cases\Analysis\Registry\SYSTEM -p shutdown
defender     Windows Defender settings    rip.exe -r C:\Cases\Analysis\Registry\SOFTWARE -p defender

Before automating RegRipper, unhide the user-specific hives UsrClass.dat and NTUSER.DAT: they carry the hidden (and system) attribute, and the wildcard in the for loop below skips hidden files. attrib * lists the current attributes; if attrib answers "Not resetting system file", add -s as well:

attrib *
attrib -h UsrClass.dat
attrib -h NTUSER.dat

To automate RegRipper, loop over every file under the registry folder and let rip.exe -a pick the plugins that match each hive type, storing the output in a text file next to the hive. Quote %i because case paths often contain spaces, write %%i instead of %i inside a .bat file, and run the loop in a folder that holds only hives, since the wildcard also matches .LOG1/.LOG2 transaction logs and any .txt output already produced:

for /r %i in (*) do (C:\Tools\RegRipper\RegRipper3.0-master\rip.exe -r "%i" -a > "%i.txt")
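The same automation in Python, as an added example that is not code from the original post: it walks the case folder (os.walk sees hidden files, so the attrib step is not needed), skips transaction logs and earlier output, runs rip.exe -a per hive with a properly quoted argv, and then greps the resulting text files for the keywords the later sections look for (taskcache, computername, shutdowntime). The rip.exe and C:\Cases\Analysis\Registry paths are taken from the page; everything else is an assumption of this example.

```python
"""Run RegRipper over every hive below a case folder and grep the results.

Added example, not code from the original post. Assumptions: RegRipper 3.0's rip.exe is
at RIP_EXE and the hives that KAPE extracted sit under HIVE_ROOT (both paths as used on
the page), each possibly next to its .LOG1/.LOG2 transaction logs. os.walk, unlike
`for /r %i in (*)`, also returns hidden files such as NTUSER.DAT, so no attrib step is needed.
"""
import os
import re
import subprocess
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Tuple

RIP_EXE = r"C:\Tools\RegRipper\RegRipper3.0-master\rip.exe"  # assumed install path
HIVE_ROOT = r"C:\Cases\Analysis\Registry"                    # assumed KAPE output folder

# Files that sit next to hives but must not be fed to rip.exe: transaction logs,
# the registry's own metadata files and earlier .txt output from this script.
SKIP_SUFFIXES = (".log", ".log1", ".log2", ".blf", ".regtrans-ms", ".txt")


def select_hives(paths: Iterable[str]) -> List[str]:
    """Keep the hive files themselves (SYSTEM, SOFTWARE, NTUSER.DAT, ...) and drop the rest."""
    return [p for p in paths
            if not PureWindowsPath(p).name.lower().endswith(SKIP_SUFFIXES)]


def rip_command(hive: str, rip_exe: str = RIP_EXE) -> List[str]:
    """argv for one hive: -a lets rip.exe pick the plugins matching the hive type.
    Passing a list (no shell) sidesteps the quoting problems of paths with spaces."""
    return [rip_exe, "-r", hive, "-a"]


def output_path(hive: str) -> str:
    """Same naming as the page's batch loop: <hive>.txt next to the hive."""
    return hive + ".txt"


def walk_hives(root: str) -> List[str]:
    """All hive files under root, hidden ones included."""
    found = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return select_hives(sorted(found))


def run_regripper(root: str = HIVE_ROOT, rip_exe: str = RIP_EXE) -> Dict[str, int]:
    """Run rip.exe -a on every hive, write <hive>.txt, return {hive: exit code}."""
    results: Dict[str, int] = {}
    for hive in walk_hives(root):
        with open(output_path(hive), "w", encoding="utf-8", errors="replace") as out:
            proc = subprocess.run(rip_command(hive, rip_exe), stdout=out,
                                  stderr=subprocess.PIPE, text=True)
        results[hive] = proc.returncode
        if proc.stderr.strip():  # e.g. a "dirty" hive whose transaction logs were never replayed
            print(f"[{PureWindowsPath(hive).name}] {proc.stderr.strip()[:200]}")
    return results


def grep_lines(text: str, pattern: str) -> List[Tuple[int, str]]:
    """Case-insensitive search of one output file; returns (line number, line) pairs."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [(n, line) for n, line in enumerate(text.splitlines(), start=1) if rx.search(line)]


def search_output(root: str, pattern: str) -> Dict[str, List[Tuple[int, str]]]:
    """Search every <hive>.txt under root, e.g. search_output(HIVE_ROOT, r"taskcache")."""
    hits: Dict[str, List[Tuple[int, str]]] = {}
    for d, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(".txt"):
                path = os.path.join(d, f)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = grep_lines(fh.read(), pattern)
                if found:
                    hits[path] = found
    return hits


if __name__ == "__main__":
    for hive, rc in run_regripper().items():
        print(f"{rc:>3}  {hive}")
    for path, lines in search_output(HIVE_ROOT, r"taskcache|computername|shutdowntime").items():
        for n, line in lines:
            print(f"{path}:{n}: {line}")
```

Run it from a Windows prompt with RegRipper installed; the grep helper is what turns the per-hive text files into the "Starting Point" checklist below, one pattern per item.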

Starting Point

System Information

Values to pull from the SYSTEM and SOFTWARE hives first (on an offline SYSTEM hive, CurrentControlSet is not resolved for you: read HKLM\SYSTEM\Select\Current, usually 1, and use ControlSet001):

  • Computername:
    HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
  • Windows Version:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\
  • Timezone:
    HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
  • Network Information:
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces (adapters and addresses)
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles (networks the host joined)
  • Shutdown time:
    HKLM\SYSTEM\CurrentControlSet\Control\Windows\ShutdownTime (a 64-bit FILETIME)
  • Defender settings:
    HKLM\Software\Microsoft\Windows Defender\

Windows Services

HKLM\SYSTEM\CurrentControlSet\Services (one subkey per service; check ImagePath, Start and Type, and correlate with System log event 7045 for newly installed services)

Scheduled Tasks

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree

  • C:\Windows\System32\Tasks (the task definition XML files)

From the RegRipper output, search for taskcache.

Autoruns (Sysinternals, Mark Russinovich) can also be pointed at the mounted image (File > Analyze Offline System) to list services, scheduled tasks, run keys, startup folder entries and other autostart locations in one view; note that it shows what is configured to start, not what actually ran.

Windows Event Log Analysis

Path: C:\Windows\System32\winevt\Logs
The event ID for logons is 4624 (Security log)
Catch up on 4624 here

Logon type 5 (service logon) is usually discarded: it is generated every time a service starts under its configured account, so it is noise for most investigations.
We pay attention to:

  • logon type 2 (interactive, at the console),
  • 3 (network, e.g. SMB share access) and
  • 10 (remote interactive, e.g. through RDP)

Here is a cheatsheet for important event IDs:

Log / Provider                       Event ID   Meaning
Microsoft-Windows-Windows Defender   5000       Real-time protection enabled
Microsoft-Windows-Windows Defender   5001       Real-time protection disabled
System                               7045       A new service was installed
Security                             4624       An account was successfully logged on
Windows PowerShell                   400        Engine state changed from None to Available (PowerShell started)
Microsoft-Windows-Sysmon             1          Process creation
Microsoft-Windows-Sysmon             3          Network connection
Microsoft-Windows-Sysmon             11         File create
Microsoft-Windows-Sysmon             12, 13     Registry events (12 key created/deleted, 13 value set)
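The triage rule above (drop type 5 logons, keep 2/3/10, flag the cheatsheet events) as working code, added here and not taken from the original post. It parses events in the standard EVTX XML schema (what Get-WinEvent's .ToXml() or an EvtxECmd XML export produce); the sample events are constructed for illustration, and the provider names used as keys are the ones that appear in the <Provider Name=...> element of each log.

```python
"""Triage exported Windows event XML with the cheat sheet above.

Added example, not code from the original post. Assumptions: events are in the standard
EVTX XML schema and the sample events below are constructed. Security 4624 events are
filtered by logon type as the text describes: type 5 dropped, 2/3/10 kept and labelled.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# (provider name, event id) -> meaning; providers as found in <Provider Name="...">
CHEATSHEET = {
    ("Microsoft-Windows-Windows Defender", 5000): "Defender real-time protection enabled",
    ("Microsoft-Windows-Windows Defender", 5001): "Defender real-time protection disabled",
    ("Service Control Manager", 7045): "A new service was installed",
    ("Microsoft-Windows-Security-Auditing", 4624): "An account was successfully logged on",
    ("PowerShell", 400): "PowerShell engine started",
    ("Microsoft-Windows-Sysmon", 1): "Process creation",
    ("Microsoft-Windows-Sysmon", 3): "Network connection",
    ("Microsoft-Windows-Sysmon", 11): "File create",
    ("Microsoft-Windows-Sysmon", 12): "Registry key created/deleted",
    ("Microsoft-Windows-Sysmon", 13): "Registry value set",
}
LOGON_TYPES = {2: "interactive", 3: "network", 10: "remote interactive (RDP)"}
IGNORED_LOGON_TYPES = {5}  # service logons: one per service start, noise for most cases


def parse_event(xml_text: str) -> Dict:
    """Flatten one <Event> into provider, id, time, computer and its EventData fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    return {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.find("e:EventID", NS).text),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "computer": system.findtext("e:Computer", default="", namespaces=NS),
        "data": {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)},
    }


def _detail(ev: Dict) -> str:
    """Pick the one field worth showing for non-logon events."""
    d = ev["data"]
    if ev["event_id"] == 7045:
        return f"{d.get('ServiceName', '?')} -> {d.get('ImagePath', '?')}"
    for key in ("Image", "CommandLine", "TargetFilename", "TargetObject"):  # Sysmon fields
        if key in d:
            return d[key]
    return ""


def triage(events: List[Dict]) -> List[Tuple[str, int, str, str]]:
    """Return (time, event id, meaning, detail) for cheat-sheet events, oldest first."""
    findings = []
    for ev in events:
        key = (ev["provider"], ev["event_id"])
        if key not in CHEATSHEET:
            continue
        if key == ("Microsoft-Windows-Security-Auditing", 4624):
            d = ev["data"]
            ltype = int(d.get("LogonType", -1))
            if ltype in IGNORED_LOGON_TYPES:
                continue
            detail = (f"{d.get('TargetDomainName', '')}\\{d.get('TargetUserName', '')} "
                      f"logon type {ltype} ({LOGON_TYPES.get(ltype, 'other')}) "
                      f"from {d.get('IpAddress', '-')}")
        else:
            detail = _detail(ev)
        findings.append((ev["time"], ev["event_id"], CHEATSHEET[key], detail))
    return sorted(findings)


def _evt(provider: str, event_id: int, time: str, **data) -> str:
    """Build a constructed event in the EVTX XML schema (sample input, not a real log)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}"/>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{time}"/>'
            f'<Computer>WIN10-IE</Computer></System><EventData>{fields}</EventData></Event>')


SAMPLE_EVENTS = [  # constructed
    _evt("Microsoft-Windows-Security-Auditing", 4624, "2024-03-01T08:00:00Z",
         TargetDomainName="WIN10-IE", TargetUserName="IEUser", LogonType=2, IpAddress="-"),
    _evt("Microsoft-Windows-Security-Auditing", 4624, "2024-03-01T08:00:05Z",
         TargetDomainName="NT AUTHORITY", TargetUserName="SYSTEM", LogonType=5, IpAddress="-"),
    _evt("Microsoft-Windows-Windows Defender", 5001, "2024-03-01T09:10:00Z"),
    _evt("Service Control Manager", 7045, "2024-03-01T09:12:00Z",
         ServiceName="UpdaterSvc", ImagePath=r"C:\Windows\Temp\upd.exe", StartType="auto start"),
    _evt("Microsoft-Windows-Security-Auditing", 4624, "2024-03-01T09:30:00Z",
         TargetDomainName="WIN10-IE", TargetUserName="Administrator", LogonType=10, IpAddress="10.0.0.5"),
]

if __name__ == "__main__":
    for time, eid, meaning, detail in triage([parse_event(x) for x in SAMPLE_EVENTS]):
        print(f"{time}  {eid:>5}  {meaning}: {detail}")
```

On a real export, feed parse_event one <Event> string per record; the type 5 SYSTEM logon in the sample disappears from the output while the console logon, the Defender disable, the new service and the RDP logon remain, in time order.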

Windows Memory Forensic Analysis

To analyze a Windows memory image, use Volatility 3 (the vol command; the sample image is a VMware snapshot named DFIR Windows-Snapshot4.vmem, hence the escaped space). Start by identifying the OS build so the right symbol table is loaded:

vol -f DFIR\ Windows-Snapshot4.vmem windows.info

view processes as tree

vol -f DFIR\ Windows-Snapshot4.vmem windows.pstree

examine specific process id

vol -f DFIR\ Windows-Snapshot4.vmem windows.pslist --pid 5068

dump process

vol -f DFIR\ Windows-Snapshot4.vmem windows.pslist --pid 5068 --dump

check dlls for suspicious process

vol -f DFIR\ Windows-Snapshot4.vmem windows.dlllist --pid 6436 > dlls.txt

dump dlls

vol -f DFIR\ Windows-Snapshot4.vmem windows.dlllist --pid 6436 --dump

see who owns processes through sids for multiple pids

vol -f DFIR\ Windows-Snapshot4.vmem windows.getsids --pid 6436 5068

list the options of the registry printkey plugin (offset, key, recurse)

vol -f DFIR\ Windows-Snapshot4.vmem windows.registry.printkey -h

list registry hives

vol -f DFIR\ Windows-Snapshot4.vmem windows.registry.hivelist

using a hive offset from the hivelist output, print a key inside that hive (here the AtomicRedTeam key)

vol -f DFIR\ Windows-Snapshot4.vmem windows.registry.printkey --offset 0xce8afd3e8000 --key AtomicRedTeam

In the hivelist output the user hives are the ones whose path lies under the user's profile: ntuser.dat, and UsrClass.dat for the Classes subkey (HKCU\Software\Classes).


Running timeliner with --create-bodyfile writes the timeline in mactime bodyfile format (volatility.body in the current directory), which mactime from The Sleuth Kit turns into a sorted CSV timeline for review in Timeline Explorer; the command below is run from WSL, hence the /mnt/c path.

# timeline with volatility
vol -f /mnt/c/Cases/Analysis/Memory/DFIR\ Windows-Snapshot4.vmem timeliner --create-bodyfile
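A small reader for that bodyfile, added here as an example and not code from the original post or from Volatility: it parses the standard 11-field bodyfile layout (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, epoch seconds), expands each line into one row per distinct timestamp with mactime-style MACB letters, and lets you narrow the result to a window around a pivot time. The sample lines are constructed; the text Volatility puts in the name field varies by plugin and version, so only the field positions are relied on.

```python
"""Read the mactime bodyfile written by `vol ... timeliner --create-bodyfile`.

Added example, not code from the original post. Assumptions: the file uses the standard
11-field bodyfile layout (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime,
epoch seconds, unset timestamps 0 or -1); the sample lines below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")
# mactime's MACB letters, in output order: m=mtime a=atime c=ctime(change) b=crtime(birth)
FLAGS = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))

SAMPLE_BODYFILE = r"""
0|[PsList] Process: powershell.exe (5068) Parent: explorer.exe (3412)|0|0|0|0|0|-1|-1|-1|1709280000
0|[Registry] Key: \??\C:\Users\IEUser\ntuser.dat\Software\AtomicRedTeam|0|0|0|0|0|-1|1709280090|-1|-1
0|[PsList] Process: cmd.exe (6436) Parent: powershell.exe (5068)|0|0|0|0|0|-1|-1|-1|1709280120
"""


@dataclass(frozen=True)
class TimelineRow:
    when: datetime   # UTC
    macb: str        # e.g. "...b" = only the birth/creation time falls at this instant
    source: str      # the bodyfile name field (plugin plus description)


def parse_bodyfile_line(line: str) -> Dict[str, str]:
    """Split one pipe-delimited line into the 11 named fields."""
    parts = line.rstrip("\r\n").split("|")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def _epoch(value: str) -> Optional[int]:
    try:
        ts = int(value)
    except ValueError:
        return None
    return ts if ts > 0 else None   # 0 and -1 mean "not set"


def expand(entry: Dict[str, str]) -> List[TimelineRow]:
    """One row per distinct timestamp, carrying the MACB letters that share it (as mactime does)."""
    by_ts: Dict[int, set] = {}
    for field, flag in FLAGS:
        ts = _epoch(entry[field])
        if ts is not None:
            by_ts.setdefault(ts, set()).add(flag)
    return [TimelineRow(datetime.fromtimestamp(ts, tz=timezone.utc),
                        "".join(f if f in flags else "." for _, f in FLAGS),
                        entry["name"])
            for ts, flags in sorted(by_ts.items())]


def build_timeline(text: str, start: Optional[str] = None,
                   end: Optional[str] = None) -> List[TimelineRow]:
    """Sorted timeline, optionally limited to an ISO-8601 window with offset, e.g.
    start="2024-03-01T08:01:00+00:00", to pivot around a suspicious event."""
    lo = datetime.fromisoformat(start) if start else None
    hi = datetime.fromisoformat(end) if end else None
    rows: List[TimelineRow] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rows.extend(expand(parse_bodyfile_line(line)))
    rows = [r for r in rows if (lo is None or r.when >= lo) and (hi is None or r.when <= hi)]
    return sorted(rows, key=lambda r: r.when)


if __name__ == "__main__":
    for row in build_timeline(SAMPLE_BODYFILE):
        print(f"{row.when:%Y-%m-%d %H:%M:%S}  {row.macb}  {row.source}")
```

Point build_timeline at the contents of volatility.body to get the same sorted view mactime would print; the window arguments are what you reach for once a pivot (a process creation time, a registry key write) has been found in the pslist or printkey output above.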

EZ Tools CheatSheet

Here is a cheatsheet to EZ tools


This serves as an introduction to Windows Forensics in a practical format that you can use to get up and running when you need to carry out a Digital Forensics Investigation.


This post is licensed under CC BY 4.0 by the author.
