General advice on Autopsy / Registry

Any Autopsy specific discussions, events, module releases, that don't fall into the other categories.

Moderator: carrier

General advice on Autopsy / Registry

Postby superd » Thu Jul 20, 2017 6:17 pm

Hi Guys,

I am trying to learn forensics as a hobby and have a sample windows 7 image (full of interesting info) fired up on Autopsy.

Im using a NIST image and question sheet:

https://www.cfreds.nist.gov/data_leakag ... -case.html

However from the 60 or so questions at the bottom of that URL i.e. information on software installed, when its was installed, user accounts last logged in, what actions user accounts took etc etc., i am really struggling to find this information.

Am i right in assuming its stored in the registry? Problem is i dont see how its possible to easily browse the registry using autopsy. I just see a bunch of registry files.

Could someone advise my what is the most efficient way to use autopsy, or recommend a method or 3rd party tool for extracting the information i need?

Thanks guys,

Dave
superd
 
Posts: 1
Joined: Thu Jul 20, 2017 6:06 pm

Re: General advice on Autopsy / Registry

Postby Hoyt » Thu Mar 01, 2018 2:28 pm

For registry specifics, look toward the bottom of Tree Viewer under "Reports". You'll find the technical output from RegRipper here in the form of text files. Notepad++ (NPP) helps make short work of these as it has very robust search features. You'll need to know which hive holds the information your're looking for, then export. Open it in NPP and Ctrl+f to access search. Bear in mind that there typically are both original and backup hives, so look for these in the technical reports. You can navigate to each hive file's entry using Tree Viewer in the Autopsy UI to check modified/accessed/created/changed (MACC) dates/times for disparity comparison between original and backups.

To help you, here's a short guide on artifacts by hive:
SYSTEM Hive:
Current Control Set
Last Access Update (search for "disablelastaccess")
Clear Page File (search for "clearpagefile"; see pagefile.sys in Autopsy UI)
Timezone Information (search for "timezone")
Last Shutdown Time (search for "shutdowntime")
Mounted Devices (search for "mounteddevices"; see Autopsy UI under Results > Extracted Content > Devices Attached)

SOFTWARE
User Accounts/SID (see Autopsy UI under Results > Extracted Content > Operating System User Account)
Operating System Information (select SOFTWARE hive in Content Viewer, read info under Results tab; search for "currentversion" with NPP to get the actual version number - 6.3 in your case)
Registered Owner, Organization, Users (same as Operating System Information previously)

NTUSER.DAT
MRU Documents/Folders (search for "recentdocs";see Autopsy UI under Results > Extracted Content > Recent Documents)
Typed URLs (search for "typedurls")
User Assist (search for "userassist")

There are lots of other artifacts in these and other hives that can be discovered this way. The guide I wrote should provide enough of a walk-thru to help you craft your own searches for artifacts I didn't cover.

Hoyt
Hoyt Harness, CFCE
Hoyt
 
Posts: 74
Joined: Thu Dec 11, 2014 4:02 am
Location: Little Rock, AR


Return to Autopsy General

Who is online

Users browsing this forum: No registered users and 1 guest