TryHackMe: Windows Forensics 1 Walkthrough (AO)
This post will only include conclusions and not my thoughts
Task 1: Introduction to Window Forensics
What is the most used Desktop Operating System right now?
Microsoft Windows
Task 2: Windows Registry and Forensics
What is the short form for HKEY_LOCAL_MACHINE?
HKLM
Task 3: Accessing registry hives offline
What is the path for the five main registry hives, DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM?
C:\Windows\System32\Config
What is the path for the AmCache hive?
C:\Windows\AppCompat\Programs\Amcache.hve
Task 6: System Information and System Accounts
What is the Current Build Number of the machine whose data is being investigated?
19044
Which ControlSet contains the last known good configuration?
1
What is the Computer Name of the computer?
THM-4n6
What is the value of the TimeZoneKeyName?
Pakistan Standard Time
What is the DHCP IP address
192.168.100.58
What is the RID of the Guest User account?
501
Task 7: Usage or Knowledge of Files/Folders
When was EZtools opened?
2021-12-01 13:00:34
At what time was My Computer last interacted with?
2021-12-01 13:06:47
What is the Absolute Path of the file opened using notepad.exe?
C:\Program Files\Amazon\Ec2ConfigService\Settings
When was this file opened?
2021-11-30 10:56:19
Task 8: Evidence of Execution
How many times was the File Explorer launched?
26
What is another name for ShimCache?
AppCompatCache
Which of the artifacts also saves SHA1 hashes of the executed programs?
AmCache
Which of the artifacts saves the full path of the executed programs?
BAM/DAM
Task 9: External Devices/USB device forensics
What is the serial number of the device from the manufacturer ‘Kingston’?
1C6f654E59A3B0C179D366AE&0
What is the name of this device?
Kingston Data Traveler 2.0 USB Device
What is the friendly name of the device from the manufacturer, ‘Kingston’?
USB
Task 10: Hands-on Challenge
Scenario:
One of the Desktops in the research lab at Organization X is suspected to have been accessed by someone unauthorized. Although they generally have only one user account per Desktop, there were multiple user accounts observed on this system. It is also suspected that the system was connected to some network drive, and a USB device was connected to the system. The triage data from the system was collected and placed on the attached VM. Can you help Organization X with finding answers to the below questions?
Note: When loading registry hives in RegistryExplorer, it will caution us that the hives are dirty. This is nothing to be afraid of. We just need to remember the little lesson about transaction logs and point RegistryExplorer to the .LOG1 and .LOG2 files with the same filename as the registry hive. It will automatically integrate the transaction logs and create a ‘clean’ hive. Once we tell RegistryExplorer where to save the clean hive, we can use that for our analysis, and we won’t need to load the dirty hives anymore. RegistryExplorer will guide you through this process.
How many user created accounts are present on the system?
3
What is the username of the account that has never been logged in?
thm-user2
What’s the password hint for the user THM-4n6?
count
When was the file ‘Changelog.txt’ accessed?
2021-11-21 18:18:48
What is the complete path from where the python 3.8.2 installer was run?
Z:\setups\python-3.8.2.exe
When was the USB device with the friendly name ‘USB’ last connected?
2021-11-24 18:40:06