TryHackMe: Windows Forensics 1 Walkthrough (AO)
This post will only include conclusions and not my thoughts
Task 1: Introduction to Window Forensics
What is the most used Desktop Operating System right now?
Microsoft WindowsTask 2: Windows Registry and Forensics
What is the short form for HKEY_LOCAL_MACHINE?
HKLMTask 3: Accessing registry hives offline
What is the path for the five main registry hives, DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM?
C:\Windows\System32\ConfigWhat is the path for the AmCache hive?
C:\Windows\AppCompat\Programs\Amcache.hveTask 6: System Information and System Accounts
What is the Current Build Number of the machine whose data is being investigated?
19044Which ControlSet contains the last known good configuration?
1What is the Computer Name of the computer?
THM-4n6What is the value of the TimeZoneKeyName?
Pakistan Standard TimeWhat is the DHCP IP address
192.168.100.58What is the RID of the Guest User account?
501Task 7: Usage or Knowledge of Files/Folders
When was EZtools opened?
2021-12-01 13:00:34At what time was My Computer last interacted with?
2021-12-01 13:06:47What is the Absolute Path of the file opened using notepad.exe?
C:\Program Files\Amazon\Ec2ConfigService\SettingsWhen was this file opened?
2021-11-30 10:56:19Task 8: Evidence of Execution
How many times was the File Explorer launched?
26What is another name for ShimCache?
AppCompatCacheWhich of the artifacts also saves SHA1 hashes of the executed programs?
AmCacheWhich of the artifacts saves the full path of the executed programs?
BAM/DAMTask 9: External Devices/USB device forensics
What is the serial number of the device from the manufacturer ‘Kingston’?
1C6f654E59A3B0C179D366AE&0What is the name of this device?
Kingston Data Traveler 2.0 USB DeviceWhat is the friendly name of the device from the manufacturer, ‘Kingston’?
USBTask 10: Hands-on Challenge
Scenario:
One of the Desktops in the research lab at Organization X is suspected to have been accessed by someone unauthorized. Although they generally have only one user account per Desktop, there were multiple user accounts observed on this system. It is also suspected that the system was connected to some network drive, and a USB device was connected to the system. The triage data from the system was collected and placed on the attached VM. Can you help Organization X with finding answers to the below questions?
Note: When loading registry hives in RegistryExplorer, it will caution us that the hives are dirty. This is nothing to be afraid of. We just need to remember the little lesson about transaction logs and point RegistryExplorer to the .LOG1 and .LOG2 files with the same filename as the registry hive. It will automatically integrate the transaction logs and create a ‘clean’ hive. Once we tell RegistryExplorer where to save the clean hive, we can use that for our analysis, and we won’t need to load the dirty hives anymore. RegistryExplorer will guide you through this process.
How many user created accounts are present on the system?
3What is the username of the account that has never been logged in?
thm-user2What’s the password hint for the user THM-4n6?
countWhen was the file ‘Changelog.txt’ accessed?
2021-11-21 18:18:48What is the complete path from where the python 3.8.2 installer was run?
Z:\setups\python-3.8.2.exeWhen was the USB device with the friendly name ‘USB’ last connected?
2021-11-24 18:40:06
