Registry lab

School: Eastern Michigan University
Course: 427
Subject: Information Systems
Date: Dec 6, 2023
Type: pdf
Pages: 4
Uploaded by ColonelStrawHare38 on coursehero.com

Name: Julio Barros

This is a walkthrough lab; there will not be a corresponding video.

Activity 1: How to read an offline Registry file with Windows Registry Recovery.

(Read) ARTIFACTS IN THE REGISTRY

Aside from containing configuration settings for a Windows-based system, the Windows Registry contains a wealth of data about system usage. Users might think twice if they knew how much information is retained in the collective set of files known as the Registry. Since manipulating the Registry is something the typical computer user does not do, the data found in the Registry is considered inherently more reliable (although not perfect) than user data files.

Two of the forensic (4N6) goals when analyzing the Registry are:
1. Knowing what data is stored in the Registry.
2. Retrieving that data in a usable format.

On Windows computer systems with large storage capacities, some investigators find examining the Registry to be an effective triage step, because it is easier to recover all of the Registry files and focus on them than to physically acquire a multi-terabyte drive.

The Windows Registry is composed of the following data files (hives):
C:\Windows\system32\config\default
C:\Windows\system32\config\SAM
C:\Windows\system32\config\SECURITY
C:\Windows\system32\config\software
C:\Windows\system32\config\system
C:\Users\username\NTUSER.DAT (one for each user profile on the system)

When the files are loaded into memory, the Registry takes the form of:
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG

The activities presented here examine a number of popular Registry entries, but clearly not all artifacts.

Instructions

Activity 5 (DO) Should be installed already, but if not ......

Reading Offline Registry Files with Regedit
Product: Regedit
Manufacturer: Microsoft Corporation
Web site: https://msdn.microsoft.com/en-us/library/windows/desktop/ms724871(v=vs.85).aspx

Warning: Please be extremely careful when using Regedit. Changes made to the active Registry can cause unstable conditions in Windows. Loading a hive can also modify the hive file itself, so always work from a copy of the evidence file, never the original.

1. Download the file called "RegistryFiles - 1.zip" from filePack and extract the contents of the compressed file to your desktop.
2. Open a command prompt on a Windows computer.
3. Start Regedit.
4. When the Registry Editor launches, ensure all keys are collapsed.
5. In the Regedit window, left-click HKEY_LOCAL_MACHINE so that it is highlighted. Do not expand it.
6. From the main menu select "File" and then "Load Hive..." from the pull-down menu. (This menu item is greyed out unless HKEY_LOCAL_MACHINE or HKEY_USERS is selected.)
7. Browse to the directory on the desktop with the RegistryFiles - 1 contents retrieved from filePack and select the file called SOFTWARE. You will be prompted to enter a name in the "Load Hive" window. Enter the name "TEST" and click the "OK" button.
8. Expand HKEY_LOCAL_MACHINE. The loaded hive appears with the name TEST. Confirm the logon banner contained within the TEST hive by navigating down to the following Registry key:
   HKEY_LOCAL_MACHINE\TEST\Microsoft\Windows\CurrentVersion\Policies\System
9. After navigating down to the key, the full path is displayed at the bottom of the Regedit window. Notice two values: legalnoticecaption and legalnoticetext. The former holds the text that appears in the title bar of the consent banner; the latter is the actual message contained within the body of the consent banner.
10. What consent banner is shown on this computer?
    No consent banner is displayed based on the empty values in this Registry file; you know this by double-clicking legalnoticecaption and finding "Value data" empty. (In this hive the consent banner has been removed and nothing will be displayed at logon. The absence of the banner may cause legal concerns during the examination of corporate assets. In this example the absence of data is a finding.) If a banner is found, it shows that the user was informed of the policies listed.
11. Navigate to the following key to identify the installation information for the version of Windows:
    HKEY_LOCAL_MACHINE\TEST\Microsoft\Windows NT\CurrentVersion (ProductName value)
12. What is the name of the Windows product? Eddie
13. What is the product ID number? 00371-868-0000007-85715
14. In what directory on the system is the operating system running (system root)? C:\Windows

When you are finished, highlight TEST and choose File > Unload Hive. Until the hive is unloaded the file stays locked on disk and its keys remain visible in the live Registry.
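The same steps (load the SOFTWARE hive as HKLM\TEST, read the banner and version values, unload) can be scripted so the findings are repeatable and the hive is always unloaded afterwards. The following PowerShell script is an added example and is not part of the lab handout; it uses reg.exe and the built-in HKLM: provider rather than the Regedit GUI. The $HivePath default and the TEST mount name are assumptions matching the lab; the copy-to-temp step exists because loading a hive can write to the file. It goes slightly beyond the lab by also decoding the InstallDate value. It must be run from an elevated (Administrator) PowerShell prompt, since reg load needs backup/restore privileges.

```powershell
# Added example, not the lab's own material. Automates steps 6-14 of the lab.
# Assumptions: the extracted SOFTWARE hive sits on the desktop as in step 1,
# and the mount name TEST is free. Run from an elevated PowerShell prompt.
param(
    [string]$HivePath  = "$env:USERPROFILE\Desktop\RegistryFiles - 1\SOFTWARE",
    [string]$MountName = 'TEST'
)

if (-not (Test-Path -LiteralPath $HivePath)) {
    throw "Hive not found: $HivePath"
}

# Work on a copy: loading a hive can modify the file, and the evidence copy
# should never change.
$work = Join-Path $env:TEMP ("SOFTWARE_copy_{0}" -f (Get-Date -Format 'yyyyMMddHHmmss'))
Copy-Item -LiteralPath $HivePath -Destination $work

# Steps 6-7: the equivalent of File > Load Hive, mounted under HKLM\TEST.
& reg.exe load "HKLM\$MountName" $work | Out-Null
if ($LASTEXITCODE -ne 0) {
    Remove-Item -LiteralPath $work -Force
    throw "reg load failed with exit code $LASTEXITCODE (is this prompt elevated?)"
}

try {
    # Steps 8-10: logon consent banner. Absent or empty values are a finding.
    $policyKey = "HKLM:\$MountName\Microsoft\Windows\CurrentVersion\Policies\System"
    $policy  = Get-ItemProperty -Path $policyKey -ErrorAction Stop
    $caption = $policy.legalnoticecaption
    $text    = $policy.legalnoticetext
    if ([string]::IsNullOrEmpty($caption) -and [string]::IsNullOrEmpty($text)) {
        Write-Output 'Finding: no logon consent banner configured (legalnoticecaption/legalnoticetext empty or missing)'
    } else {
        Write-Output "Banner caption: $caption"
        Write-Output "Banner text   : $text"
    }

    # Steps 11-14: product name, product ID and system root. InstallDate is a
    # DWORD holding seconds since the Unix epoch (UTC); decoded here as an extra.
    $cvKey = "HKLM:\$MountName\Microsoft\Windows NT\CurrentVersion"
    $cv = Get-ItemProperty -Path $cvKey -ErrorAction Stop
    [pscustomobject]@{
        ProductName  = $cv.ProductName
        ProductId    = $cv.ProductId
        SystemRoot   = $cv.SystemRoot
        CurrentBuild = $cv.CurrentBuild
        InstallDate  = if ($cv.InstallDate) {
                           [DateTimeOffset]::FromUnixTimeSeconds([int64]$cv.InstallDate).UtcDateTime
                       } else { $null }
    } | Format-List
}
finally {
    # Always unload (File > Unload Hive). Force a GC first so the registry
    # provider releases its handles; otherwise reg unload reports access denied.
    [gc]::Collect()
    & reg.exe unload "HKLM\$MountName" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed with exit code $LASTEXITCODE; unload HKLM\$MountName manually" }
    Remove-Item -LiteralPath $work -Force -ErrorAction SilentlyContinue
}
```

Because the values are read through the provider, a missing key raises an error inside the try block and the finally block still unloads the hive, so a failed run never leaves TEST mounted in the live Registry.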