This talk is about some of the artifacts found in the registry and event logs, which can be used for an offensive or defensive operations.

1. Artifacts… That’s the Name of the Game
Fernando Tomlinson - @Wired_Pulse

2. Agenda
• About the Registry
• How the Registry can help Analysis
• Registry Tools
• Registry Artifacts and Useful Keys
• Registry Persistence
• About Event Logs
• How Event Logs help Analysis
• Event Logs Tools
• Event Log Artifacts and Useful IDs
• Custom Logs, Triggers, and Alteration
• Questions

3. Get-ADUser –Filter {Name -eq ”Fernando Tomlinson”}
• Primarily forensics, incident response, and information
technology background
• Adjunct Digital Forensics Professor at a local college
• .Net/PowerShell enthusiast; developing and coding in
PowerShell for 4 years
• Co-developer of Under the Wire (UnderTheWire.tech)
• Developer of PoSh Hunter (Posh-Hunter.com)
• Other sites:
• cyberfibers.com
• github.com/wiredpulse
PS C: >

4. We endeavour to ensure that the information we present on this website is accurate and current. However smallprint does not warrant or guarantee and takes no responsibility for any errors, omissions, misleading information, viruses or other contaminants contained in, linked to, or distributed through this website. On-Line Ordering Display on this website doesnot guarantee the availability of any particualr Good(s)and/orService(s)
therefore all orders placed through this website shall be subject to confirmation of acceptance by us. smallprint doesnot accept liability for: any direct or indirect damage arising from accessing, using or downloadingany material providedon or via this website any direct or indirect damage arising from any person relyingon information, products or services provided on or via this website any direct or indirect damage or loss incurred by
accessing sites linked to this website any direct or indirect damage or loss incurred by any person using, or beingunable to use, this website. All peoplevisiting this website take full responsibility for doing so This website is maintained by smallprint and we may make updates and changes to any part of the website at any time without giving prior notice.
If you have a task to create an email disclaimer or signature for your company and your mind went blank, fear not. We are here to provide inspiration. First of all,do not forget to insert your company’s data into the disclaimer. This serves more than one purpose. First of all, providing information on your company is required by law in some countries. For more information on legal requirements for email disclaimers, please consult this
article. Apart from the legal aspect, there is also a high marketing value. Including your company’s name and other information in every email makes your brand more and more recognizable and reinforces the bond betweenyouand the client. In this article, you can find text content for your disclaimers. If youwant to give them a nice graphic design and combine with a good lookingemail signature, We endeavour to ensure that the
information we present on this website is accurate and current. However smallprint doesnot warrant or guarantee and takes no responsibility for any errors, omissions, misleading information, viruses or other contaminants contained in, linked to, or distributed through this website. On-Line Ordering Display on this website doesnot guarantee the availability of any particualr Good(s)and/orService(s) therefore all orders placed through
this website shall be subject to confirmation of acceptance by us. smallprint doesnot accept liability for: any direct or indirect damage arising from accessing, using or downloadingany material provided on or via this website any direct or indirect damage arising from any person relyingon information, products or services provided on or via this website any direct or indirect damage or loss incurred by accessing sites linkedto this website
any direct or indirect damage or lossincurred by any person using, or being unable to use, this website. All peoplevisiting this website take full responsibilityfor doingso Thiswebsite is maintained by smallprint and we may make updates and changes to any part of the website at any time without giving prior notice.
Sometimes, it might happenthat when someone asks for a quotation, the recipient assumes that it equals enteringan agreement. In other situations, an employeemight get carried away and promise something that oversteps their authority. Those email disclaimer exampleshelpboth parties avoid misunderstandings.This quotation request is sent to compare available offers and does not imply entering youcan consult the article
on professional email signature designs. Here, provided email disclaimers examplesare divided into sections dependingon what they apply to:Confidentiality One of
most important things to mention in a good email disclaimer exampleis confidentiality. Simply speaking, it is to state that the message should be read onlyby the original recipient and that sharing its content is strictly forbidden.The content of this email is confidential and intendedfor the recipient specified in message only.It is strictly forbidden to share any part of this message with any third party, without a written consent of the
sender.If you received this message by mistake, please reply to this message and followwith its deletion,so that we can ensure such a mistake doesnot occur in the future. This message has beensent as a part of discussion between[Sender’sname] and the addressee whose name is specified above. Shouldyoureceive this message by mistake, we would be most grateful if youinformed us that the message has beensent to you. In this
case, we also ask that you deletethis message from your mailbox, and not forward it or any part of it to anyone else.Thank youfor your cooperation and understanding. This is a reminder for the addressee that they should check the message and attachments against viruses. This may either prevent clients’ computers from infection, or the company from beingsued for the damage caused by viruses. [Your company] puts the security of
the client at a high priority. Therefore,we have put efforts into ensuring that the message is error and virus-free. Unfortunately, full security of the email cannot be ensured as, despite our efforts, the data included in emails could be infected, intercepted,or corrupted. Therefore,the recipient should check the email for threats with proper software, as the sender doesnot accept liability for any damage inflicted by viewing the content of
this email.
Sometimes, it might happenthat when someone asks for a quotation, the recipient assumes that it equals enteringan agreement. In other situations, an employeemight get carried away and promise something that oversteps their authority. Those email disclaimer exampleshelpboth parties avoid misunderstandings. This quotation request is sent to compare available offers and doesnot imply entering into a legallybinding contract. No
employeeof[your company’s name] has the authority to conclude any bindingcontract without an explicit written consent of their supervisor. Therefore,any will to enter into an agreement must be confirmed by the [Sender’sname]’s manager. email disclaimer examples are very short and with a nice green icon can support the environment and show that youcare. Please do not print this email unless it is necessary. Every unprinted
email helpsthe environment. Is it necessary to print this email? If you care about the environment like we do, please refrain from printing emails. It helpsto keep the environment forested and litter-free. EmployeesliabilityThis email disclaimer offers the company helpwhene.g. an employeewrites something offensive. It is a safety measure against the company being sued for personalviewpoints of individuals in the company.Theviews
and opinionsincludedin this email belongto their author and do not necessarily mirror the views and opinionsof the company. Our employeesare obliged not to make any defamatory clauses, infringe, or authorize infringement of any legal right. Therefore,the company will not take any liability for such statements included in emails. In case of any damages or other liabilities arising, employeesare fully responsiblefor the content of their
emails.Email disclaimers in newsletters
Those are especiallyimportant, as they deal with subscribers’ l ists. According to regulations concernedwith email spamming and privacy, you have to provide an easy way to unsubscribe from such a list. Are youperhaps wonderingwhat could happenif there is no unsubscribe mechanism? Or if you do not provide information about your company? As an example,according to Canada’s Anti-Spam Legislation (CASL),sending a commercial
electronicmessage within, from or to Canada without such mechanism can result in criminal and civil charges, as wellas in huge penalties.For more information, you can visit this site. Below,youhave some email disclaimer examplesto show you how to put it into words.
We endeavour to ensure that the information we present on this website is accurate and current. However smallprint does not warrant or guarantee and takes no responsibility for any errors, omissions, misleading information, viruses or other contaminants contained in, linked to, or distributed through this website. On-Line Ordering Display on this website doesnot guarantee the availability of any particualr Good(s)and/orService(s)
therefore all orders placed through this website shall be subject to confirmation of acceptance by us. smallprint doesnot accept liability for: any direct or indirect damage arising from accessing, using or downloadingany material providedon or via this website any direct or indirect damage arising from any person relyingon information, products or services provided on or via this website any direct or indirect damage or loss incurred by
accessing sites linked to this website any direct or indirect damage or loss incurred by any person using, or beingunable to use, this website. All peoplevisiting this website take full responsibility for doing so This website is maintained by smallprint and we may make updates and changes to any part of the website at any time without giving prior notice.
Sometimes, it might happenthat when someone asks for a quotation, the recipient assumes that it equals enteringan agreement. In other situations, an employeemight get carried away and promise something that oversteps their authority. Those email disclaimer exampleshelpboth parties avoid misunderstandings.This quotation request is sent to compare available offers and does not imply entering into a legallybindingcontract. No
employeeof[your company’s name] has the authority to conclude any bindingcontract without an explicit written consent of their supervisor. Therefore,any will to enter into an agreement must be confirmed by the [Sender’sname]’s manager. email disclaimer examples are very short and with a nice green icon can support the environment and show that youcare. Please do not print this email unless it is necessary. Every unprinted
email helpsthe environment. Is it necessary to print this email? If you care about the environment like we do, please refrain from printing emails. It helpsto keep the environment forested and litter-free. EmployeesliabilityThis email disclaimer offers the company helpwhene.g. an employeewrites something offensive. It is a safety measure against the company being sued for personalviewpoints of individuals in the company.Theviews
and opinionsincludedin this email belongto their author and do not necessarily mirror the views and opinionsof the company. Our employeesare obliged not to make any defamatory clauses, infringe, or authorize infringement of any legal right. Therefore,the company will not take any liability for such statements included in emails. In case of any damages or other liabilities arising, employeesare fully responsiblefor the content of their
emails.Email disclaimers in newsletters
If you have a task to create an email disclaimer or signature for your company and your mind went blank, fear not. We are here to provide inspiration. First of all,do not forget to insert your company’s data into the disclaimer. This serves more than one purpose. First of all, providing information on your company is required by law in so
me countries. For more information on legal requirements for email disclaimers, please consult this article. Apart from the legal aspect, there is also a high marketing value. Including your company’s name and other information in every email makes your brand more and more recognizable and reinforces the bondbetweenyou and the
client. In this article, you can find text content for your disclaimers. If you want to give them a nice graphic design and combine with a good lookingemail signature, you can consult the article on professional email signature designs. Here, provided email disclaimers examplesare divided into sections dependingon what they apply to:C
onfidentiality One of the most important things to mention in a good email disclaimer example is confidentiality
Disclaimer
TL;DR( or TS;CR)
This presentation is not suggesting to only bypass or analyze the Registry or
Event Logs but merely highlighting a small amount of the plethora of information
that can be gained from them.

5. What is the Registry?
• DNA for a Windows operating system
• A central hierarchical database
• Stores much of the information and settings for software programs,
hardware devices, user preferences, operating system configurations,
and more.
• Essential database of artifacts for a forensics analysis

6. Registry Components
• Two important facts:
• It is only complete when loaded into your computer's memory
• It is the sum of two parts, the data and the processes that create it and provide access to it
• Some registry hives are stored on disk and some are in memory only
• All the registry hive structures only exist in memory
• Includes a set of volatile hives that only exist when Windows is running

7. Registry Components
• System Hives on Disk
• DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM
• Stored %WinDir%System32Config
• Backed up ~10 days and stored in %WinDir%System32ConfigRegBack
• Vista and above
• User Hives on Disk
• NTUSER.DAT
• C:Users<username>NTUSER.dat
• USRCLASS.DAT
• C:Users<username>AppDataLocalMicrosoftWindowsUsrClass.dat

8. From Disk to Memory
Data on Disk Process Data in Memory
Volatile
Registry Hives
Non-volatile
Registry Hives
Registry Hive
Files
Registry Hive
Files
Registry Hive
Files

9. Hive Transformation
Hives on disk Hives in Memory
HKEY _CLASSES_ROOT
NTUSER.DAT
USRCLASS.DAT
HKEY_CURRENT_USER
SAM
SECURITY
SOFTWARE
SYSTEM
HKEY_LOCAL_MACHINE
Default HKEY_USERS
HKEY_CURRENT_CONFIG

10. Visual Breakdown
Hives *
Key *
Subkey *
Value Value Data
Value Type
* Stores Last Write Time

11. How Registry Data is Stored?
• Most data needs to be converted into human readable format
• Binary
• XML
• Rot-13 Encoded
• User Assist Data
• Key-Values are tagged with Last Update time (64 bit Windows
data time)
• Can’t be viewed in the Windows Registry Editor

12. Why the Registry
• Plethora of information about the system and user activity
• Executed programs, service information, accessed files, etc..
• Heavily used by the operating system and applications
• Registry data created as a result or user/app interaction with the OS
• Not just malware investigations; can serve as a staging area

13. What can Registry analysis help
answer?
• Did malware (or something suspicious) execute?
• How is persistence maintained?
• What files/folders were accessed?

14. Analyzing the Registry
•User Activity•USB Devices
•System
Configuration
•Profile Users
SAM
SYSTEM
SOFTWARE
NTUSER.DAT
SYSTEM
SOFTWARE

15. Tools to View the Registry
• Registry Editor (regedit) – online hives
• Inherit in Windows operating systems
• Lacks display of LastUpdate but can be seen if exported
• RegRipper – offline hives
• Written by Harlan Carvey
• Extensible through plugins
• May not retrieve everything
• Registry Explorer – offline hives
• Written by Eric Zimmerman
• Can retrieve deleted keys
• YARU (Yet Another Registry Utility) – offline hives
• Can retrieve deleted keys
• Awesome but costs $$
• Registry Viewer – offline hives
• PowerShell – online hives

16. Execution
• MuiCache
• HKCUSoftwareClassesLocal SettingsSoftwareMicrosoftWindowsShellMuiCache
• System stores information from each new application launched
• No program execution time
• ShimCache
• HKLMSystemCurrentControlSetControlSession ManagerAppCompatCache
• Used to identify possible application compatibility challenges with executables
• Contains file name, path to exe, size, last modified time, last execution time, etc..
• Only written to at shutdown; get memory dump if needed
before shutdown

17. Execution
• UserAssist
• HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist
• Tracks executables and the links opened in Explorer
• Last time & number of times app was launched to include path to the app
• Stored in ROT13
• RecentApps
• HKCUSoftwareMicrosoftWindowsCurrentVersionSearchRecentApps
• New to Windows 10
• Tracks executed programs & files accessed from them
• Very similar to UserAssist; likely not wiped during anti-forensics due to not being as widely
known

18. Investigate Activity
• Shellbags
• HKCUSoftwareMicrosoftWindowsShellBags
• HKCUSoftwareClassesLocal SettingsSoftwareMicrosoftWindowsShellBags
• Contains path & last write time of every folder accessed
• Determine directory structure of accessed volumes
• Requires interaction with the shell
• RecentDocs
• HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerRecentDocs
• List of files opened from Windows Explorer
• Tracks last 150 files or folders opened
• Corresponds to %USERPROFILE%Recent (My Recent Documents)

19. Investigate Activity
• Application MRU Lists
• HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerComDlg32
• Recently opened or saved files/programs/URLS via Windows shell box (including items
opened from the browser)
• Documents that are opened or saved via Microsoft Office programs are not
maintained.
• WordWheelQuery
• HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerWordWheelQuery
• Terms searched for in the File Explorer search bar
• Uninstall
• HKLMSoftwareMicrosoftWindowsCurrentVersionUninstall
• Installed programs
• Contains name, version, install date, etc..

20. Investigate Activity
• Typed URLs
• HKCUSoftwareMicrosoftInternet ExplorerTypedURLs
• Last 25 recent URLs (or file path) that is typed in the IE or File Explorer address bar
• Shows fully typed, automatically completed while typing, or links that are selected from
the list of stored URLs in IE address bar
• Typed Paths
• HKCUSoftwareMicrosoftWindowsCurrentVersionExplorer TypedPaths
• Written Registry upon user logging off
• Mapped Drives
• HKCUnetwork
• Lists user mapped drives, username, connection type, etc..

21. TypedPaths

22. Persistence
• Many, many ways to persist
• “Run” keys
• Application hijacking – when a certain event happens, run code
• HKLMSoftwareMicrosoftWindows NTCurrentVersionWindowsAppInit_DLLs
• Browser Helper Objects (BHO)
• HKLMSoftwareMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects
• Logoff script -> RunOnce -> Stager_Execution

23. Persistence through offline Registry Hive

24. Persistence and Execution
• Data -> Bytes -> Base64 -> Staging
• Fileless approach
• Registry, Active Directory, Event Logs, Alternate Data Streams
• There when we need it; less likely to be found

25. Deleted Registry Keys and Values
• Registry hives have unallocated space, deleted keys are marked as unallocated
• Similar to file systems
• Recovery of unallocated Keys and Values are possible
• Keys, Values, & Timestamps
• Lack of anti-forensic tools to completely wipe unallocated registry hive data
• Recovery of deleted keys possible
• YARU (Yet Another Registry Utility)
• Registry Explorer

26. Deleted Registry Keys and Values

27. More Useful Keys
• Retrieve firewall rules and delete them
• HKLMSystemCurrentControlSetServicesSharedAccessParametersFirewallPolicyFirewall
Rules
• Disable firewall
• HKLMSystemCurrentControlSetServicesSharedAccessParametersFirewallPolicyFirewall
Rules*Profile
EnableFirewall = 0
• Disable downgrade PowerShell v2
• HKLMSoftwareMicrosoftPowerShell1PowerShellEngine
• Sysinternals key
• HKCUSoftwareSysinternals

28. More Useful Keys
• WinLogon
• HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogon
Shell = Explorer.exe, < malware.exe >
• HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogon
UserInit = C:windowssystem32usinit.exe, < malware.exe >
• Disable Process Creation Commandline Logging
• HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemAudit
ProcessCreationIncludeCmdLine_Enabled = 0
• Disable Prefetch
• HKLMSoftwareCurrentControlSetControlSession ManagerMemory
ManagementPrefetchParameters
EnablePrefetcher = 0

29. Service DLLs

30. Service DLLs

31. Microsoft Office

32. Retrieving SystemInfo from the Registry

34. What are Event Logs?
• Centralized recording of information about:
• Software
• Hardware
• Operating system functions
• Security
• Multiple events comprise an event log
• Events are collected and stored by the Event Logging Service (EventLog)
• Event logs provide historical information that can help illuminate system and
security problems as well as tracking user actions and system resource usage.
• Exporting from Event Viewer
• Multiple formats: .evt, .evtx, .csv, .xml, .txt

35. How do Event Logs help?
• What Happened?
• Date Time?
• Users Involved?
• Systems Involved?
• Resources Accessed?

36. Location
• NT / Win2000 / XP / Server 2003
• .evt file type
• %systemroot%System32config
• Filenames: SecEvent.evt, AppEvent.evt, SysEvent.evt
• Vista / Win7 / Win8 / 2008 /2012 / Win10 /Win 2016
• .evtx filt type
• %systemroot%System32winevtlogs
• Remote log server
• Filenames: Security.evtx, Application.evtx, System.evtx, etc.
• Default locations can be changed in the registry

37. Types of logs
• Security log
• Most commonly reviewed log in forensics
• User authentication/logon and behavior/actions
• File/Folder/Share access
• Security settings modifications
• Failure and success can be audited
• Detailed logging can be enabled on specific user accounts
• Only updated by the LSASS process
• Third-party applications cannot insert events
• Application and Service Logs
• Stored in same folder as standard event logs:
• %systemroot%System32winevtLogs
• Includes PowerShell logs

38. Interesting Logs
• Security
• 4688 – Process Creation
• 4648 – Explicit credential use
• 4624- Logon
• 4625 - Failed Logon
• 4634 / 4647- Successful Logoff
• 4672 - Account logon with superuser rights
(Administrator)
• 4778 - Session Connected/Reconnected
• 4779 - Session Disconnected
• 1102 - Audit cleared
• 5140 - Network share was accessed
• 1100 – Eventlog service disabled
• 5145 - Shared object accessed (Detailed File Share auditing)
• 4688 - Process Creation (includes executable path)
• 7034 - Service crashed unexpectedly
• 7035 - Service sent a Start/Stop control
• 7036 - Service started or stopped
• 7040 - Start type changed (Boot I On Request I Disabled)
• 7045 - A service was installed on the system (Win2008R2+ )
• 4697 - A service was installed on the system
• 4616 - Change time

39. Interesting Logs
• USB:
• 20001 - Plug and Play driver install attempted (System log)
• 6416 – New external device plugged in
• 4663 - Attempt to access removable storage object
• 4656 – Failure to access removable storage object
• Application:
• 1033 - Installation completed
• 1034 - Application removal completed
• 11707 - Installation completed successfully
• 11708 - Installation operation failed
• 11724 - Application removal completed successfully

40. 4624 – How the User Logged In
• The following Logon Type Codes can be used:
• 2: Log on via a console
• 3: Network logon
• 4: Batch logon
• 9: Typically RunAs
• 10: Remote interactive logon

41. Locating Log Evidence
• It is important to understand where logs are recorded
• Domain controllers
• System logged into
• Remote system or server
• Rule of thumb is that an event is triggered wherever authentication or
system processing took place
• Domain credential authentication = on domain controller
• Remote desktop logon = on system being logged into
• Network share mounted = on remote system where shared folder resides

42. Tools to View Event Logs
• Event Viewer
• Built-in to Windows
• Reads online and offline logs
• Reads local and remote logs
• Event Log Explorer
• Supports .evt and .evtx formats
• Can open multiple logs at once for
simultaneous Searching correlation
activities
• Merge logs together to correlate
• Access remote event logs
• Color coding by Event IDs
• Free for personal use
• PowerShell
• Built-in to Windows
• Reads online and offline logs
• Reads local and remote logs

43. • Create your own custom logs
• Could be used to log activity that otherwise had no way of being logged
You said the data
wasn’t logging!
Custom Logging

44. • Post-exploitation
• Persistence
• Monitor for events to trigger action
Triggers from Event Log

45. Invoke-GhostLog
• Technique for altering event logs on Win7
• Queries are based on XML
• Can exclude/include events based on ID or timeframe
• Caution if system is logging services being disabled (ID 1100)
• Requires System 
https://github.com/WiredPulse/Invoke-GhostLog

46. References
https://www.techsupportalert.com/content/deeper-windows-registry.htm
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/