This document summarizes information about the Windows Registry including its structure, tools used to access it, locations of hive files, and types of evidence that can be extracted including search history, recent documents, dialog boxes used, commands executed, and software/OS versions. It explains registry hives like HKEY_LOCAL_MACHINE, keys with MRU lists that track recently used items, and how timestamps and MRU lists can help determine the order and time of user activity on a system.
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsJared Greenhill
This presentation outlined how performing memory forensics on a single memory image broke open an extremely large intrusion in the non-profit space. Tools, techniques and procedures (TTP’s) of an advanced actor intrusion will be highlighted during a technical deep-dive of memory analysis and related workflow.
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsJared Greenhill
This presentation outlined how performing memory forensics on a single memory image broke open an extremely large intrusion in the non-profit space. Tools, techniques and procedures (TTP’s) of an advanced actor intrusion will be highlighted during a technical deep-dive of memory analysis and related workflow.
Windows Registry Forensics with Volatility FrameworkKapil Soni
Windows Registry Forensics is the most important part of Memory Forensics Investigations. With the help of Windows Registry Forensics we can reconstruct user activity as well find the evidence easily.
Windows Registry Forensics (WRF) is a one of most important part on malware analysis. The changes made due to malware on Windows that reflect on Registry.
If attacker tried to make changes on Windows OS so all the logs like opening, deleting, modifying folder or file as well if attacker executed a file like .exe , everything is stores in Windows Registry that helps investigator to catch cyber criminal.
My slides for PHDays 2018 Threat Hunting Hands-On Lab - https://www.phdays.com/en/program/reports/build-your-own-threat-hunting-based-on-open-source-tools/
Virtual Machines for lab are available here - https://yadi.sk/d/qB1PNBj_3ViWHe
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
Windows privilege escalation by Dhruv ShahOWASP Delhi
Different scenarios leading to privilege escalation
Design issues , implementation flaws, untimely system updates , permission issues etc
We ain’t talking about overflows here , just logics and techniques
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
There is increased discussion around threats that adopt so-called “living off the land” tactics. Attackers are increasingly making use of tools already installed on targeted computers or are running simple scripts and shellcode directly in memory. Creating fewer new files on the hard disk, or being completely fileless, means less chance of being detected by traditional security tools and therefore minimizes the risk of an attack being blocked. Using simple and clean dual-use tools allows the attacker to hide in plain sight among legitimate system administration work.
Further reading:
Attackers are increasingly living off the land (https://www.symantec.com/connect/blogs/attackers-are-increasingly-living-land)
Living off the land and fileless attack techniques (https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf)
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
This presentation "Threat hunting on the wire" is part of a a series of courses on the subject of Threat Hunting. It covers command-line packet analysis, and network forensics.
Windows Registry Forensics with Volatility FrameworkKapil Soni
Windows Registry Forensics is the most important part of Memory Forensics Investigations. With the help of Windows Registry Forensics we can reconstruct user activity as well find the evidence easily.
Windows Registry Forensics (WRF) is a one of most important part on malware analysis. The changes made due to malware on Windows that reflect on Registry.
If attacker tried to make changes on Windows OS so all the logs like opening, deleting, modifying folder or file as well if attacker executed a file like .exe , everything is stores in Windows Registry that helps investigator to catch cyber criminal.
My slides for PHDays 2018 Threat Hunting Hands-On Lab - https://www.phdays.com/en/program/reports/build-your-own-threat-hunting-based-on-open-source-tools/
Virtual Machines for lab are available here - https://yadi.sk/d/qB1PNBj_3ViWHe
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
Windows privilege escalation by Dhruv ShahOWASP Delhi
Different scenarios leading to privilege escalation
Design issues , implementation flaws, untimely system updates , permission issues etc
We ain’t talking about overflows here , just logics and techniques
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
There is increased discussion around threats that adopt so-called “living off the land” tactics. Attackers are increasingly making use of tools already installed on targeted computers or are running simple scripts and shellcode directly in memory. Creating fewer new files on the hard disk, or being completely fileless, means less chance of being detected by traditional security tools and therefore minimizes the risk of an attack being blocked. Using simple and clean dual-use tools allows the attacker to hide in plain sight among legitimate system administration work.
Further reading:
Attackers are increasingly living off the land (https://www.symantec.com/connect/blogs/attackers-are-increasingly-living-land)
Living off the land and fileless attack techniques (https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf)
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
This presentation "Threat hunting on the wire" is part of a a series of courses on the subject of Threat Hunting. It covers command-line packet analysis, and network forensics.
MacOS forensics and anti-forensics (DC Lviv 2019) presentationOlehLevytskyi1
MacOS forensics and anti-forensics (DC Lviv 2019) presentation. Prepared specially for DC38032. Prepared by Oleh Levytskyi (https://twitter.com/LeOleg97)
presentation on Windows and basics registry.
These slides deals with the basic terms and working of windows registry under Windows O.S.
Windows tricks by registry.
A Presentation on Registry forensics from one of my lectures. Thanks to Harlan Carvy and Jolanta Thomassen for wonderful researches in the field. The work is based on their researches
A Pilot study on issues and complexity of digital forensics and how digital forensics can be applied in a live environment without the loss or spoilage of valuable data and evidence
Automating everything with PowerShell, Terraform, and AWSChris Brown
From the Melbourne PowerShell meetup in December 2016. At this event I presented a demonstration of how easy it is to build, test, and destroy infrastructure using combinations of technologies.
Similar to MindMap - Forensics Windows Registry Cheat Sheet (20)
Cosmetic shop management system project report.pdfKamal Acharya
Buying new cosmetic products is difficult. It can even be scary for those who have sensitive skin and are prone to skin trouble. The information needed to alleviate this problem is on the back of each product, but it's thought to interpret those ingredient lists unless you have a background in chemistry.
Instead of buying and hoping for the best, we can use data science to help us predict which products may be good fits for us. It includes various function programs to do the above mentioned tasks.
Data file handling has been effectively used in the program.
The automated cosmetic shop management system should deal with the automation of general workflow and administration process of the shop. The main processes of the system focus on customer's request where the system is able to search the most appropriate products and deliver it to the customers. It should help the employees to quickly identify the list of cosmetic product that have reached the minimum quantity and also keep a track of expired date for each cosmetic product. It should help the employees to find the rack number in which the product is placed.It is also Faster and more efficient way.
Immunizing Image Classifiers Against Localized Adversary Attacksgerogepatton
This paper addresses the vulnerability of deep learning models, particularly convolutional neural networks
(CNN)s, to adversarial attacks and presents a proactive training technique designed to counter them. We
introduce a novel volumization algorithm, which transforms 2D images into 3D volumetric representations.
When combined with 3D convolution and deep curriculum learning optimization (CLO), itsignificantly improves
the immunity of models against localized universal attacks by up to 40%. We evaluate our proposed approach
using contemporary CNN architectures and the modified Canadian Institute for Advanced Research (CIFAR-10
and CIFAR-100) and ImageNet Large Scale Visual Recognition Challenge (ILSVRC12) datasets, showcasing
accuracy improvements over previous techniques. The results indicate that the combination of the volumetric
input and curriculum learning holds significant promise for mitigating adversarial attacks without necessitating
adversary training.
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)MdTanvirMahtab2
This presentation is about the working procedure of Shahjalal Fertilizer Company Limited (SFCL). A Govt. owned Company of Bangladesh Chemical Industries Corporation under Ministry of Industries.
Saudi Arabia stands as a titan in the global energy landscape, renowned for its abundant oil and gas resources. It's the largest exporter of petroleum and holds some of the world's most significant reserves. Let's delve into the top 10 oil and gas projects shaping Saudi Arabia's energy future in 2024.
Welcome to WIPAC Monthly the magazine brought to you by the LinkedIn Group Water Industry Process Automation & Control.
In this month's edition, along with this month's industry news to celebrate the 13 years since the group was created we have articles including
A case study of the used of Advanced Process Control at the Wastewater Treatment works at Lleida in Spain
A look back on an article on smart wastewater networks in order to see how the industry has measured up in the interim around the adoption of Digital Transformation in the Water Industry.
Explore the innovative world of trenchless pipe repair with our comprehensive guide, "The Benefits and Techniques of Trenchless Pipe Repair." This document delves into the modern methods of repairing underground pipes without the need for extensive excavation, highlighting the numerous advantages and the latest techniques used in the industry.
Learn about the cost savings, reduced environmental impact, and minimal disruption associated with trenchless technology. Discover detailed explanations of popular techniques such as pipe bursting, cured-in-place pipe (CIPP) lining, and directional drilling. Understand how these methods can be applied to various types of infrastructure, from residential plumbing to large-scale municipal systems.
Ideal for homeowners, contractors, engineers, and anyone interested in modern plumbing solutions, this guide provides valuable insights into why trenchless pipe repair is becoming the preferred choice for pipe rehabilitation. Stay informed about the latest advancements and best practices in the field.
Final project report on grocery store management system..pdfKamal Acharya
In today’s fast-changing business environment, it’s extremely important to be able to respond to client needs in the most effective and timely manner. If your customers wish to see your business online and have instant access to your products or services.
Online Grocery Store is an e-commerce website, which retails various grocery products. This project allows viewing various products available enables registered users to purchase desired products instantly using Paytm, UPI payment processor (Instant Pay) and also can place order by using Cash on Delivery (Pay Later) option. This project provides an easy access to Administrators and Managers to view orders placed using Pay Later and Instant Pay options.
In order to develop an e-commerce website, a number of Technologies must be studied and understood. These include multi-tiered architecture, server and client-side scripting techniques, implementation technologies, programming language (such as PHP, HTML, CSS, JavaScript) and MySQL relational databases. This is a project with the objective to develop a basic website where a consumer is provided with a shopping cart website and also to know about the technologies used to develop such a website.
This document will discuss each of the underlying technologies to create and implement an e- commerce website.
About
Indigenized remote control interface card suitable for MAFI system CCR equipment. Compatible for IDM8000 CCR. Backplane mounted serial and TCP/Ethernet communication module for CCR remote access. IDM 8000 CCR remote control on serial and TCP protocol.
• Remote control: Parallel or serial interface.
• Compatible with MAFI CCR system.
• Compatible with IDM8000 CCR.
• Compatible with Backplane mount serial communication.
• Compatible with commercial and Defence aviation CCR system.
• Remote control system for accessing CCR and allied system over serial or TCP.
• Indigenized local Support/presence in India.
• Easy in configuration using DIP switches.
Technical Specifications
Indigenized remote control interface card suitable for MAFI system CCR equipment. Compatible for IDM8000 CCR. Backplane mounted serial and TCP/Ethernet communication module for CCR remote access. IDM 8000 CCR remote control on serial and TCP protocol.
Key Features
Indigenized remote control interface card suitable for MAFI system CCR equipment. Compatible for IDM8000 CCR. Backplane mounted serial and TCP/Ethernet communication module for CCR remote access. IDM 8000 CCR remote control on serial and TCP protocol.
• Remote control: Parallel or serial interface
• Compatible with MAFI CCR system
• Copatiable with IDM8000 CCR
• Compatible with Backplane mount serial communication.
• Compatible with commercial and Defence aviation CCR system.
• Remote control system for accessing CCR and allied system over serial or TCP.
• Indigenized local Support/presence in India.
Application
• Remote control: Parallel or serial interface.
• Compatible with MAFI CCR system.
• Compatible with IDM8000 CCR.
• Compatible with Backplane mount serial communication.
• Compatible with commercial and Defence aviation CCR system.
• Remote control system for accessing CCR and allied system over serial or TCP.
• Indigenized local Support/presence in India.
• Easy in configuration using DIP switches.
1. Windows Registry
Hives
HKEY_LOCAL_MACHINESAM(KEY) SAM
HKEY_LOCAL_MACHINESecurity(KEY) SECURITY
HKEY_LOCAL_MACHINESystem(KEY) SYSTEM
HKEY_LOCAL_MACHINESoftware(KEY) SOFTWARE
HKEY_USER(KEY) NTUSER.DAT
Tools
RegRipper
YaruRecover delete
Ubication
%WinDir%System32Config
SAM
SECURITY
SYSTEM
SOFTWARE
DEFAULT
NTUSER.dat
(XP) Documents and Settings<username>NTUSER.dat
(Vista,Win7 y 8) Users<username>NTUSER.dat
USRCLASS.dat(Vista,Win7 y 8) Users<username> NTUSER.dat
Evidence
NTUSER.DAT
XP Search History
SoftwareMicrosoftSearch
AssistantACMru
5001 Search the Internet
5603 All or part of the filename
5604 A word or pase in a file
5647 Computers or people
Recent Docs
SoftwareMicrosoftWindowsCurre
ntVersionExplorerRecentDocs
Office Recent Docs SoftwareMicrosoft
10
Word FileMRU
Excel
PowerPoint
11
12
14
Dialog Boxes
LastVisited
Last path of file Opened
Executable Used
SoftwareMicrosoftWindowsCurre
ntVersionExplorerComDI32
LastVisitedMRU
LastVisitedPid1MRU
OpenAndSave
Save File Dialog Box
Open File Dialog Box
SoftwareMicrosoftWindowsCurre
ntVersionExplorerComDI32
OpenSaveMRU
OpenSavePidMRU
Comands Executed
SoftwareMicrosoftWindowsCurre
ntVersionExplorerRunMRU
SoftwareMicrosoftWindowsCurre
ntVersionExplorerPoliciesRunMR
U
Program Executed
SoftwareMicrosoftWindowsCurre
ntVersionExplorerUserAssist
{GUID}Count
encoged ROT-13
Last run time
Run count
UEME_
RUNPATH
RUNCPL
RUNPIDL
UIQCUT
UISCUT
UITOOLBAR
SOFTWARE OS Version
MicrosoftWindows
NTCurrentVersion
SYSTEM
Computer Name
CurrentControlSetControlComput
erNameComputerName
CurrentControlSet
ControlSet00x
SelectCurrent
Network interfaces
CurrentControlSetServicesTcpip
ParametersInterfaces
Time Zone
CurrentControlSetControlTimeZo
neInformation
Formulas
UTC = Local Time + ActiveTimeBias
Local Time = UTC - ActiveTimeBias
Standard Time = Bias + StandardBias
Daylight Time = Bias + DaylightBias
Time Zone Information
CurrentControlSetControlTimeZo
neInformation
Backup%WinDir%System32ConfigRegBack
Properties
TimeStampsEvery Key has Last Write TimeTime UTC
MRU
Most Recent Used MRUList
MRUList
Key value for Keep track most
recent additions
Knowing the exact order will aid in
determing the order of activity
Last write time of the Key will be
the time the first MRUlist entry
value occurred