Common types of Anti-forensics utilized
These are the common locations anti-forensics targets:
- filesystem
- registry
- other (event log tampering and process evasion)
- Time to respond to an intrusion is the biggest factor in whether or not we discover malicious activity; artifacts may roll out of the logs.
Common types of Anti-forensics utilized: FILE SYSTEM
These are the common anti-forensics techniques used in file systems:
- timestomping
- file deletion
- file/free space wiping
- data encryption
- fileless malware (not artifact-less)
Common types of Anti-forensics utilized: REGISTRY
These are the common anti-forensics techniques used in the registry:
- registry key/value deletion
- registry key/value wiping
- hiding scripts in the registry
Common types of Anti-forensics utilized: OTHER
These are the common anti-forensics techniques in the "other" category:
- event log deletion/tampering
- process evasion with rootkits and code injection
Timestomping
Timestomping is a technique used to alter a file's timestamps to hide changes or new files. It's a common anti-forensic tactic used by threat actors to make it harder for examiners to find important artifacts.
Here are some details about timestomping:
How it works
Timestomping modifies a file's timestamps, such as the create, access, change, and modify times. The most common method is to modify the $STANDARD_INFORMATION ($SI) attribute, which is displayed to the user.
- Attackers often make a file's creation and modification times similar to those of the surrounding files so it blends in.
File deleting/ wiping
- Attackers use tools to overwrite and delete malware or data that was exfiltrated.
- Some LOL (living off the land) techniques do overwrite data, but many attackers use a tool like sdelete.exe to delete data. However, this won't allow attackers to hide the fact that they used a wiping tool.
- Attackers often wipe escalation tools and archive files like RAR archives.
Anti-forensics utilized: data encryption
- Attackers use encryption methods to hide the data they are stealing. This is commonly in a RAR format and is difficult to break into.
Anti-forensics utilized: fileless malware
Fileless malware is a type of malicious software that operates entirely within a computer's memory, meaning it doesn't write any files to the hard drive. This makes it difficult to detect by traditional antivirus software that relies on file-based detection methods; instead, it uses legitimate system tools to execute its malicious code, often referred to as "living off the land" attacks.
How fileless malware attacks might occur:
Exploiting vulnerabilities:
An attacker might exploit a system vulnerability to inject malicious code into a running process.
Anti-forensics utilized: registry key modification
- Once a key/value is added to a registry hive file, it is difficult to fully remove.
- Windows operating systems go to great lengths to back up registry hive files.
Anti-forensics utilized: event log tampering
- Attackers have for a long time cleared event logs.
- Advanced attackers are able to suspend and modify these event logs.
- Logs forwarded to a SIEM are protected against these methods.
Volume Shadow Copies (VSS/VSC)
A "volume shadow copy" is a technology within Microsoft Windows, also known as the "Volume Shadow Copy Service (VSS)," which allows users to create snapshots or backup copies of files and volumes on a computer even while they are actively being used.
- Provides backups of nearly the entire volume to earlier points in time.
- They are similar to virtual machine snapshots.
- You are able to recover key files like event logs, registry files, malware, and even wiped files.
- Scope snapshots were introduced in Windows 8+.
- XP restore points are created from various activities, including application installation, Windows updates, and driver installation.
- These triggers cause backups of key system files like EXEs, DLLs, drivers, and registry files.
- Vista+ started to use persistent snapshots, but there are a few files excluded. These are listed under BackupRestore\FilesNotToSnapshot. Some Windows versions may exclude the hibernation and page file from the VSS backup.
Scope Snapshot
A "Scope Snapshot" refers to a specific type of snapshot that captures only a defined set of data within a larger system, essentially limiting the scope of the snapshot to a particular area of interest. It is often used in scenarios like software analysis or system monitoring where you only need to capture specific data points or components at a given time; it's like taking a "focused picture" of a specific part of a larger system instead of capturing everything at once.
- This monitors files in the boot volume that are relevant for system restore only.
- These don't really do a full disk backup and just cover critical parts, which could leave files corrupted.
- Scope snapshots can be disabled by creating a registry DWORD value called snapshots.
Volume Shadow Copies (VSS/VSC) NOTES
- Backed-up blocks are stored in 16 KB chunk files in the "System Volume Information" directory.
- The shadow copy directory includes a file that tracks each active shadow copy with info such as the VSC ID and the timestamp when it was created.
- The tracking file is called a "catalog" and its name is in the format of a GUID that looks like: 435345-78456-234fc-c342vb345xcv
- For each shadow copy, there is a store file that keeps all the backed-up 16 KB blocks.
Shadow Volume examination tools
Triage: KAPE, Velociraptor
Full volume analysis: Arsenal Image Mounter, F-Response, vshadowmount
Vshadowinfo
Vshadowinfo is a utility that provides information about a Windows NT Volume Shadow Snapshot (VSS) volume. It is part of the libvshadow package, which is a library for accessing the VSS format.
Here are some options for vshadowinfo:
-a: Shows allocation information
-h: Shows help
-o offset: Specifies the volume offset in bytes
-v: Provides verbose output to stderr
- The Windows equivalent is vssadmin list shadows.
- You cannot point it at an E01 image.
vshadowmount
Vshadowmount is a utility that mounts a Windows NT Volume Shadow Snapshot (VSS) volume to a separate mount point. It is part of the libvshadow package, which is a library that provides access to the VSS format.
Here are some options for vshadowmount:
-h: Shows help
-o offset: Specifies the volume offset in bytes
-v: Provides verbose output to stderr
-V: Prints the version
-X extended_options: Passes extended options to the subsystem
- Exposes all volume shadow copies as raw disk images.
Arsenal Image Mounter
Arsenal Image Mounter (AIM) is a disk image mounting tool that allows users to mount the contents of disk images as complete disks in Windows. AIM is developed by Arsenal Recon, a company that offers open source digital forensics tools.
AIM has many benefits for digital forensics practitioners, including:
-Launching virtual machines and bypassing Windows authentication
-Managing BitLocker-protected volumes
-Mounting Volume Shadow Copies
-Bypassing Windows file system drivers
-Virtually mounting archives and directories
-Saving disk images with fully-decrypted BitLocker volume
- Tricks Windows into thinking it's a real drive.
- Automatically unwinds VSCs.
- Uses a disk image driver to emulate a physical SCSI drive.
- Exposes VSCs, BitLocker, and any other drive encryption.
libvshadow
Libvshadow is a library and tool that provides access to the Volume Shadow Snapshot (VSS) format. VSS is a Microsoft Windows technology that creates backup copies of computer files and volumes, even when they are in use.
Libvshadow is useful for analysts who need to work with shadow copies contained within a forensic image. It comes with two commands:
vshadowinfo: Provides information on the shadow copies within an image
vshadowmount: Mounts each volume shadow copy to a separate mount point
ewfmount
Ewfmount is a utility that mounts data in Expert Witness Format (EWF) files. EWF is a file type used to store media images for forensic purposes. Ewfmount is part of the libewf package, a library that provides access to EWF
- Used to expose the compressed E01 image; it is not part of libvshadow.
- Creates a virtual representation of the raw disk image.
Linux SIFT- mountwin
Alternative to the full mount command.
Log2timeline VSC - notes
- log2timeline can recognize VSCs when run against a full disk image.
- Multiple snapshots can be chosen at once.
- psort can process and remove duplicate data.
- psort records the number of events it processes and how many events were filtered out due to the filter setting or duplicate removal.
Psort- duplicate removal reasons
Reasons psort removed events:
- File system entry has the same timestamp for all MACB timestamps.
- Parsing a storage media file produces a lot of duplicates for the same event log record.
- Metadata information extracted for a file stored in the same place hasn't changed.
OS/2 HPFS - NTFS
OS/2 was a failed operating system that led to the development of HPFS (High Performance File System), which in turn led to NTFS. HPFS features:
- support for mixed-case filenames and code pages
- support for long names (255 instead of FAT 8+3)
- less data fragmentation
- extended space allocation
- transaction journal for crash recovery
- B+ tree structures
- support for encryption, compression
- support for sparse files
- POSIX support
- cluster sizes of 4 KB instead of 64 KB
- NTFS added a field in the MFT to explicitly state what record number it was
NTFS notes
- NTFS added a field in the MFT to explicitly state what record number it was.
- There is a difference between the on-disk format and the version of the NTFS.sys driver that Windows uses to load the system. These differences are actually changes to the driver version number and new features, NOT changes to the on-disk format.
NTFS Features and notes
- NTFS uses a log file to record changes to metadata and tracks integrity.
- NTFS tracks all files that changed on a system via the Update Sequence Number (USN) journal, or change journal.
- POSIX requires support for hard links and soft links. A hard link is a single file that responds to multiple names. A soft link is a file that has no data but points to the real file.
- NTFS prevents users from opening files they shouldn't.
- NTFS allows admins to limit the disk space users can use.
- Reparse points are soft links, volume mount points, and single instance storage.
- NTFS uses object IDs to track certain files, and the distributed link tracking system updates where the file went.
- NTFS implemented file-level encryption.
- NTFS implemented file-level compression.
- NTFS keeps file backups as you modify them.
- NTFS allows alternate file content and tags items downloaded from the internet.
- NTFS allows you to mount another drive as a folder.
- NTFS can save disk space by keeping one instance of a file.
MFT Notes
Master File Table - this is the "about" data (metadata).
- The metadata layer contains data that describes files.
- Contains pointers to the data layer for files, MAC times, and permissions.
- Each metadata structure is given a numeric address.
- The MFT is the metadata catalog for NTFS.
- Contains info about files and directories such as modified, accessed, created, permissions, ownership, file size, and pointers.
- NTFS uses the concept of data runs while FAT uses a chain of clusters.
- The MFT is the core metadata structure of the file system.
- An MFT entry for a file contains the critical info needed to fully describe the file and in some cases provides pointers to other locations.
MFT Notes 2
- Each file and directory will have at least, and usually only, one MFT entry.
- All MFT entries are stored together in a single file called $MFT.
- Some critical information includes the directory name, timestamps, permissions, and a pointer to the actual data.
- Resident data is stored in the remaining space of an MFT entry. This only happens if the data is 600 bytes or less.
- NTFS reserves the first 24 entries for special use, and the first 12 entries are used by many file systems.
- MFT entries use the next available entry to create a new file, and sequence numbering is used for many created at one time.
MFT system files
0. $MFT (master file table)
1. $MFTMirr (backup copy of the first four MFT records)
2. $LogFile (transactional logging file, aka journaling)
3. $Volume (contains volume name, NTFS version, dirty flag)
4. $AttrDef (NTFS attribute definitions)
5. $.
6. $Bitmap (tracks allocation, i.e. whether each cluster is in use)
7. $Boot (boot record of the volume)
8. $BadClus (used to mark defective clusters)
9. $Secure (tracks security info for files)
10. $UpCase (table of Unicode upper-case letters to assist in sorting)
11. $Extend (directory containing $ObjId, $Quota, $Reparse, $UsnJrnl)
MFT: Entry Attributes
- The MFT is database-like and very structured.
- MFT entries are typically 1024 bytes long.
- Every object gets an entry with attributes.
- In rare cases they can be set to 4096 bytes.
MFT: Entry Attributes Defined
These are added to the attribute column for files:
**0x10 standard info
0x20 attribute list
**0x30 file name
0x40 object id
0x50 security descriptor
0x60 volume name
0x70 volume information
**0x80 data
**0x90 index root
**0xA0 index allocation
MFT Entry format in order
MFT Header (allocation status and entry)
Standard Information (contains 4 timestamps)
Filename (short name and long name)
Data (contains data or cluster runs)
Sleuthkit: istat
Displays statistics about a given metadata structure (aka inode), including MFT entries.
- Can work on image types like raw, E01, VMDK, and VHD, and even a live file system.
- The -s option allows you to offset the time in case the system clock runs slow.
MFT Header: $StandardInformation
Header: contains allocation status, MFT entry number, $LogFile sequence number.
Standard Information: contains file/folder attributes like read-only, hidden, etc.; security info like permissions; and the USN journal sequence number.
It also contains 4 timestamps (creation, date modified, MFT metadata modified, data last accessed).
Fixup array
This is used for checking for errors in MFT data structures that span multiple sectors (except for sectors that don't contain file data).
The last 2 bytes of each sector are copied into an array and a signature value is written into those last 2 bytes. When the structure is read, these two bytes are compared to the signature value. If they don't match, then something is corrupt.
$logfile Sequence Number (LSN)
It is at offset 0x08, is part of the journaling system, and determines if the file system is consistent and if something needs to be redone.
MFT: $Filename attributes
This section contains the name of the file or directory, whether it is read-only or hidden, etc., the parent entry, size of the file, allocated file size, created, modified, MFT modified, and accessed times, and other attributes like the short and long file name, and data for a resident file.
- The $Filename attribute is signatured by a value of 0x30, or 48 in decimal.
- The parent directory reference consists of two parts: the first 6 bytes are the MFT entry number and the last 2 are the sequence number.
Windows time rules Notes - $standard_information time stamps
- One exception is that on Windows 10 (v1803) the last access timestamp may be enabled again under certain conditions.
- Another caveat is that the Windows Subsystem for Linux (WSL) updates times differently than the standard rules. We find that the WSL bash shell does not abide by the normal rules for the Windows shell.
Timestomping Notes
- Timestomping is common with attackers and malware authors to make their files hide in plain sight.
- Artifacts from timestomping vary based on the tool used.
Timestomping artifact anomalies to check for
- $StandardInfo "B" time prior to the $File_Name "B" time
- $SI M time prior to ShimCache/Amcache time
- $SI times prior to the executable's compile time
- $SI times prior to $I30 slack entries
- USN journal records contradict the current creation timestamp
- MFT entry number out of sequence from the expected range
- Fractional second values all zeros
MFT: $Data Notes
- Non-resident data has references to the clusters where it resides on disk. If the data is less than 700 bytes, it is stored directly in the $Data attribute (resident).
- Files can have multiple $Data streams. These are called Alternate Data Streams (ADS) and they must be named.
- Allocated size is the size of the clusters consumed by the file (file content + slack).
- Initialized size is the size of the clusters reserved for the file to grow into (this gives more space but isn't counted in the total file size).
Virtual Cluster Numbers (VCN)
Virtual cluster numbers are used to track the contiguous, in-order clusters that make up a file. The count of clusters will always start at zero except in rare cases.
Dataruns
Data runs consist of a series of entries that tell us the starting point and the length of each segment of the file.
Alternate Data Streams (ADS) notes
- ADS are just the presence of a second $Data attribute.
- Any ADS attribute must be named, but the primary $Data attribute is never named because it gets its name from the $Filename attribute.
Sleuthkit: icat
In digital forensics, "Sleuth Kit icat" refers to a command-line tool within the Sleuth Kit framework that extracts and displays the contents of a specific file or data object from a disk image. It reads the file system metadata to locate and access the raw data associated with the file, essentially letting you "view" a file within a forensic image on the command line.
Zone.identifier notes
This is an ADS given to files to signal where they came from. A value of 3 means the file was downloaded from the internet.
- This is also known as the Mark of the Web (MOTW).
- This is done via the Windows IAttachmentExecute interface for safely downloading and exchanging files.
- Some exceptions include Internet Explorer only looking for malicious files, and command-line tools like PowerShell and ftp.exe being unlikely to tag downloads.
- Chromium-based browsers also limit the data stored in Zone.Identifier (like referrer URL and host URL) during private sessions.
zone.identifier id attributes
-1 = no zone
0 = my computer
1 = intranet
2 = trusted
3 = internet
4 = untrusted
Payloads with ADS
ADS can be added to files as DLLs with something like txt.exe:adsBAD.dll.
- You can search for ADS with "dir /r" or "Get-Item -Stream".
- Another location to commonly see ADS is in the user's Downloads folder due to MOTW Zone.Identifier objects.
NTFS Directory: $I30
In computer terms, "$I30" refers to a hidden system file on a Windows NTFS hard drive that acts as an index, keeping track of the location and attributes of every file and directory on the volume, essentially serving as a directory listing for the file system; it's particularly important in data recovery scenarios as it can help identify deleted files due to its record of previous file locations.
Key points about $I30:
Function:
It acts like a master index, storing information about where each file is located on the disk, making file access faster.
- 0x30 is the code for the $Filename attribute; $I30 gets its name from that because the entries are formatted the same in terms of MFT entry and sequence number, index size, then the 4 MACB times.
- However, the timestamp values here come from the $Standard_Information attribute and not $Filename.
- If a file has two $Filename attributes in the MFT to accommodate short and long names, then there will be two index entries in that directory index.
NTFS MFT Directory: $I30 Notes
This is an index that stores metadata for directories.
- These contain lists of child files/directories.
- Just like other artifacts, deleted entries don't get immediately overwritten and are just marked as unused.
- We can search for deleted files here.
NTFS B-tree
An NTFS B-tree refers to the data structure used by the New Technology File System (NTFS) to efficiently index and organize file system data, allowing for quick access to files by utilizing a self-balancing tree structure that enables fast searching, insertion, and deletion operations; essentially, it acts as a directory system to keep track of where files are located on the hard drive within the NTFS file system.
Key points about NTFS B-tree:
Function:
It helps locate files quickly by storing file metadata (like file names, locations, and sizes) in a structured way within the B-tree, facilitating efficient file system navigation.
NTFS Directory MFTAttributes notes
A directory is essentially a file and has an MFT record just like a file. It will have $StandardInformation and $Filename attributes, but instead of $Data it will have $Index_Root. $Index_Root holds info just like $Data: name, resident flag, and size.
- Just like other MFT records, it has an ADS called $Index_Allocation. This will be present when the index is non-resident.
Parsing $I30 directory indexes (indx2CSV)
- This parses out active and slack entries.
- Can do several index types such as $I30, $O, $Obj, and $Reparse.
- Uniquely, it CAN scan for partial entries, allowing it to sometimes report metadata for deleted files and directories when their full entry isn't available.
- Similarly, the Sleuth Kit icat tool can extract individual attributes.
File System Journaling
There are two journals that track file system metadata changes: $LogFile and $UsnJrnl.
$LogFile records low-level transactional data about changes to the file system.
$UsnJrnl records higher-level changes that can be used by applications to monitor for file and directory changes. This allows software like AV to only take action on new or changed files.
$logfile notes
- Provides file system resiliency.
- It maintains very detailed information, including full payload data to be recorded, indexes, and $UsnJrnl.
- Default size is 64 MB.
- It is designed to handle issues with files but not to protect the data.
- It can provide the data needed to finish a modification in the event of a power outage.
$UsnJrnl
"$UsnJrnl" refers to the "Update Sequence Number Journal" file on a Windows system, which is a hidden system file that keeps a record of all changes made to files and directories on an NTFS formatted hard drive, essentially acting as a change log for the file system; allowing forensic investigators to track file creation, deletion, and modification timestamps even if the files themselves have been deleted.
Key points about $UsnJrnl:
Function:
It records details about file system changes like creation, deletion, modification, and renaming, providing valuable information for system recovery and digital forensics.
- Change records are stored in an ADS named $J.
- Individual records are not numbered but are tracked based on their offset into the $J data stream.
- The $J ADS is actually what's exported for analysis, not $UsnJrnl.
- $UsnJrnl is typically 32 MB in size.
Usn notes
- USN records track a changed file's name, MFT number, its parent directory's MFT number, the timestamp of the change, reason code, file size, and its attributes like hidden, archive, etc.
USN records
In computer terms, "USN records" stand for "Update Sequence Number records," which are essentially a log of all changes made to files and directories on a Windows NTFS volume, detailing when and how each file was created, modified, or deleted; essentially acting as a change journal for the file system.
Key points about USN records:
Function:
Whenever a change is made to a file or directory on an NTFS drive, a new USN record is added to the "USN Journal" which keeps track of the change with information like the file name, type of change (create, delete, modify), and the time it occurred.
E01 image
In the context of computers, "E01" refers to a file format primarily used in computer forensics, representing a disk image that contains a bit-for-bit copy of a hard drive, including additional metadata like hash values to verify data integrity, typically created by forensic software like EnCase; essentially, it's a standard way to capture and store a complete image of a drive for investigation purposes.
Key points about E01 files:
Forensic use:
Primarily used by digital investigators to preserve evidence from a suspect computer by creating an exact copy of the hard drive
$LogFile markers for file/directory creation - InitializeFileRecordSegment and AddIndexEntryAllocation
When a file is created, there are two operation codes that happen.
- InitializeFileRecordSegment - this function tells the MFT to ALLOCATE some space to store the file's attribute information. It needs to have the space or it won't have room. Parsing this is like using the istat tool.
- AddIndexEntryAllocation - now that there's space, this adds the information to the index of the parent directory. This is like parsing the $I30 index, which includes info like the item name, MFT record number, parent MFT record, and a full set of $SI timestamps.
$UsnJrnl for ADS creation
$UsnJrnl logs the creation, deletion, or rename of an ADS. This will start with a "StreamChange" code and then it should have a "NamedDataExtend" code indicating data was added to a named stream. There can be a few seconds of delay between these events.
$USNJrnl file/directory mods
Three USN reason codes make this easy to spot:
DataExtend, DataOverwrite, and DataTruncation
LogFileParser Notes
- This parser handles the complexity of $LogFile and can produce a summary of each event in the $LogFile.
- The if_textInformation field points to files that have more information.
- Outputs are put into a file named log_filefileNames.csv, which collects file and directory names found in all the attributes.
- LSNs are log sequence numbers that track events, because $LogFile entries don't have timestamps.
- LogFileParser can take cluster runs and attempt to reconstruct the data with the option /reconstructdataruns.
What happens when a file is deleted
Data layer: clusters will be marked as unallocated in $Bitmap, but the data will remain intact until the clusters are reused. File data and slack space will still exist.
Metadata layer: a single bit in the file's $MFT record is flipped, so all file metadata will remain the same until it is reused. The $LogFile, $UsnJrnl, and other system logs will still reference the file.
Filename layer: $Filename is preserved until the MFT record is reused. The $I30 index entry in the parent directory may be preserved.
Sdelete
SDelete is a free, command-line tool from Microsoft's Windows Sysinternals that securely deletes files and erases data from hard drives:
How it works
SDelete overwrites file data with meaningless data to prevent the recovery of deleted files. This is different from the standard delete action, which only marks the space as unallocated.
Features
SDelete can:
Delete existing files
Erase file data in unallocated portions of a disk
Wipe all free space on a hard drive
Implement the Department of Defense clearing and sanitizing standard DOD 5220.22-M
Sdelete notes
- A tool signed by Microsoft.
- SDelete renames files 26 times, replacing the characters in the file name.
Windows search index
The Windows Search Index is a local database that stores information about files, folders, programs, and other content on a Windows PC:
What it includes
The index includes file properties, such as names and paths, as well as the contents of text files. It also includes metadata for non-file items, such as contacts and messages.
How it works
The index is created and updated in the background as Windows tracks changes to files. When a user searches for a file, they're searching the index instead of searching in real time.
How it's used
The index is used by many built-in apps, including:
File Explorer: Accesses and tracks changes to files
Microsoft Edge: Provides browser history results in the address bar
Outlook: Searches email when running in offline mode
- This takes advantage of the USN change journal.
- For changed files that are in a location to be indexed and do not have the FANCI (File Attribute Not Content Indexed) bit set, their URI paths get added to the Windows Search gather queue.
BCWipe
- Licensed product with many config options.
- It can effectively clear $I30 slack and MFT records.
- Renames files once with a random name equal in size to the original.
- $UsnJrnl, $LogFile, and evidence of execution artifacts persist.
eraser
- Recommended by US-CERT for sanitizing data.
- Includes an option to use a legitimate filename prior to final deletion.
- Renamed MFT records with ADS present, $I30 slack, $UsnJrnl, $LogFile, and evidence of execution artifacts persist.
- Renames 7 times prior to deletion.
cipher
Designed primarily for encryption via EFS, but also includes a feature to overwrite free space (not individual files).
- LOLBin sometimes used for cleanup.
- Use cipher.exe /w:drive to implement the built-in free space wiping.
- cipher creates a persistent directory named EFSTMPWP at the volume root and adds temp files within it to fill free space.
Deleted file recovery methods - two
There are two methods for file recovery:
- The first option is to use file system metadata for entries that were marked as deleted where the metadata describing the file still points to data that is still available.
- The second option is file carving, which uses file signatures of well-known file types to locate deleted files in the volume's unallocated clusters.
File signature
A file signature (aka magic number) is a sequence of bytes at the beginning of a file that is unique to each file type.
File Recovery via Metadata
icat - extract deleted files individually with icat
tsk_recover - extract all deleted files with tsk_recover
Photorec
Free file carver tool.
- Runs on Windows, Linux, and Mac.
vss_carver.py
- Used to carve and recreate volume shadow copies.
Bulk extractor
- Main goal is to scan input data quickly to find useful information.
- It automatically detects compressed files, decompresses them, and processes the data.
- Some built-in scanners can collect email addresses, IP addresses, URLs, credit card numbers, etc.
bulk extractor with record carving
It has all the features of bulk_extractor, plus add-ons to carve EVTX, NTFS INDX (with $Index_Allocation attributes), NTFS MFT, NTFS USN, and utmp records.
- utmp is used for carving Linux/Unix logs that detail login and logout information.
- This tool also takes steps to reconstruct the file format of event logs so that the recovered events can be read directly with tools like Event Log Explorer.
blkls
Blkls is a command in The Sleuth Kit (TSK) that lists the contents of data units in a file system, and can extract unallocated space:
What it does
Blkls lists the contents of all unallocated units in a file system, which can be used to search for deleted file content.
How it works
Blkls opens named images and copies file system data units, or blocks. By default, it copies the contents of unallocated data blocks.
file system history notes
$LogFile default size is 64 MB.
$UsnJrnl is 32 MB, and on some servers 512 MB.
$UsnJrnl is preferred since it's more efficient and kept longer.
Suspicious file activity: fsutil, vssadmin, wmic shadowcopy.
Registry key recovery
Registry hives have unallocated space similar to file systems.
A deleted hive key is marked as unallocated, but it is still possible to recover keys, values, and timestamps.
The Registry Explorer tool makes it easy to recover deleted registry data.
Fileless malware in registry
- Detect large values.
- Detect base64 values.
- Malware is sometimes bundled with a PowerShell command to launch it, and the script may be stored in a separate value to obscure it a bit more.