Perform Windows Memory and Registry Analysis: True or False: Traces of processes, threads, malware, open files, network connections, hidden applications, encryption keys, etc. can be found in RAM, making it one of the most crucial components from the point of view of evidence gathering.
True
Windows Memory Analysis: What is an integral part of forensic analysis and involves acquisition of physical memory or RAM dumps of the Windows machine?
Windows memory analysis
Windows Memory Analysis: Examining ____________ helps investigators detect hidden rootkits, find hidden objects, identify suspicious processes, etc.
RAM dumps of the Windows machine
Windows Crash Dump: What is a storage space where the system stores a memory backup in case of a system failure?
Memory dump or crash dump
Windows Crash Dump: What helps diagnose and identify the bugs in a program that led to a system crash, and includes all the information regarding stop messages, a list of loaded drivers, and information about the processor that stopped?
Crash dumps
Windows Crash Dump: True or False: The information in memory dumps is in binary, octal, or hexadecimal format.
True
Windows Crash Dump: What enables users to examine the cause of the system crash and identify any errors in the applications or in the OS?
Windows Crash Dump
Windows Crash Dump: The core dump includes what before the system failure?
System state, memory locations, application or program status, program counters, etc.
Windows Crash Dump: The core dump includes which of the following before the system failure?
Memory locations
Windows Crash Dump: The core dump includes which of the following before the system failure?
Application or program status
Windows Crash Dump: The core dump includes which of the following before the system failure?
Program counters
Windows Crash Dump: In Windows 10, the OS creates which of the following memory dumps?
Automatic memory dump
Windows Crash Dump: In Windows 10, the OS creates which of the following memory dumps?
Complete memory dump
Windows Crash Dump: In Windows 10, the OS creates which of the following memory dumps?
Kernel memory dump
Windows Crash Dump: In Windows 10, the OS creates which of the following memory dumps?
Small memory dump
Windows Crash Dump: True or False: Examining crash dumps can sometimes help a forensic investigator find out whether a crash was caused by an internal error or by a remote attacker who successfully exploited a bug in the OS or in a third-party application installed on it.
True
Windows Crash Dump: What program performs a quick analysis of a crash dump file and shows summary information about what the dump file contains?
DumpChk
Windows Crash Dump: What tool can quickly tell whether a dump file is corrupt in such a way that it cannot be opened by a debugger?
DumpChk
Windows Crash Dump: What is the syntax for DumpChk?
DumpChk [-y SymbolPath] DumpFile
Windows Crash Dump: What does the “-y SymbolPath” parameter specify in the DumpChk syntax DumpChk [-y SymbolPath] DumpFile?
SymbolPath specifies where DumpChk needs to search for symbols
Windows Crash Dump: What does the “DumpFile” parameter specify in the DumpChk syntax DumpChk [-y SymbolPath] DumpFile?
DumpFile specifies the crash dump file that is to be analyzed
Collecting Process Memory: True or False: There are ways to collect all the memory used by a process—not just what is present in physical memory but what is in virtual memory or the page file as well.
True
Collecting Process Memory: What tool dumps the entire process space, along with additional metadata and the process environment, to the console (STDOUT) so that the output can be redirected to a file or a socket?
Process Dumper (pd.exe)
Collecting Process Memory: What allows dumping of any process, without attaching a debugger and without terminating the process once the dump has been completed?
Userdump.exe
Collecting Process Memory: A dump file generated by ___________ can be read by Microsoft debugging tools; however, the tool requires installation of its own kernel driver.
Userdump.exe
Collecting Process Memory: Another method of dumping a process is to use ___________.
adplus.vbs script
Collecting Process Memory: Alongside the debugger, investigators can use Sysinternals tools such as ________ to see which handles (files, registry keys, sockets) a process had open.
Handle.exe
Collecting Process Memory: Alongside the debugger, investigators can use Sysinternals tools such as ________ to see which DLLs were loaded into a process.
ListDLLs.exe
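The DumpChk cards above describe a tool that reports what a dump file contains and whether it is too corrupt for a debugger to open, and the process-dump cards note that Userdump.exe writes files Microsoft's debuggers can read. The following is an added example, written for this page rather than taken from it or from Microsoft, of the same kind of header-level sanity check performed in Python against a user-mode dump (minidump) file. It parses only the public MINIDUMP_HEADER and MINIDUMP_DIRECTORY layouts; it is not a replacement for DumpChk, and kernel crash dumps (which start with 'PAGEDUMP' or 'PAGEDU64') are simply rejected. The two dump images are constructed in the script, one consistent and one truncated.

```python
import struct
import time

# Public MINIDUMP_HEADER / MINIDUMP_DIRECTORY layouts (minidumpapiset.h). Kernel crash
# dumps use a different header ('PAGEDUMP' / 'PAGEDU64') and are rejected here.
MINIDUMP_SIGNATURE = 0x504D444D   # the bytes 'MDMP' read as a little-endian ULONG32
MINIDUMP_VERSION = 0xA793         # low 16 bits of MINIDUMP_HEADER.Version
HEADER_FMT = "<IIIIIIQ"           # Signature, Version, NumberOfStreams, StreamDirectoryRva,
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # CheckSum, TimeDateStamp, Flags -> 32 bytes
DIR_FMT = "<III"                  # StreamType, Location.DataSize, Location.Rva
DIR_SIZE = struct.calcsize(DIR_FMT)        # 12 bytes
STREAM_NAMES = {                  # subset of MINIDUMP_STREAM_TYPE
    3: "ThreadListStream", 4: "ModuleListStream", 5: "MemoryListStream",
    6: "ExceptionStream", 7: "SystemInfoStream", 9: "Memory64ListStream",
    12: "HandleDataStream", 15: "MiscInfoStream", 16: "MemoryInfoListStream",
}


def check_minidump(data: bytes) -> dict:
    """Summarise a dump the way DumpChk does: what it contains and whether it is consistent."""
    report = {"valid": False, "streams": [], "errors": []}
    if len(data) < HEADER_SIZE:
        report["errors"].append("file shorter than MINIDUMP_HEADER")
        return report
    sig, ver, nstreams, dir_rva, _cksum, ts, flags = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != MINIDUMP_SIGNATURE:
        report["errors"].append("bad signature (not 'MDMP')")
        return report
    if ver & 0xFFFF != MINIDUMP_VERSION:
        report["errors"].append(f"unexpected version 0x{ver & 0xFFFF:04x}")
    report["timestamp"] = time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(ts))
    report["flags"] = flags
    if dir_rva + nstreams * DIR_SIZE > len(data):
        report["errors"].append("stream directory runs past end of file (truncated dump)")
        return report
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from(DIR_FMT, data, dir_rva + i * DIR_SIZE)
        name = STREAM_NAMES.get(stype, f"Stream{stype}")
        report["streams"].append({"type": stype, "name": name, "size": size, "rva": rva})
        if rva + size > len(data):   # directory points at data the file no longer holds
            report["errors"].append(f"{name} data (rva=0x{rva:x}, size={size}) lies past end of file")
    report["valid"] = not report["errors"]
    return report


def build_sample_dump(stream_specs, truncate_to=None) -> bytes:
    """Constructed test input: header, directory, then opaque stream payloads."""
    dir_rva = HEADER_SIZE
    payload_rva = dir_rva + len(stream_specs) * DIR_SIZE
    directory, payload = b"", b""
    for stype, blob in stream_specs:
        directory += struct.pack(DIR_FMT, stype, len(blob), payload_rva + len(payload))
        payload += blob
    header = struct.pack(HEADER_FMT, MINIDUMP_SIGNATURE, 0x0001A793,  # high word is implementation-defined
                         len(stream_specs), dir_rva, 0, 1700000000, 0)
    data = header + directory + payload
    return data[:truncate_to] if truncate_to else data


# Constructed samples: a consistent dump, and one cut off mid-way (e.g. a copy that failed).
SAMPLE_DUMP = build_sample_dump([(7, b"\x00" * 56), (3, b"\x00" * 4), (4, b"\x00" * 4)])
TRUNCATED_DUMP = build_sample_dump([(7, b"\x00" * 56), (9, b"\x00" * 64)], truncate_to=100)

if __name__ == "__main__":
    for label, blob in (("sample.dmp", SAMPLE_DUMP), ("truncated.dmp", TRUNCATED_DUMP)):
        r = check_minidump(blob)
        print(f"{label}: {'OK' if r['valid'] else 'CORRUPT'} {r['errors']}")
        for s in r["streams"]:
            print(f"  {s['name']:<22} size={s['size']:<6} rva=0x{s['rva']:x}")
```

The truncated case is the one DumpChk is most useful for in practice: a dump whose directory is intact but whose stream data was never written (interrupted copy, full disk) will still fail to load in a debugger, and checking every directory entry against the file length explains why before any symbol lookup is attempted.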
Random Access Memory (RAM) Acquisition: From a forensics point of view, examining __________ dumps provides system artifacts such as running services, accessed files and media, system processes, network information, and malware activity.
Random Access Memory (RAM)
Random Access Memory (RAM) Acquisition: During live acquisition, investigators use tools such as ___________ to perform RAM dumps.
Belkasoft RAM Capturer
Random Access Memory (RAM) Acquisition: During live acquisition, investigators use tools such as ___________ to perform RAM dumps.
AccessData FTK Imager
Memory Forensics: Malware Analysis Using Redline: Forensic investigators can use tools such as __________ to analyze the memory and detect malicious activities that occurred on a system.
Redline
Memory Forensics: Malware Analysis Using Redline: What tool helps investigators construct the timeline and scope of a cybercrime incident?
Redline
Memory Forensics: Malware Analysis Using Redline: Which of the following are steps involved in performing malware analysis using the Redline utility?
Analyze the RAM dump using Redline by loading it from the ‘Analyze Data’ section
Memory Forensics: Malware Analysis Using Redline: Which of the following are steps involved in performing malware analysis using the Redline utility?
Under the ‘Analysis Data’ tab, you can find all the processes that were running on the system when the RAM dump was acquired
Memory Forensics: Malware Analysis Using Redline: Which of the following are steps involved in performing malware analysis using the Redline utility?
Click on ‘Ports’ under the ‘Processes’ tab so that you can find all the connections that existed when the RAM dump was acquired
Memory Forensics: Malware Analysis Using Redline: Which of the following are steps involved in performing malware analysis using the Redline utility?
In the worked case, the process ‘rundll32.exe’ (PID 1896) is making a connection to the remote IP address 172.20.20.21 over port 4444, which looks suspicious
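The Redline steps above end with an analyst eyeballing the Ports view for a process that should not be talking to the network. The following is an added example, not Redline's code and not part of the original page, of the same triage done programmatically over a process/port listing of the kind Redline exports from a RAM image. The rows are constructed to mirror the page's case (rundll32.exe, PID 1896, to 172.20.20.21:4444), and the two heuristics, a list of living-off-the-land binaries that rarely need their own outbound session and a list of default framework listener ports, are the author's assumptions rather than a Redline feature. The second function widens the scope from one flagged connection to every process talking to the same remote host, which is how the timeline and scope of an incident are built out.

```python
from dataclasses import dataclass
from collections import defaultdict


@dataclass
class PortRecord:
    """One row of a Redline-style Ports listing (constructed layout, not Redline's schema)."""
    pid: int
    process: str
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    state: str


# Constructed sample rows mirroring the page's case (rundll32.exe, PID 1896 -> 172.20.20.21:4444).
PORTS = [
    PortRecord(4, "System", "0.0.0.0", 445, "0.0.0.0", 0, "LISTENING"),
    PortRecord(1896, "rundll32.exe", "172.20.20.45", 49311, "172.20.20.21", 4444, "ESTABLISHED"),
    PortRecord(3120, "chrome.exe", "172.20.20.45", 49320, "142.250.80.46", 443, "ESTABLISHED"),
    PortRecord(2204, "svchost.exe", "0.0.0.0", 135, "0.0.0.0", 0, "LISTENING"),
    PortRecord(2588, "powershell.exe", "172.20.20.45", 49402, "10.0.0.9", 8080, "ESTABLISHED"),
    PortRecord(4420, "explorer.exe", "172.20.20.45", 49410, "172.20.20.21", 445, "ESTABLISHED"),
]

# Assumption: binaries that rarely need their own outbound TCP session on a workstation
# and are commonly abused as loaders (living-off-the-land binaries).
LOLBINS_WITH_NETWORK = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                        "cscript.exe", "powershell.exe", "certutil.exe"}
# Assumption: default listener ports of common post-exploitation frameworks
# (4444 is the Metasploit default; the others are analyst conventions, not authoritative).
C2_DEFAULT_PORTS = {4444, 4445, 1337, 31337, 50050}


def triage(records):
    """Flag established connections; findings with the most reasons come first."""
    findings = []
    for r in records:
        if r.state != "ESTABLISHED":
            continue
        reasons = []
        if r.process.lower() in LOLBINS_WITH_NETWORK:
            reasons.append(f"{r.process} is a LOLBin with an outbound connection")
        if r.remote_port in C2_DEFAULT_PORTS:
            reasons.append(f"remote port {r.remote_port} is a known C2 default")
        if reasons:
            findings.append({"pid": r.pid, "process": r.process,
                             "remote": f"{r.remote_addr}:{r.remote_port}", "reasons": reasons})
    return sorted(findings, key=lambda f: len(f["reasons"]), reverse=True)


def scope_by_remote_host(records):
    """Group every established connection by remote host, to widen scope once one host is flagged."""
    hosts = defaultdict(list)
    for r in records:
        if r.state == "ESTABLISHED":
            hosts[r.remote_addr].append((r.pid, r.process, r.remote_port))
    return dict(hosts)


if __name__ == "__main__":
    for f in triage(PORTS):
        print(f"PID {f['pid']:<5} {f['process']:<16} -> {f['remote']:<20} {'; '.join(f['reasons'])}")
    print("Processes talking to 172.20.20.21:", scope_by_remote_host(PORTS)["172.20.20.21"])
```

Note that explorer.exe's SMB session to the same host trips neither heuristic on its own, yet it belongs in the scope of the incident once 172.20.20.21 is identified as the attacker's box; the grouping step is what surfaces it.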
Windows Registry Analysis: What is a hierarchical database that contains low-level settings for the Microsoft Windows OS and for applications that use the registry?
The Windows registry
Windows Registry Analysis: Investigating the data present in the _________ helps forensic investigators obtain information on installed software and hardware driver configuration settings, track suspicious user activity, determine information about connected devices, etc.
Windows registry
Windows Registry Analysis: What analysis helps investigators build a timeline of the incident during a forensic investigation?
Windows Registry Analysis
Windows Registry Analysis: True or False: Windows registry serves as a database of all activities that a user performs on a Windows system and, hence, serves as a valuable source of evidence in a forensic investigation.
True
Windows Registry Analysis: In the _________, data is stored in folders in treelike structures, which are referred to as hives.
Windows registry
Windows Registry Analysis: What are the main registry hives in the Windows registry?
HKEY_CLASSES_ROOT
Windows Registry Analysis: What are the main registry hives in the Windows registry?
HKEY_CURRENT_USER
Windows Registry Analysis: What are the main registry hives in the Windows registry?
HKEY_CURRENT_CONFIG
Windows Registry Analysis: What are the main registry hives in the Windows registry?
HKEY_LOCAL_MACHINE
Windows Registry Analysis: What are the main registry hives in the Windows registry?
HKEY_USERS
Windows Registry Analysis: Windows Registry hives are divided into two types. Which of the following are the two types?
Non-volatile and Volatile
Windows Registry Analysis: When are volatile Windows Registry hives captured?
During live analysis of the system
Windows Registry Analysis: Where are non-volatile Windows registry hives located?
On the hard drive
Windows Registry Analysis: Which Windows registry hives are non-volatile?
HKEY_LOCAL_MACHINE
Windows Registry Analysis: Which Windows registry hives are non-volatile?
HKEY_USERS
Windows Registry Analysis: Which Windows registry hives are volatile?
HKEY_CLASSES_ROOT
Windows Registry Analysis: Which Windows registry hives are volatile?
HKEY_CURRENT_USER
Windows Registry Analysis: Which Windows registry hives are volatile?
HKEY_CURRENT_CONFIG
Windows Registry Analysis: Which hive, abbreviated HKU, contains information about all the currently active user profiles on the computer?
HKEY_USERS
Windows Registry Analysis: Each registry key under the _______ hive relates to a user on the computer and is named after the user's security identifier (SID). The registry keys and values under each SID control that user's mapped drives, installed printers, environment variables, and so on.
HKEY_USERS
Windows Registry Analysis: Which hive, abbreviated HKCR, is presented as a subkey of HKEY_LOCAL_MACHINE\Software and contains file extension association information together with programmatic identifier (ProgID), Class ID (CLSID), and Interface ID (IID) data?
HKEY_CLASSES_ROOT
Windows Registry Analysis: What hive stores the necessary information that makes sure that the correct program opens when the user opens a file through Windows Explorer?
HKEY_CLASSES_ROOT
Windows Registry Analysis: The class registration and file name extension information presented under ______________ is found under both HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes.
HKEY_CLASSES_ROOT
Windows Registry Analysis: Which hive, abbreviated HKCC, stores information about the current hardware profile of the system?
HKEY_CURRENT_CONFIG
Windows Registry Analysis: The information stored under the ______________ hive explains the differences between the current hardware configuration and the standard configuration.
HKEY_CURRENT_CONFIG
Windows Registry Analysis: Which hive is simply a pointer to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current registry key, which contains information about the standard hardware configuration that is stored under the Software and System keys?
HKEY_CURRENT_CONFIG
Windows Registry Analysis: Which hive, abbreviated HKLM, contains most of the configuration information for installed software (including the Windows OS itself) and information about the physical state of the computer (bus type, installed cards, memory type, startup control parameters, and device drivers)?
HKEY_LOCAL_MACHINE
Windows Registry Analysis: Which hive, abbreviated HKCU, contains the configuration information related to the currently logged-on user?
HKEY_CURRENT_USER
Windows Registry Analysis: The ____________ hive controls the user-level settings associated with the user profile, such as desktop wallpaper, screen colors, display settings, etc.
HKEY_CURRENT_USER
Registry Structure within a Hive File: True or False: It is essential for a forensic investigator to have a good understanding of the basic components of the registry. This will help them to obtain extra information through keyword searches of other locations and sources that include the page file, physical memory, or even unallocated spaces.
True
Registry Structure within a Hive File: The various components of the registry called _______ each have a specific structure and contain a specific type of information.
Cells
Registry Structure within a Hive File: What contains Registry key information and includes offsets to other cells as well as the LastWrite time for the key?
Key cell
Registry Structure within a Hive File: What holds a value and its data?
Value cell
Registry Structure within a Hive File: What is made up of a series of indexes pointing to key cells, all of which are subkeys of the parent key cell?
Subkey list cell
Registry Structure within a Hive File: What is made up of a series of indexes pointing to value cells, all of which are values of a common key cell?
Value list cell
Registry Structure within a Hive File: What contains security descriptor information for a key cell?
Security descriptor cell
Windows Registry: Forensic Analysis: What helps the investigator to extract forensic artifacts such as user accounts, recently accessed files, USB activity, last run programs, and installed applications?
Forensic analysis of Windows registry
Windows Registry: Forensic Analysis: Investigators can examine the Windows registry using two methods. What are they?
Static analysis and Live analysis
Windows Registry: Forensic Analysis: In which method do investigators examine the registry files contained in the captured evidence file (for example, a disk image)?
Static Analysis
Windows Registry: Forensic Analysis: In which method do investigators use the built-in registry editor to examine the registry, and tools such as FTK Imager to capture registry files from a live system for forensic analysis?
Live analysis
Windows Registry: Forensic Analysis: How would you capture Windows registry files on Live system using FTK Imager?
File > Obtain Protected Files, then select “Password recovery and all registry files”
Windows Registry: Forensic Analysis: Which registry hive files are extracted from HKEY_LOCAL_MACHINE (together with the default user profile hive)?
SAM (Security Account Manager), Security, Software, System, Default
Windows Registry: Forensic Analysis: What subkey stores information on users, administrator accounts, guest accounts, cryptographic hashes (not plaintext) of every user password, etc.?
SAM (Security Account Manager)
Windows Registry: Forensic Analysis: What subkey stores information on the current user security policy?
Security
Windows Registry: Forensic Analysis: What subkey holds information on the software applications installed and their configuration settings on the system?
Software
Windows Registry: Forensic Analysis: What subkey stores information on the configuration settings of hardware drivers and services?
System
Windows Registry: Forensic Analysis: What hive file stores the default user settings, which are overridden by the NTUSER.dat file of the currently logged-on user?
Default
Windows Registry: Forensic Analysis: Forensic investigators can also use tools such as ______________ to retrieve artifacts related to cyber-crimes from the captured registry files
Hex Workshop
Windows Registry: Forensic Analysis: What is a set of hexadecimal development tools for Microsoft Windows and integrates advanced binary editing and data interpretation and visualization with the ease and flexibility of a modern word processor?
Hex Workshop Hex Editor
Windows Registry: Forensic Analysis: What tool allows one to edit, cut, copy, paste, insert, fill and delete binary data, and to work with data in its native structure and data types using its integrated structure viewer and smart bookmarks?
Hex Workshop
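The cards on the registry structure within a hive file (key, value, subkey list, value list and security descriptor cells) and on examining captured hive files with a hex editor describe what an investigator sees in the raw bytes. The following is an added example, written for this page and not taken from it, from Microsoft, or from any forensic tool, that builds a tiny hive image in memory using the public 'regf' on-disk layout (hbin, nk key cells, vk value cells, value lists, lf subkey lists) and then walks it back the way a registry parser does, recovering each key's LastWrite time and values. The hive content (a SOFTWARE-like root with Run and RunOnce keys and a constructed LastWrite timestamp) is invented for demonstration; the builder omits fields a real hive fills in (parent offsets, security cells, checksums) and so produces a file only this reader should be expected to load.

```python
import struct
from datetime import datetime, timedelta, timezone

HBIN_BASE = 0x1000   # first hbin is 4 KiB into the file; all cell offsets are relative to it
REG_SZ, REG_DWORD = 1, 4
# nk cell: 'nk', flags, LastWrite, access, parent, nsub, nvolsub, sublist, volsublist, nvals,
# vallist, security, class, 4 max-length fields, workvar, namelen, classlen (76 bytes)
NK_FMT = "<2sHQ" + "I" * 15 + "HH"


def filetime_to_dt(ft: int) -> datetime:
    """FILETIME: 100 ns ticks since 1601-01-01 UTC (the LastWrite field of an nk cell)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


class HiveBuilder:
    """Appends cells to one hbin; children are added before their parent so offsets are known."""
    def __init__(self):
        self.cells = b""

    def add(self, payload: bytes) -> int:
        """Store a cell (negative size = allocated, 8-byte aligned); return its hbin-relative offset."""
        size = (len(payload) + 4 + 7) & ~7
        offset = 32 + len(self.cells)          # 32-byte hbin header precedes the first cell
        self.cells += struct.pack("<i", -size) + payload.ljust(size - 4, b"\x00")
        return offset

    def value(self, name: bytes, vtype: int, data: bytes) -> int:
        if len(data) <= 4:                      # small data is stored inline in the offset field
            size, dref = len(data) | 0x80000000, int.from_bytes(data.ljust(4, b"\x00"), "little")
        else:
            size, dref = len(data), self.add(data)
        return self.add(struct.pack("<2sHIIIHH", b"vk", len(name), size, dref, vtype, 1, 0) + name)

    def key(self, name: bytes, last_write: int, subkeys=(), values=()) -> int:
        vlist = self.add(struct.pack("<%dI" % len(values), *values)) if values else 0xFFFFFFFF
        slist = 0xFFFFFFFF
        if subkeys:                             # 'lf' list: count, then (offset, 4-char name hint) pairs
            lf = struct.pack("<2sH", b"lf", len(subkeys))
            for off, subname in subkeys:
                lf += struct.pack("<I4s", off, subname[:4].ljust(4, b"\x00"))
            slist = self.add(lf)
        nk = struct.pack(NK_FMT, b"nk", 0x20, last_write, 0, 0xFFFFFFFF, len(subkeys), 0, slist,
                         0xFFFFFFFF, len(values), vlist, 0xFFFFFFFF, 0xFFFFFFFF, 0, 0, 0, 0, 0,
                         len(name), 0)          # parent/security left unset: constructed hive
        return self.add(nk + name)

    def build(self, root_offset: int) -> bytes:
        hbin_size = (32 + len(self.cells) + 0xFFF) & ~0xFFF
        hbin = struct.pack("<4sIIQQI", b"hbin", 0, hbin_size, 0, 0, hbin_size) + self.cells
        regf = struct.pack("<4sIIQIIIIII", b"regf", 1, 1, 0, 1, 5, 0, 1, root_offset, hbin_size)
        return regf.ljust(HBIN_BASE, b"\x00") + hbin.ljust(hbin_size, b"\x00")


class HiveReader:
    """Walks key cells, value lists, value cells and subkey lists of a hive image."""
    def __init__(self, image: bytes):
        if image[:4] != b"regf" or image[HBIN_BASE:HBIN_BASE + 4] != b"hbin":
            raise ValueError("not a regf hive image")
        self.img = image
        self.root_offset = struct.unpack_from("<I", image, 36)[0]

    def cell(self, offset: int) -> bytes:
        pos = HBIN_BASE + offset
        size = struct.unpack_from("<i", self.img, pos)[0]
        if size >= 0:                            # positive size marks a free (deleted) cell
            raise ValueError(f"cell at 0x{offset:x} is unallocated")
        return self.img[pos + 4:pos - size]

    def value(self, offset: int):
        c = self.cell(offset)
        assert c[:2] == b"vk", "expected a value cell"
        namelen, size, dref, vtype = struct.unpack_from("<HIII", c, 2)
        name = c[0x14:0x14 + namelen].decode("latin-1") or "(Default)"
        data = dref.to_bytes(4, "little")[:size & 0x7FFFFFFF] if size & 0x80000000 else self.cell(dref)[:size]
        if vtype == REG_DWORD:
            return name, int.from_bytes(data, "little")
        if vtype == REG_SZ:
            return name, data.decode("utf-16-le").rstrip("\x00")
        return name, data

    def key(self, offset: int) -> dict:
        c = self.cell(offset)
        assert c[:2] == b"nk", "expected a key cell"
        last_write = struct.unpack_from("<Q", c, 4)[0]
        nsub, slist = struct.unpack_from("<I4xI", c, 0x14)
        nvals, vlist, sk = struct.unpack_from("<III", c, 0x24)
        namelen = struct.unpack_from("<H", c, 0x48)[0]
        node = {"name": c[0x4C:0x4C + namelen].decode("latin-1"), "last_write": filetime_to_dt(last_write),
                "security_offset": sk, "values": [], "subkeys": []}
        if nvals:
            for voff in struct.unpack_from("<%dI" % nvals, self.cell(vlist)):
                node["values"].append(self.value(voff))
        if nsub:
            lst = self.cell(slist)
            assert lst[:2] in (b"lf", b"lh"), "expected a subkey list cell"
            for i in range(struct.unpack_from("<H", lst, 2)[0]):
                node["subkeys"].append(self.key(struct.unpack_from("<I", lst, 4 + i * 8)[0]))
        return node


def build_sample_hive() -> bytes:
    """Constructed SOFTWARE-like hive with Run / RunOnce keys (not a real hive)."""
    b = HiveBuilder()
    ft = 133_500_000_000_000_000             # constructed LastWrite, mid-January 2024
    updater = b.value(b"Updater", REG_SZ, "C:\\Users\\Public\\svc.exe".encode("utf-16-le") + b"\x00\x00")
    enabled = b.value(b"Enabled", REG_DWORD, (1).to_bytes(4, "little"))
    run = b.key(b"Run", ft, values=[updater, enabled])
    runonce = b.key(b"RunOnce", ft - 6_000_000_000)  # 10 minutes earlier, no values
    return b.build(b.key(b"Software", ft, subkeys=[(run, b"Run"), (runonce, b"RunOnce")]))


def find_autoruns(image: bytes):
    """Collect REG_SZ values under any key named Run/RunOnce: (key path, value name, command)."""
    hits = []
    def walk(node, path):
        if node["name"] in ("Run", "RunOnce"):
            hits.extend((path, n, d) for n, d in node["values"] if isinstance(d, str))
        for sub in node["subkeys"]:
            walk(sub, path + "\\" + sub["name"])
    reader = HiveReader(image)
    root = reader.key(reader.root_offset)
    walk(root, root["name"])
    return hits


if __name__ == "__main__":
    img = build_sample_hive()
    for path, name, cmd in find_autoruns(img):
        print(f"{path}\\{name} = {cmd}")
    reader = HiveReader(img)
    for k in reader.key(reader.root_offset)["subkeys"]:
        print(f"{k['name']:<8} LastWrite={k['last_write'].isoformat()} values={k['values']}")
```

Two details matter for the cards above: the key cell carries the LastWrite FILETIME that timeline analysis relies on, and the cell size sign is how a parser tells an allocated cell from a freed one, which is why keyword searching unallocated space in a hive (or in the page file and physical memory, where hive pages are also cached) can turn up keys and values the live registry no longer shows.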