13Cube, I do have a question, I was thinking of using your playlist to better understand DF before I take the plunge and study Giac Sans 500 GCFE. What would you recommend me doing to further increase my chance of passing? Are there other vids or books you recommend as well? Thank you very much!
I'm new to DFIR and a coworker sent me this video! Thanks so much!! Just figured I'd put in the comments: System registry is no longer backed up to the RegBack folder starting in Windows 10 version 1803
Thanks - this is a fairly old video but most of it is still relevant. Check out the other episodes on the channel for more updated content. A wide variety of topics are covered, including Linux and macOS.
@@13Cubed Definitely will do! I find it super helpful how well you link the artifacts to the actual user actions and examples of how it could be used in an investigation :) Thanks so much!
ABSOLUTELY A GEM OF A VIDEO! I learned most of this in college but needed to brush up again. thank you so much for posting this video. (I also love your last name!)
4 หลายเดือนก่อน +6
Love your teaching style Richard! I was wondering, what do you think about the CCD cert?
Thank you :) Regarding the cert, no personal experience with it, but given CyberDefenders's reputation, I'm sure it's good! 13Cubed courses also have certifications, if you are interested. See 13cubed.com/certifications.
This video is a lifesaver. This is very informative and very easy to understand. I am currently about taking the FOR500 course classes. DFIRDiva referred me this TH-cam channel. This is really so helpful, words can express my gratitude for sharing this wealth of knowledge. Once again thank u 13cubed.
Thanks for this video. My job is more IR than DF but I'm taking FOR508 class in about 3 weeks and want to go in a better grasp of forensicating. Planning to study up a bit and play around with SIFT and the tools I got during GCIH before I go. Appreciated!
Vero Ev0 Glad you found it useful. Be sure to check out all the other videos in the series, as well as the memory forensics and malware analysis series.
Thank you for this video! I'm doing my degree on Forensic Computing and this has just helped me understand some things better than the lectures! I've definitely subscribed and I'm really looking forward to more videos
I would love to see more of your lectures and learn from you. I am doing my MS in Computer Forensics, but I always had so little confidence in working with the registry (I was trying to avoid it because it seemed so complicated). Not any more =)
🎯 Key Takeaways for quick navigation: 00:00: Introduction *to Windows Forensics covering basic Windows forensic analysis techniques and artifacts.* 02:35: Explanation *of the Windows Registry structure, its location, and important registry hives (e.g., HKCU, HKLM).* 08:12: Overview *of registry keys like common dialogue 32, last visited PIDL MRU, and open/save PIDL MRU, showing recent file paths and interactions.* 10:47: Discussion *on the "Run MRU" registry key, revealing executed commands from the Run dialog.* 11:54: Exploration *of "Typed Paths" in the registry, indicating explicitly typed paths in Windows Explorer.* 13:17: Introduction *to "UserAssist" registry key, which logs executed programs and provides information on their usage.* 15:11: Explanation *of "Run" and "RunOnce" registry keys in both current user and local machine, detailing programs that start upon login.* 16:47: Introduction *to "Shell Bags" registry artifacts, storing Windows Explorer customization details and persisting information on deleted paths.* 18:18: Demonstration *of "Shell Bags Explorer" tool to parse and view shell bags information, showing evidence of deleted paths.* 21:27: Introduction *to "User Class Dat" registry hive, added in Windows 7 for segmentation of low integrity processes, emphasizing its importance in forensic analysis.* 23:30: Transition *to discussing USB devices in Windows forensics, highlighting the significance of tracking plugged-in USB mass storage devices.* 23:59 Analyzing *registry paths like `hklm system currentcontrolset enum USB store` can reveal information about plugged-in devices, with details such as serial numbers and timestamps.* 25:07 In *forensics, it's crucial not to assume but rely on evidence. The correct registry key (e.g., `controlset 0 0 1`) must be determined by examining the system's registry rather than making assumptions.* 26:41 Examining *the USB store in the registry can provide details about connected USB devices, including serial numbers, manufacturer information, and timestamps of connection.* 28:57 USB *device information, including VID (Vendor ID) and PID (Product ID), can be used to look up the make and model of the device by referencing online databases.* 30:47 Exploring *the Windows registry can reveal information about mounted devices, including volume GUIDs, friendly names, and timestamps, aiding in understanding device usage.* 32:23 The *volume GUID obtained from the registry can help identify the drive letter assigned to the USB device, providing additional insights into the device's usage.* 35:30 Examining *the registry's mounted devices can link a volume GUID to the user who mounted the USB device, offering insights into user activity.* 40:32 Specific *registry keys, like `0 0 6 4`, `0 0 6 6`, and `0 0 6 7`, can reveal valuable information about USB device events, including installation, connection, and removal times.* 42:18 The *setup API logs (e.g., `setupapi.dev.log`) can be referenced to find information about the first installation time of a USB device, providing additional context for forensic analysis.* 43:12 Miscellaneous *registry keys, such as time zone information, computer name, and network configurations, can be crucial for forensic investigations, helping establish a comprehensive understanding of the system.* 49:25 The *NLA registry keys in Windows can be used by forensic investigators to find evidence of every network a machine is connected to. Check the last write time of the key to determine the last time a PC connected to a specific network. The NLA information includes details like default gateway MAC, DNS suffix, SSID, and profile type.* 53:33 Linked *files (LNK files) in Windows contain valuable metadata, including the MAC address of the host computer, original file path, size, and more. Even if a file has been securely erased, analyzing LNK files can provide evidence of its existence. Don't ignore LNK files in forensic investigations.* 58:31 Prefetch *and Superfetch in Windows, designed to improve user experience by caching frequently used data, can be leveraged by forensic investigators. Prefetch files (PF) in the Windows prefetch directory can show evidence of application execution globally for all users on the system. Analyzing PF files provides details like executable name, path, run counter, and last run time. Consider the enable prefetch registry key value (default is 3) to ensure prefetching is enabled.* Made with HARPA AI
Thanks - The latest version of Registry Explorer v1.4.2 gives the details in parsed format directly - no additional tool is needed - even the ROT13 decoding is done
This video is so clear and easy to follow (while at the same time being very informative and professional) that I would like you to make something similar to the MAC OS. Meanwhile, thanks so much for sharing this.
L. Barrera Thanks, be sure to check out the playlist of the same name that contains all of the episodes in the series covering a wide variety of topics.
@@13Cubed Thank you for your prompt reply. I have seen almost all of your youtube videos (I meant, those related to Windows OS and memory forensics). However, I haven't seen any video related to MAC OS forensics (I meant, related to HFS+ or even better, related to APFS and their corresponding operative systems: OS Sierra etc). And again, thanks for sharing so valuable and educative information!!.
Thank you so much for such detailed explanation. Can you please provide those registry data as well for importing to try handson. Or suggest sites to download such entries for analysis
Thank you ! Such an excellent intro to Registry and generic Windows forensics. Great Job!!! Do you know where on Windows 10 can we find Microsoft Egde Forensics info (such as bookmarks stored locally, History stored locally, etc ).
Great, informative video - thank you! What would you recommend to watch/read next (except your channel of course which I subscribe) to widen knowlege on digital forensics topic? Also I have a chance to participate in a SANS training during DFIR Summit in Prague. What would you recommend for a newbie in Forensics? I have a strong background in networking, so I thought about Advanced Network Forensic (FOR572) but from the video and GIAC Roadmap I recon that Windows Forensic (FOR500) would be the best start
Trendnet18 Good to hear! I’ve never done a gold paper, but if you want to research something how about the forensic implications of the Windows Subsystem for Linux (WSL). Lots of good material there...
Each interface will have its own IP address associated with it. I just happened to click on the first GUID, which was this VM's primary adapter. The others could be VPN interfaces, loopback adapters, etc.
The current could have issues, and the last known good could be other than one. This would allow someone to boot and choose the "Last Known Good Configuration" option.
No, just free TH-cam content. If you are looking for something even more in-depth, I would recommend SANS. There are numerous classes available in the DFIR curriculum.
Without taking the GCFE, can I work through all these videos and work through the Windows Forensics book by PHD Philip Polstra instead, and be fine moving into the GCFA?
Possibly, but I would recommend taking Investigating Windows Endpoints and Investigating Windows Memory. Those are comprehensive courses, and both together cover nearly everything in FOR500 and FOR508 (plus a lot of additional detail not covered in either). Both courses also include a certification attempt. See 13cubed.com for more info.
went to through the SANS video. Then came back here man make things so much simpler to understand. Just a question I googled for Broadband and VPN (For user profile)do I follow I keep seeing 243(decimal) for it and 0x17 for VPN. Is this a recent change ?
Interesting - that's entirely possible. However, I cannot find any documentation about this, and my tests were not able to duplicate your findings. If you find anything more about this, please share it.
13Cubed any idea how to duplicate the broadband using mobile phone? I try to test out. Currently its showing up as wireless when I use usb tethering it doesn't show up. later ill put the link to the forum later.
13Cubed ok ill post the link to the forum later. For VPN wise doesn't seem to show up when I use openvpn. Is there a specific method that it records it in the regsitry?
Hi , I justed want to know if someone downladed a file from any of the web browser or downladed from the email what all things in the registry we need to look it out as a part of forensic investigation.
Sumeet Mishra A lot... RecentDocs, RecentFiles, UserAssist for program execution artifacts... really too many to cover here. Most are covered in this video and others in this series.
This was recorded years ago, so for this particular episode, yes. For current stuff, I do use VMs for Windows Server-based episodes, but I have a dedicated DFIR box that I built on which I do all of the lab work for current episodes.
Hello man,, I have a small question... at 10:54 you made a zoom while recording... how did you do that? what are you using for recording ??? or you did it in the editing stage ??? please answer.. Like your work
I use ScreenFlow and Final Cut Pro, but for this old video I think the only thing I used was QuickTime. macOS has a built-in zoom feature which is all I used.
I love the fact that this is still viable in 2023. Thank you!
13Cube, I do have a question, I was thinking of using your playlist to better understand DF before I take the plunge and study Giac Sans 500 GCFE. What would you recommend me doing to further increase my chance of passing? Are there other vids or books you recommend as well? Thank you very much!
Thanks for being so great at explaining the "Why" as well as the "How"!!! Very helpful!!!
I'm new to DFIR and a coworker sent me this video! Thanks so much!!
Just figured I'd put in the comments: System registry is no longer backed up to the RegBack folder starting in Windows 10 version 1803
Thanks - this is a fairly old video but most of it is still relevant. Check out the other episodes on the channel for more updated content. A wide variety of topics are covered, including Linux and macOS.
@@13Cubed Definitely will do! I find it super helpful how well you link the artifacts to the actual user actions and examples of how it could be used in an investigation :) Thanks so much!
This is best video for learning windows forensics Thankyou so much for making this video on Windows forensics
No problem. Check out Investigating Windows Endpoints at 13cubed.com for an even more in-depth full course on Windows forensics!
The best material about digital forensic I know by far. Thanks a lot for this great content. Please keep it up
Thank you for being such a great tutor on the video. I'm a total newbie in the Cybersecurity but I found this is super interesting to learn.
Yo wassup,
How's your journey in cybersecurity till now
ABSOLUTELY A GEM OF A VIDEO! I learned most of this in college but needed to brush up again. thank you so much for posting this video. (I also love your last name!)
Love your teaching style Richard! I was wondering, what do you think about the CCD cert?
Thank you :) Regarding the cert, no personal experience with it, but given CyberDefenders's reputation, I'm sure it's good! 13Cubed courses also have certifications, if you are interested. See 13cubed.com/certifications.
This video is a lifesaver. This is very informative and very easy to understand. I am currently about taking the FOR500 course classes. DFIRDiva referred me this TH-cam channel. This is really so helpful, words can express my gratitude for sharing this wealth of knowledge. Once again thank u 13cubed.
thank for helping me pass the gcfe
and for the star trek the next generation reference
Thank you very much for the great video! It is very helpful for the basic forensic at the company.
Thanks for this video. My job is more IR than DF but I'm taking FOR508 class in about 3 weeks and want to go in a better grasp of forensicating. Planning to study up a bit and play around with SIFT and the tools I got during GCIH before I go. Appreciated!
Vero Ev0 Glad you found it useful. Be sure to check out all the other videos in the series, as well as the memory forensics and malware analysis series.
Hey, you should brand your PDF so I know where I borrowed it from and remember to visit you more often.
Thanks! Excellent video. Would love to see something similar for Mac OS
Thank you for this video! I'm doing my degree on Forensic Computing and this has just helped me understand some things better than the lectures!
I've definitely subscribed and I'm really looking forward to more videos
This is fantastic, man! Thank you so much!
Old one but great one!
I am thinking about switching career paths from CTI to Digital Forensics and this was a great intro. Easy to follow. Thank you!
what's wrong with CTI?
Wow, very nice. Explains things very well
Thank you for such informative and a not boring lesson on Window Registry forensics. I definitely going to share this video with my classmates.
I would love to see more of your lectures and learn from you. I am doing my MS in Computer Forensics, but I always had so little confidence in working with the registry (I was trying to avoid it because it seemed so complicated). Not any more =)
I just saw your videos!! Thank you so much for this!
🎯 Key Takeaways for quick navigation:
00:00: Introduction *to Windows Forensics covering basic Windows forensic analysis techniques and artifacts.*
02:35: Explanation *of the Windows Registry structure, its location, and important registry hives (e.g., HKCU, HKLM).*
08:12: Overview *of registry keys like common dialogue 32, last visited PIDL MRU, and open/save PIDL MRU, showing recent file paths and interactions.*
10:47: Discussion *on the "Run MRU" registry key, revealing executed commands from the Run dialog.*
11:54: Exploration *of "Typed Paths" in the registry, indicating explicitly typed paths in Windows Explorer.*
13:17: Introduction *to "UserAssist" registry key, which logs executed programs and provides information on their usage.*
15:11: Explanation *of "Run" and "RunOnce" registry keys in both current user and local machine, detailing programs that start upon login.*
16:47: Introduction *to "Shell Bags" registry artifacts, storing Windows Explorer customization details and persisting information on deleted paths.*
18:18: Demonstration *of "Shell Bags Explorer" tool to parse and view shell bags information, showing evidence of deleted paths.*
21:27: Introduction *to "User Class Dat" registry hive, added in Windows 7 for segmentation of low integrity processes, emphasizing its importance in forensic analysis.*
23:30: Transition *to discussing USB devices in Windows forensics, highlighting the significance of tracking plugged-in USB mass storage devices.*
23:59 Analyzing *registry paths like `hklm system currentcontrolset enum USB store` can reveal information about plugged-in devices, with details such as serial numbers and timestamps.*
25:07 In *forensics, it's crucial not to assume but rely on evidence. The correct registry key (e.g., `controlset 0 0 1`) must be determined by examining the system's registry rather than making assumptions.*
26:41 Examining *the USB store in the registry can provide details about connected USB devices, including serial numbers, manufacturer information, and timestamps of connection.*
28:57 USB *device information, including VID (Vendor ID) and PID (Product ID), can be used to look up the make and model of the device by referencing online databases.*
30:47 Exploring *the Windows registry can reveal information about mounted devices, including volume GUIDs, friendly names, and timestamps, aiding in understanding device usage.*
32:23 The *volume GUID obtained from the registry can help identify the drive letter assigned to the USB device, providing additional insights into the device's usage.*
35:30 Examining *the registry's mounted devices can link a volume GUID to the user who mounted the USB device, offering insights into user activity.*
40:32 Specific *registry keys, like `0 0 6 4`, `0 0 6 6`, and `0 0 6 7`, can reveal valuable information about USB device events, including installation, connection, and removal times.*
42:18 The *setup API logs (e.g., `setupapi.dev.log`) can be referenced to find information about the first installation time of a USB device, providing additional context for forensic analysis.*
43:12 Miscellaneous *registry keys, such as time zone information, computer name, and network configurations, can be crucial for forensic investigations, helping establish a comprehensive understanding of the system.*
49:25 The *NLA registry keys in Windows can be used by forensic investigators to find evidence of every network a machine is connected to. Check the last write time of the key to determine the last time a PC connected to a specific network. The NLA information includes details like default gateway MAC, DNS suffix, SSID, and profile type.*
53:33 Linked *files (LNK files) in Windows contain valuable metadata, including the MAC address of the host computer, original file path, size, and more. Even if a file has been securely erased, analyzing LNK files can provide evidence of its existence. Don't ignore LNK files in forensic investigations.*
58:31 Prefetch *and Superfetch in Windows, designed to improve user experience by caching frequently used data, can be leveraged by forensic investigators. Prefetch files (PF) in the Windows prefetch directory can show evidence of application execution globally for all users on the system. Analyzing PF files provides details like executable name, path, run counter, and last run time. Consider the enable prefetch registry key value (default is 3) to ensure prefetching is enabled.*
Made with HARPA AI
Thanks - The latest version of Registry Explorer v1.4.2 gives the details in parsed format directly - no additional tool is needed - even the ROT13 decoding is done
Donde compras o descargas la version legal. Registry Explorer
Thanks for you contribution. This will be my guideline (initial guideline, btw) to the DFIR world.
This video is so clear and easy to follow (while at the same time being very informative and professional) that I would like you to make something similar to the MAC OS. Meanwhile, thanks so much for sharing this.
L. Barrera Thanks, be sure to check out the playlist of the same name that contains all of the episodes in the series covering a wide variety of topics.
@@13Cubed Thank you for your prompt reply. I have seen almost all of your youtube videos (I meant, those related to Windows OS and memory forensics). However, I haven't seen any video related to MAC OS forensics (I meant, related to HFS+ or even better, related to APFS and their corresponding operative systems: OS Sierra etc). And again, thanks for sharing so valuable and educative information!!.
L. Barrera No macOS episodes yet, but they are coming. 😁
@@13Cubed Thank you. I look forward for them. Best wishes!
Excellent video. I really like the way you explain and show things. Thanks a lot for taking your time. Love it :)
Very helpful... Congratulations Thank You very much.
Thank you so much for such detailed explanation. Can you please provide those registry data as well for importing to try handson. Or suggest sites to download such entries for analysis
Great videos. They are well structured. Easy to understand, not boring and very interesting.
Great video, things are very clear now. Thanks a lot
Thank you.and l am a rookie and watch your videos i learning more
Thank you ! Such an excellent intro to Registry and generic Windows forensics. Great Job!!!
Do you know where on Windows 10 can we find Microsoft Egde Forensics info (such as bookmarks stored locally, History stored locally, etc ).
Thanks for that. It`s great!!!
Great, informative video - thank you! What would you recommend to watch/read next (except your channel of course which I subscribe) to widen knowlege on digital forensics topic?
Also I have a chance to participate in a SANS training during DFIR Summit in Prague. What would you recommend for a newbie in Forensics? I have a strong background in networking, so I thought about Advanced Network Forensic (FOR572) but from the video and GIAC Roadmap I recon that Windows Forensic (FOR500) would be the best start
Nice work And great struggle 👏
Thank very Much for your lecture. is very helpful forensic student.
Great Videos. Can you please make a video on SSD acquisition and encrypted drive forensics?
Jheel rathod Appreciate the suggestion. I will add this to my list.
Great introduction.Found it very helpful,thank you.
thanks for the vid! Learned a lot!
thank you for the video it was very helpful
I can't find Dcode V4 tool where can I find it
www.digital-detective.net/dcode/
@@13Cubed yes i know that but it doesn't work well like V5 and and V4
Thank you so much for the video series that you provided!! Helped me a lot to pass my GCFE exam! Any suggestions with regards to getting the GOLD?
Trendnet18 Good to hear! I’ve never done a gold paper, but if you want to research something how about the forensic implications of the Windows Subsystem for Linux (WSL). Lots of good material there...
Ok thanks l'll look it up. Btw are courses from pentester academy any good?
Not sure - not familiar with them.
THANK YOU!!!
Thank you!
VERY HELPFUL THANKS !!!
thanks!
Thanks for sharing ! Really nice.
thank you !
Muy bueno, donde descargo
Registry Explorer
¡Gracias! Me alegro de que te haya gustado. ericzimmerman.github.io/#!index.md
great Video! thanks a lot. can you please provide a SANS 408 Index?
ty for this brah
Would like to see a video on Anti- forensics detection, $usnjournal etc.
sarath kumar Appreciate the suggestion, and I will add it to my list.
This. Is. Amaziiiiiiiiiiiiiiiing.
interesting!
Love it
48:35 how do we know what IP address was assigned as there were 4 different entries under interfaces?
Each interface will have its own IP address associated with it. I just happened to click on the first GUID, which was this VM's primary adapter. The others could be VPN interfaces, loopback adapters, etc.
You might have invented a word : ) " forensicating " @ 14:50
Not to take credit away from the excellent human this this youtuber is, but "forensicating" is a fairly common euphemism in DFIR community
At minute 25:05. Could there be a case in which current control set could be 1 but last known good other than 1. If yes , how is that possible?
The current could have issues, and the last known good could be other than one. This would allow someone to boot and choose the "Last Known Good Configuration" option.
Hello 13Cubed. any plans in releasing a udemy course?
No, just free TH-cam content. If you are looking for something even more in-depth, I would recommend SANS. There are numerous classes available in the DFIR curriculum.
The cheat sheet will not download, using Chrome or Firefox. Can this be fixed? Thank you.
Where can I find that dfir cheat sheet?
Go to 13cubed.com, then Downloads. You'll see it (and others) listed there.
Without taking the GCFE, can I work through all these videos and work through the Windows Forensics book by PHD Philip Polstra instead, and be fine moving into the GCFA?
Possibly, but I would recommend taking Investigating Windows Endpoints and Investigating Windows Memory. Those are comprehensive courses, and both together cover nearly everything in FOR500 and FOR508 (plus a lot of additional detail not covered in either). Both courses also include a certification attempt. See 13cubed.com for more info.
@@13Cubed Do they cover Windows 11?
@@deathofasellout Yes, absolutely.
I am unable to download register explorer, is it possible to get the link
7:00 How did you get copies of the files?
On a live system, you could use FTK Imager, KAPE, RawCopy, or anything that provides raw disk access.
went to through the SANS video. Then came back here man make things so much simpler to understand. Just a question I googled for Broadband and VPN (For user profile)do I follow I keep seeing 243(decimal) for it and 0x17 for VPN. Is this a recent change ?
Interesting - that's entirely possible. However, I cannot find any documentation about this, and my tests were not able to duplicate your findings. If you find anything more about this, please share it.
13Cubed any idea how to duplicate the broadband using mobile phone? I try to test out. Currently its showing up as wireless when I use usb tethering it doesn't show up. later ill put the link to the forum later.
Trendnet18 Pretty sure it would have to be an internal WWAN card and not tethering via cell phone to show up in that way.
13Cubed ok ill post the link to the forum later. For VPN wise doesn't seem to show up when I use openvpn. Is there a specific method that it records it in the regsitry?
Trendnet18 Try VPN services built into the OS.
Hi , I justed want to know if someone downladed a file from any of the web browser or downladed from the email what all things in the registry we need to look it out as a part of forensic investigation.
Sumeet Mishra A lot... RecentDocs, RecentFiles, UserAssist for program execution artifacts... really too many to cover here. Most are covered in this video and others in this series.
Personal Timestamp: 21:34
Seems like Forensics Wiki is no more. What happened?
I don't know -- I was wondering the same thing.
Hi, Will you be doing any on the BAM/DAM and RecentApps forensic artifacts? Trying to find some info.
Do you run your analysis environment in a VM? I want to keep my studying of this separate from my personal system as much as possible.
This was recorded years ago, so for this particular episode, yes. For current stuff, I do use VMs for Windows Server-based episodes, but I have a dedicated DFIR box that I built on which I do all of the lab work for current episodes.
Thanks a lot for the video!! What if we delete/rename ntuser.dat file?
Hello man,, I have a small question... at 10:54 you made a zoom while recording... how did you do that? what are you using for recording ??? or you did it in the editing stage ???
please answer..
Like your work
I use ScreenFlow and Final Cut Pro, but for this old video I think the only thing I used was QuickTime. macOS has a built-in zoom feature which is all I used.
@@13Cubed thank my friend ... I am still watching your videos right this moment... Learning forensics 😉