DIGITAL FORENSIC REPORT

Examine an HKCU hive for evidence of unauthorized access. Read the scenario carefully, as you may consider it interview notes with your client. This is often one of the first real examination tasks you’re likely to encounter and will be a test of your ability to make inferences, be thorough in your search, and document your examination.

Instructions
You’ll need to use the following resources to complete the assignment:

Investigation 01 Sample Evidence located in the Virtual Lab
A registry analysis tool, such as Registry Explorer by Eric Zimmerman located in the Virtual Lab
After reading the Investigation 01 scenario, open your forensic tool and import the sample evidence into it. Begin a forensic report and start your search. As you do, take special note of the answers to the questions below. They are the questions that need to be answered to reach a logical conclusion for this scenario. They are provided here, but in future assignments you will be required to formulate these questions on your own.


Scenario
This scenario takes place circa 2012. You were recently contacted by Nick Fury of S.H.I.E.L.D. to investigate a suspected corporate espionage incident. They have reason to believe that S.H.I.E.L.D. was infiltrated by an enemy spy who used the generic vibranium account to access and exfiltrate sensitive information from an endpoint connected to the SHIELD network with the hostname nromanoff. Nick Fury believes that the culprit may be a recently terminated employee named Jim Tandy. Jim was recently fired under suspicion of leaking confidential information to Hydra. Your job will be to examine the NTUSER.DAT file containing the HKCU registry hive for the vibranium user to determine the answers to the following questions.

Questions
What was the most recent keyword that the user vibranium searched for using Windows Search on the nromanoff system?
How many times did the vibranium account run excel.exe on the nromanoff system?
When was this program last run?
What is the most recent Typed URL in the vibranium NTUSER.DAT?
List the last five files that were accessed, in order, with the time they were accessed.


Sample Solution

Objective: Analyze the HKCU registry hive for the “vibranium” user on the “nromanoff” system to investigate potential unauthorized access and data exfiltration.

Tools:

  • Registry Explorer by Eric Zimmerman (provided in Virtual Lab)
  • Investigation 01 Sample Evidence (provided in Virtual Lab)

Procedure:

  1. Import NTUSER.DAT: Launch Registry Explorer and import the “NTUSER.DAT” file from the Investigation 01 Sample Evidence, representing the HKCU hive for the “vibranium” user.

  2. Windows Search History:

    • Navigate to: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Windows Search
    • Examine the values under the “Search” key. The most recently searched keyword will be the last value listed (for example, a value whose data reads “TopSecretPlans”).
  3. Excel Usage:

    • Navigate to: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
    • The “excel.exe” value will indicate how many times excel.exe was run.
    • The timestamp associated with the value will reflect the last time it was run.
  4. Typed URLs:

    • Navigate to: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedURLs
    • Examine the value names under the “TypedURLs” key. The most recent URL will be the last value name.
  5. Recent Document Access:

    • Navigate to: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
    • Examine the value names under the “RecentDocs” key. These represent the most recently accessed files in the order they were accessed. The timestamp associated with the value will reflect the access time.
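
The procedure above reads these keys interactively in Registry Explorer. The following Python script is an added illustration, not part of the assignment or of Registry Explorer, of how the raw value data behind steps 2 and 5 is decoded. In Windows 7-era hives, RecentDocs and the Explorer search-history key (WordWheelQuery) each keep one numbered value per entry plus an MRUListEx value, a list of little-endian DWORDs naming the entries most-recent-first and ending in 0xFFFFFFFF; the numbered value names themselves are allocation order, not access order. Each entry begins with a NUL-terminated UTF-16LE string (RecentDocs appends a shell item after it). Timestamps exist only at key level, as the key’s LastWrite FILETIME, so only the newest entry can be dated from the key alone. All byte values and the LastWrite time below are constructed sample data, not taken from the Investigation 01 evidence.

```python
import struct
from datetime import datetime, timedelta, timezone

# --- constructed sample data (not from the Investigation 01 evidence) ----------

def _u16z(s: str) -> bytes:
    """UTF-16LE string with the double-NUL terminator Explorer writes."""
    return s.encode("utf-16-le") + b"\x00\x00"

# RecentDocs-style values: filename followed by an opaque shell item (dummy bytes here).
SAMPLE_RECENTDOCS = {
    "MRUListEx": struct.pack("<7I", 4, 2, 0, 5, 1, 3, 0xFFFFFFFF),
    "0": _u16z("budget_2012.xlsx") + b"\x14\x00\x32\x00",
    "1": _u16z("meeting_notes.docx") + b"\x16\x00\x32\x00",
    "2": _u16z("supplier_list.csv") + b"\x15\x00\x32\x00",
    "3": _u16z("readme.txt") + b"\x0e\x00\x32\x00",
    "4": _u16z("TopSecretPlans.pdf") + b"\x16\x00\x32\x00",
    "5": _u16z("q3_forecast.xlsx") + b"\x16\x00\x32\x00",
}
# Search-history-style values: just the keyword, no shell item.
SAMPLE_SEARCH = {
    "MRUListEx": struct.pack("<4I", 1, 0, 2, 0xFFFFFFFF),
    "0": _u16z("vibranium"),
    "1": _u16z("TopSecretPlans"),
    "2": _u16z("payroll"),
}
# Key LastWrite time as the hive stores it: FILETIME, 100 ns ticks since 1601-01-01 UTC.
FILETIME_UNIX_EPOCH = 116444736000000000  # 1970-01-01T00:00:00Z as a FILETIME
SAMPLE_LASTWRITE = FILETIME_UNIX_EPOCH + int(
    datetime(2012, 5, 14, 9, 30, tzinfo=timezone.utc).timestamp()) * 10_000_000


# --- decoding -----------------------------------------------------------------

def parse_mrulistex(blob: bytes) -> list:
    """Entry indices most-recent-first; stops at the 0xFFFFFFFF terminator."""
    order = []
    usable = blob[: len(blob) - len(blob) % 4]  # iter_unpack needs whole DWORDs
    for (idx,) in struct.iter_unpack("<I", usable):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def decode_mru_name(blob: bytes) -> str:
    """Decode the leading NUL-terminated UTF-16LE string, ignoring any shell item after it."""
    for i in range(0, len(blob) - 1, 2):      # terminator must sit on an even offset
        if blob[i] == 0 and blob[i + 1] == 0:
            return blob[:i].decode("utf-16-le")
    return blob.decode("utf-16-le", errors="replace")  # unterminated: best effort


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME tick count to an aware UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def ordered_entries(values: dict) -> list:
    """(value name, decoded entry) pairs in MRU order; indices with no value are skipped."""
    out = []
    for idx in parse_mrulistex(values["MRUListEx"]):
        blob = values.get(str(idx))
        if blob is not None:
            out.append((str(idx), decode_mru_name(blob)))
    return out


def recent_report(values: dict, key_lastwrite: int, limit: int = 5) -> list:
    """Report rows for the newest entries. Values carry no timestamps of their own,
    so only rank 1 is dated (with the key's LastWrite); the others are ordered but undated."""
    rows = []
    for rank, (vname, entry) in enumerate(ordered_entries(values)[:limit], start=1):
        rows.append({
            "rank": rank,
            "value": vname,
            "entry": entry,
            "time_utc": filetime_to_datetime(key_lastwrite).isoformat() if rank == 1 else None,
        })
    return rows


if __name__ == "__main__":
    print("Most recent search keyword:", ordered_entries(SAMPLE_SEARCH)[0][1])
    for row in recent_report(SAMPLE_RECENTDOCS, SAMPLE_LASTWRITE):
        print(row)
```

On the sample data the most recent keyword decodes as “TopSecretPlans” (MRUListEx starts with index 1, even though value “0” was written first), and the RecentDocs list comes out as TopSecretPlans.pdf, supplier_list.csv, budget_2012.xlsx, q3_forecast.xlsx, meeting_notes.docx, with the key’s LastWrite of 2012-05-14 09:30 UTC attached to the first entry only. When writing the report, take the access order from MRUListEx rather than from the numeric value names, and take the timestamp from the key (or its per-extension subkeys), not from the values.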

Analysis:

1. Most Recent Keyword Searched:

By examining the values under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Windows Search, we can identify the most recent keyword searched using Windows Search.

2. Excel Usage:

The number of times “excel.exe” was run and the last run time can be determined by examining the values and timestamps under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.

3. Most Recent Typed URL:

The most recent URL visited by the “vibranium” user can be found by examining the value names under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedURLs.

4. Last Five Accessed Files:

The last five accessed files, along with their access times, can be identified by examining the value names and timestamps under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs.

Note: Because the sample evidence is a static file that is not reproduced here, specific results such as file names or timestamps cannot be provided. The steps above outline the process for uncovering this information during an actual forensic examination.

Deliverables:

The final report should include:

  • Details of the forensic process undertaken.
  • Findings for each of the questions investigated, including the most recent search term, excel.exe usage statistics, most recent URL, and a list of the last five accessed files with timestamps (if possible).
  • Any additional observations or potential indicators of unauthorized access based on the registry entries.

Disclaimer: This analysis simulates a forensic examination and should not be considered a substitute for a professional investigation.
