
LAB ASSIGNMENT-05

CYBER FORENSICS

Name: M Sai Sarwesh


Reg-No: 19BCI0037
Course Name: BCI4001 — Cyber Forensics and Investigation
Slot: L55+L56
Date: November 13th 2021
AIM: To explore Windows Registry and Xiao Steganography tool
Procedure:

Xiao steganography
Procedure:
1. Open Xiao Steganography.

2. Then select Add Files.

3. Click on Load Target File and load the file into which we need to embed another
file. For example, I added sample3.wav as my target file.
4. Select Next to add the file which we need to embed in the target file.

5. Click on Add File and then select the file to be embedded in the target file. For
example, I added the Hacker.txt file.
6. Click on Next and then select the encryption and hashing algorithms, then
add the password. For example, I selected the RC2 encryption algorithm and the MD5
hashing algorithm and gave the password as 12345.

7. Wait for the confirmation message. The tool then asks for the location and file
name under which to save the embedded file. I saved it as encoded.wav.
8. Now, let's extract the files. Select Extract Files.

9. Load the source file, which is the embedded file, encoded.wav.

10. Click on Next and then enter the password, which is 12345, and we can see the
files embedded in the target file.

11. After entering the password, click on extract file. Then give the file name and
location to save it. Then we can access the embedded file.
Conclusion:
The tool is very easy to use, runs fast, and can encrypt with several famous
algorithms; hashing algorithms can also be used while embedding a file. But the tool
only supports small files. Xiao Steganography is a good tool for beginners in
steganography to understand it.

Windows Registry
1. Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
2. Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
3. Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
4. Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
5. Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
6. Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
7. Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
8. Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
9. Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
10. Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
11. Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\BagMRU
12. Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags
13. Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
14. Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Portable Devices\Devices
15. Computer\HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
16. Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\LP_Q__Dell Portable Hard Drive_4232871584
17. Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
18. Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
19. Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares
20. Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
21. Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{82c65376-2838-4a8c-9cc3-aae491fa0e3f}
22. Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
23. Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\Home
24. Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{026078EB-6505-4993-AE83-CA8C4BB9FF08}
25. Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
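
An added example, not part of the original lab report: a Python script that parses the text of a `reg export` dump and pulls out two of the artifacts listed above, the Run/RunOnce autostart commands (items 7 to 10) and the program names stored ROT13-encoded as value names under UserAssist (item 6). The sample export, its paths and the function names are constructed for illustration.

```python
import codecs
import re

# Constructed sample in `reg export` text format (not taken from the lab machine).
# Real exports are UTF-16; decode the file to str before passing it in.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\demo\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Temp\\cleanup.cmd"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count]
"P:\\Gbbyf\\KvnbFgrtnabtencul.rkr"=hex:00,00,00,00,03,00,00,00
'''

SECTION = re.compile(r'^\[(.+)\]$')
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def unescape(s):
    """Undo the .reg escaping of backslashes and double quotes."""
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; non-string data is kept raw."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE.match(line)
        if m and current is not None:
            name, data = unescape(m.group(1)), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = unescape(data[1:-1])  # REG_SZ string value
            current[name] = data
    return keys

def autoruns(keys):
    """(key, value name, command) for each value under a Run or RunOnce key."""
    suffixes = (r'\CurrentVersion\Run', r'\CurrentVersion\RunOnce')
    return [(k, n, d) for k, vals in keys.items()
            if k.endswith(suffixes) for n, d in vals.items()]

def userassist_programs(keys):
    """ROT13-decode the value names under the UserAssist Count subkeys."""
    return [codecs.decode(n, 'rot_13') for k, vals in keys.items()
            if r'\Explorer\UserAssist' in k and k.endswith(r'\Count') for n in vals]
```
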

THANK YOU SIR
