CST 2580
Digital Incident Scene Investigation & Analysis
Lecture 15
Examination: System Activity
David Neilson
This Week
• Examination
• System time
• Windows Registry
• Logs
• Attached devices
• pagefile.sys & hiberfil.sys

© Middlesex University This week | 2


System vs User Activity
• Activity on a typical digital system consists of two major components:
• System Activity
  • Activity that takes place in the background without the direct input or knowledge of the user
  • E.g. system registry and config, event logs
• User Activity
  • Activity that is related to the actions of specific users
  • E.g. media files, communication


System Information
• Most forensic software suites are able to produce a summary of basic system information which would be regarded as of interest and value to any case
• The data that they show can be regarded as key identifiers of the system you are examining
• Data is usually extracted from the relevant registry keys
• Therefore it is a good idea to include them in any forensic report
• Can also have value for future work if the case is continued or reopened
• This data can also be used in larger investigations to show the footprint of the suspect device throughout internet or cloud connections
System Information – User Accounts
• The software will also usually create a list of user accounts that can be found on the system
• They provide details of the user accounts and permissions
  • SID – Security Identifier
  • Login Name
  • Creation timestamp
  • Number of logins
• Each one of these user accounts should be processed to ensure that all locations can be examined
• This will allow recovery of the NTUSER.DAT file, which is the registry file tracking a user's activity
  • There is one in each user account
System Account Manager



System Time
• Timestamps reported by the file system are dependent upon the file system where the data is stored
• FAT file systems record the time provided by the host system
  • Commonly referred to as local time
• NTFS uses Coordinated Universal Time – UTC
  • Primary method by which the world regulates and agrees on the current time
  • Is set the same as GMT and is not affected by daylight saving time
  • Widely used e.g. weather, aviation, internet protocols


World Time Zones



Establish local time
• So how can we establish what the local time is?
• Usually the case will be in the same time zone as the examination, so this will be known
• NTFS uses these time zones as offsets which are stored as a value in a registry key
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Time Zones
• This offset is then used to translate the UTC times into local times for the system
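Worked example added for this lecture (not part of the original slides): decoding an NTFS FILETIME to UTC, decoding a FAT date/time pair that is already in local time, and applying the machine's stored time zone bias. It assumes the ActiveTimeBias value under SYSTEM\CurrentControlSet\Control\TimeZoneInformation, the key where Windows keeps the offset currently in force; all sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

# Windows stores NTFS and registry timestamps as FILETIME: a 64-bit count of
# 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(filetime: int) -> datetime:
    """Decode a FILETIME (file MAC times, registry key last-write time) to UTC."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)

def fat_to_local(fat_date: int, fat_time: int) -> datetime:
    """Decode the packed 16-bit FAT date/time fields, which hold host local time."""
    year = 1980 + (fat_date >> 9)
    month = (fat_date >> 5) & 0x0F
    day = fat_date & 0x1F
    hour = fat_time >> 11
    minute = (fat_time >> 5) & 0x3F
    second = (fat_time & 0x1F) * 2          # FAT has only 2-second resolution
    return datetime(year, month, day, hour, minute, second)   # naive: local time

def signed_dword(value: int) -> int:
    """Registry DWORDs are unsigned; a zone east of UTC stores its bias in two's complement."""
    return value - (1 << 32) if value > 0x7FFFFFFF else value

def utc_to_local(utc: datetime, active_time_bias: int) -> datetime:
    """Apply ActiveTimeBias (minutes) from SYSTEM\\...\\Control\\TimeZoneInformation.

    Windows defines the bias so that UTC = local + bias, hence local = UTC - bias.
    A UK machine on British Summer Time stores -60 (raw DWORD 0xFFFFFFC4).
    """
    bias = signed_dword(active_time_bias)
    return (utc - timedelta(minutes=bias)).replace(tzinfo=None)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real image.
    ft = 131968593320000000                 # 2019-03-12 10:15:32 UTC
    utc = filetime_to_utc(ft)
    print("NTFS (UTC):  ", utc.isoformat())
    print("Local (BST): ", utc_to_local(utc, 0xFFFFFFC4).isoformat())
    print("FAT (local): ", fat_to_local(0x4E6C, 0x51F0).isoformat())
```

The same FILETIME decoding applies to the registry key last write time discussed on the next slide, which is also stored in UTC.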


Windows Registry
• The Windows registry is a collection of files and configuration settings that are essential to the smooth running of the host OS
• What type of information is stored here?
  • System information e.g. OS version, settings etc
  • User information e.g. user accounts, permissions
  • Application information e.g. installed apps and config settings
  • Activity history e.g. user and system activity, MRU lists
• Each key has a value called last write time – this can be critical in establishing when the value was changed


Registry Files
• System Registry Files
  • Location = \Windows\System32\config\
  • Main Keys = SAM, Security, Software, System
• User Registry Files
  • Current user data is used when viewing the registry natively
  • Win XP - Location = \Documents and Settings\{User}\NTUSER.DAT
  • Win 7/8/10 - Location = \Users\{user}\NTUSER.DAT


Main files
• SAM
  • Security Accounts Manager – contains details of all user accounts and hashed passwords – some tools allow recovery
• Security
  • Relates to security of the system – enforces security policies
• Software
  • Application settings and Windows settings. Mostly used by application and system installers
• System
  • Details of Windows system setup, connected devices etc
• NTUSER.DAT
  • User settings, MRU lists etc


Registry Structure
• Consists of 5 main hives:
  • HKEY_CLASSES_ROOT (HKCR): This hive stores information about drag and drop rules, program shortcuts, the user interface, and related items.
  • HKEY_CURRENT_USER (HKCU): It stores information about the currently logged on user including desktop settings, user folders, etc.
  • HKEY_LOCAL_MACHINE (HKLM): This can also be important to a forensic investigation. It contains those settings common to the entire machine, regardless of the individual user.
  • HKEY_USERS (HKU): It has profiles for all the users including their individual settings.
  • HKEY_CURRENT_CONFIG (HCU): This hive contains the current system configuration.


Main Hives
• The main hives contain a vast list of the Keys and
Subkeys relating to different parts of the OS



Registry Viewer
• Can be accessed from native Windows system
• From start menu type regedit as I will show



Devices
• The registry also holds information about devices which have been connected to the machine
• These can be invaluable as they allow connections to be made between different evidential items
  • If we were examining a suspect device and had seen that a USB device with a particular serial number had been connected to the machine
  • If the actual device is then recovered it allows us to verify any findings about the device that were discovered through analysis of the image
• It can also make investigators aware of other devices which they need to look out for and which may need to be recovered
Connected Devices Location
• The following list shows the registry locations for connected devices
  • SYSTEM\CurrentControlSet\Enum\USBSTOR
  • SYSTEM\CurrentControlSet\Enum\USB
  • SYSTEM\CurrentControlSet\Enum\SCSI
  • SYSTEM\CurrentControlSet\Enum\HID (peripherals)
• It is also possible to find the first time the device was plugged in by viewing
  • C:\Windows\setupapi.log in Windows XP
  • C:\Windows\inf\setupapi.dev.log in Windows 7 onwards
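Added example, not from the slides: parsing a USBSTOR key path into vendor, product, revision and instance ID, checking whether that instance ID is a genuine device serial, and pulling the first-install time for the same device from a setupapi.dev.log excerpt. The key path and log lines are constructed sample data written in the real formats.

```python
import re
from datetime import datetime
from typing import Optional

# Constructed sample data, not from the slides or a real case: a device key path
# as found under SYSTEM\CurrentControlSet\Enum\USBSTOR and an excerpt in the
# format of C:\Windows\inf\setupapi.dev.log for the same device.
USBSTOR_KEY = r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001230101010102&0"
SETUPAPI_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\\4C530001230101010102&0]
>>>  Section start 2019/03/12 10:15:32.123
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2019/03/12 10:15:33.456
<<<  [Exit status: SUCCESS]
"""

def parse_usbstor(key_path: str) -> dict:
    """Split a USBSTOR key path into vendor, product, revision and instance ID."""
    device_class, instance = key_path.split("\\")[1:3]
    fields = dict(part.split("_", 1) for part in device_class.split("&")[1:])
    return {
        "vendor": fields.get("Ven", ""),
        "product": fields.get("Prod", ""),
        "revision": fields.get("Rev", ""),
        "instance_id": instance,
        # If the device reported no serial number, Windows generates an instance
        # ID whose second character is '&'. Such an ID cannot tie findings to one
        # physical device, so a report should state that explicitly.
        "serial_is_unique": instance[1:2] != "&",
    }

def first_install_time(log_text: str, instance_id: str) -> Optional[datetime]:
    """Return the 'Section start' time of the install entry for this instance ID.

    setupapi.dev.log records local system time, not UTC, so convert before
    comparing with NTFS or registry timestamps.
    """
    lines = log_text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if line.startswith(">>>  [Device Install") and instance_id in line:
            m = re.match(r">>>  Section start (\S+ \d\d:\d\d:\d\d)", lines[i + 1])
            if m:
                return datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
    return None
```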


Most Recently Used Lists - MRU
• A lot of suites also generate what are called Most Recently Used lists (MRU)
• The registry keeps a record of the most recently used applications, documents, URLs, search terms etc
• Tend to keep only the most recent 10 items, but these are of high interest to the examiner
• They represent the most recent activity on the suspect device up to the point it was seized and imaged
• As each new item enters the list the oldest will leave, meaning it is only useful for recent history


Log Files
• Log files can provide a wealth of useful information
• Can also be extremely difficult to read and interpret – poor config can make this worse
• Amount of data can be overwhelming, but this volume can also make it hard for an attacker to remove events
• Two main types of log file to be found
  • System Logs
    • E.g. those created by the Operating System e.g. installation records, event logs
  • Application Logs
    • E.g. created through use of other software – related to specific activity of the software


Event Logs
• Windows Operating System uses event logs to maintain a record of system activity
• Three main log files, all with .evt (WinXP) or .evtx extension:
  • Application
  • Security
  • System
• Locations
  • Windows XP - \Windows\system32\config
  • Windows Vista/7/8/10 - \Windows\system32\winevt\Logs


Event Logs
• Large number of events are stored
• Each type of event has an Event ID
• System – SysEvent
  • Keeps a log of events logged by the OS
  • E.g. hardware changes, device drivers, other system changes
• Security – SecEvent
  • E.g. Logon/Logoff activity
  • Events logged are determined by the system audit policy
• Application – AppEvent
  • Significant events by applications using the Windows API
  • E.g. Application failure


Windows Event Viewer
• Easily found in Control panel > Administrative tools



Event Log IDs
• Event logs make use of a large number of Event IDs based on the type of activity
• Examples – System
  • System startup – XP = #6009 / Win 7/8/10 = #12
  • System Shutdown – XP = #6006 / Win 7/8/10 = #13
• Examples – Security
  • Login attempt successful – XP = #528 / Win 7/8/10 = #4648/4624
  • Logoff attempt unsuccessful – XP = #538 / Win 7/8/10 = #4647/4634
  • Logon failure – XP = #529-537, 539 / Win 7/8/10 = #4625
  • Password change – XP = #627 / Win 7/8/10 = #4723/4614
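Added example, not from the slides: a small triage script that uses the system and logon IDs listed above (both the XP and the Win 7/8/10 numbering) to classify event records and flag an account that logged on successfully shortly after a burst of failures, the kind of pattern an examiner looks for in a timeline. The records are constructed, and the category names and five-minute window are this example's own choices.

```python
from collections import Counter
from datetime import datetime, timedelta

# Event IDs as listed on the slide, keyed by Windows generation.
LOGON_SUCCESS = {"xp": {528}, "win7+": {4624, 4648}}
LOGON_FAILURE = {"xp": set(range(529, 538)) | {539}, "win7+": {4625}}
LOGOFF        = {"xp": {538}, "win7+": {4634, 4647}}
STARTUP       = {"xp": {6009}, "win7+": {12}}
SHUTDOWN      = {"xp": {6006}, "win7+": {13}}
CATEGORIES = (("logon_success", LOGON_SUCCESS), ("logon_failure", LOGON_FAILURE),
              ("logoff", LOGOFF), ("startup", STARTUP), ("shutdown", SHUTDOWN))

def classify(event_id: int, generation: str) -> str:
    """Map an Event ID to a category name for the given OS generation."""
    for label, table in CATEGORIES:
        if event_id in table[generation]:
            return label
    return "other"

# Constructed sample records, not real log data: (UTC timestamp, Event ID, account).
SAMPLE_EVENTS = [
    ("2019-03-12 09:58:01", 12, "-"),
    ("2019-03-12 10:01:10", 4625, "jsmith"),
    ("2019-03-12 10:01:14", 4625, "jsmith"),
    ("2019-03-12 10:01:19", 4625, "jsmith"),
    ("2019-03-12 10:01:25", 4624, "jsmith"),
    ("2019-03-12 10:40:00", 4634, "jsmith"),
    ("2019-03-12 17:02:44", 13, "-"),
]

def summarise(events, generation="win7+", window=timedelta(minutes=5), threshold=3):
    """Count events per category and flag accounts whose successful logon follows
    at least `threshold` failures within `window` (a sign of password guessing)."""
    counts = Counter(classify(eid, generation) for _, eid, _ in events)
    flagged = []
    failures = {}                      # account -> timestamps of recent failures
    for ts, eid, account in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        kind = classify(eid, generation)
        if kind == "logon_failure":
            failures.setdefault(account, []).append(t)
        elif kind == "logon_success":
            recent = [f for f in failures.pop(account, []) if t - f <= window]
            if len(recent) >= threshold:
                flagged.append((account, ts, len(recent)))
    return counts, flagged
```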


Additional research
• Shellbags
• User Assist
• Application logs



Apple Mac
• The Console application can be used to view event logs
on an Apple Macbook



Disadvantages
• The event logging service can be disabled in the OS
• Data can be modified e.g. timestamps, usernames, computer name
• Can be transferred from one machine to another
• Timestamps are recorded using the local system clock so can be inaccurate


Application Logs
• Logs which are specific to individual applications
• Dependent on the specific application in use and the logging configuration
  • FTP logs
  • Web server logs
  • Database logs
  • Backup logs
  • Anti-virus logs
• Many are text based
• Be careful with timestamps – date values may be in American date format e.g. mm/dd


Other locations
• Two very important files on Windows systems:
• hiberfil.sys
  • Stores the content of RAM when the device goes into hibernation
  • Ensures that the system is returned to the same state as when it was left
• pagefile.sys
  • Is used as a space for virtual memory
  • When the contents of RAM are full and in use then this space will be used
• These are an extremely valuable resource and could contain much forensically useful information such as passwords in plaintext
• Stored as hidden files on Windows systems and their location is the root directory
This Week's Lab Session
• Registry Tutorial
• Event Logs
• User Accounts


Next Week
• Email analysis
