Windows Forensics Part 1 | Registry Forensics | TryHackMe
Author: Motasem Hamdan
Uploaded: 2023-12-19
Views: 10379
📄 Cyber Security Certification Notes & Cheat Sheets
https://buymeacoffee.com/notescatalog...
🚀(2nd link) Cyber Security Certification Notes & Cheat Sheets
https://shop.motasem-notes.net/collec...
💡Cyber Security Notes | Membership Access
https://buymeacoffee.com/notescatalog...
🧩Cybersecurity Direct Coaching & Mentoring
https://shop.motasem-notes.net/collec...
🔥Download FREE Cyber Security 101 Study Notes
https://buymeacoffee.com/notescatalog...
🧠 Get Strategic cyber security and tech insights weekly to your email by joining my newsletter below
https://buymeacoffee.com/notescatalog...
📊Blog Writeups
https://www.motasem-notes.net
****
In this video walkthrough, we covered the process of conducting computer forensics in the context of examining a Windows operating system. We explained what artifacts are and how to collect them. Additionally, we mentioned some tools used to perform data acquisition and analysis. We also covered a practical scenario to demonstrate the process of analyzing an image of a cloned disk and where to find related artifacts in the Registry. This was part of the TryHackMe Windows Forensics 1 room in the SOC Level 1 track.
******
Writeup
https://motasem-notes.net/windows-for...
TryHackMe Windows Forensics Part 1
https://tryhackme.com/room/windowsfor...
********
Store
https://buymeacoffee.com/notescatalog...
Patreon
/ motasemhamdan
LinkedIn
[1]: / motasem-hamdan-7673289b
[2]: / motasem-eldad-ha-bb42481b2
Instagram
/ motasem.hamdan.tech
Google Profile
https://maps.app.goo.gl/eLotQQb7Dm6ai...
Twitter
/ manmotasem
Facebook
/ motasemhamdantty
TikTok
/ motasemhamdan0
******
00:00 - Introduction to Windows Forensics
00:15 - What Are Artifacts in Forensics?
01:57 - Importance of Timestamps in Analysis
02:49 - Live vs. Offline Analysis
04:09 - Data Acquisition & Imaging Tools
05:14 - Constructing Evidence with Timeline
06:00 - Ensuring Integrity with Hashing
06:42 - Introduction to Windows Registry
07:35 - Registry Structure: Keys, Subkeys, Values
08:44 - Overview of Main Registry Hives
10:03 - Differences Between Hives (Users, Machine, etc.)
10:57 - Tools for Registry Imaging (FTK, Autopsy)
12:08 - Registry Keys for Forensics (Logins, USBs)
13:24 - Mapping Keys to Specific Artifacts
14:02 - TryHackMe Scenario Introduction
15:05 - Analysis Tools (RegRipper, Registry Explorer)
16:27 - Scenario Setup in Registry Explorer
17:17 - Locating Registry Hives in Disk Image
18:08 - Loading Registry Hives for Analysis
19:04 - Finding User Account Information in SAM Hive
22:22 - Counting Created User Accounts
23:22 - Identifying Accounts Never Logged In
24:10 - Finding Password Hints
25:21 - Accessing File Change Logs
25:59 - Locating Recent File Access (RecentDocs Key)
27:05 - Loading User Hive (NTUSER.DAT)
28:06 - Viewing Recent Documents Accessed
29:22 - Tracing Program Executions (UserAssist)
30:40 - Verifying Execution Path of Python Installer
31:34 - Investigating USB Device Connections
32:14 - Loading SYSTEM Hive for USB Analysis
33:17 - Navigating to USB Registry Entries
34:13 - Finding Friendly Name of USB Device
35:29 - Correlating Disk ID with USB Device
35:57 - Determining Last USB Connection Timestamp
36:09 - Conclusion & Wrap-Up