System, User, and Network Information in the Registry
User Information
This information is stored in the SAM hive. Here we can find stored user accounts, user groups, login information, password policies, and more.

Users available on the system. The path is:
C:\Windows\system32\config\SAM: SAM\Domains\Account\Users
We can view the list of active users as the values of the "Users" key. We can also see these names under the "Names" subkey of the same Users key. It can also reveal information about deleted users, which is very useful if an attacker has deleted any accounts.
System Information
Most of this information is stored in the SYSTEM and SOFTWARE hives. We can find system configuration, operating system information, network information, time zone information, and more.
System configuration is stored in control sets. The SYSTEM hive usually contains two control sets, numbered "001" and "002". The first control set is the configuration the system is currently using, and the second is the last known good configuration, which acts as a backup in case of failure. Control sets are useful when investigating system failure or hardware failure events. The same key values as "ControlSet001" also appear under a key called "CurrentControlSet", which is not stored on disk but only in memory. Registry Explorer therefore cannot mount this key from an offline hive, but it can be viewed with regedit on the live system.
The location of the control sets is
C:\Windows\system32\config\SYSTEM: ControlSet001\Control


A lot of information can be found here, such as startup services, hardware profiles, driver information, etc.
The next piece of information is the operating system version. This helps us find important details such as the computer's architecture and version number. It also lets us identify vulnerabilities that apply to that specific version.
C:\Windows\system32\config\SOFTWARE: Microsoft\Windows NT\CurrentVersion

Network Information
We can use network information to find important details such as VPN/proxy usage, past connected networks, current TCP/IP configuration, interfaces, etc. Let's start by finding the networks the system has connected to.
C:\Windows\system32\config\SOFTWARE: Microsoft\Windows NT\CurrentVersion\NetworkList

We can find the network SSID (whether Ethernet or wireless), the first time it connected to the PC, the last time it was active on the PC, and the MAC address of the router providing the connection. This can be powerful evidence as we have network names, timestamps, etc.
We can also view the open network shares on the system by reading the following key values:
C:\Windows\system32\config\SYSTEM: CurrentControlSet\services\LanmanServer\Shares

Information on open network shares can help us discover the attacker's lateral movement techniques and which shares the infected machine can access.
TCP/IP configuration and interface information can be found at the following locations.
C:\Windows\system32\config\SYSTEM: CurrentControlSet\Services\Tcpip\Parameters
C:\Windows\system32\config\SYSTEM: CurrentControlSet\Services\Tcpip\Parameters\Interfaces
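Decoding the NetworkList values described above (profile timestamps, the network type and the gateway MAC), as an added example that is not part of the original page. It assumes the raw values have already been read from the SOFTWARE hive into Python dicts (constructed sample values are embedded inline), and the NameType meanings are standard forensic reference values rather than something the page states.

```python
import struct
from datetime import datetime

# Well-known NameType values for NetworkList\Profiles (standard forensic reference
# values, not taken from the page; treated as an assumption of this example).
NAME_TYPES = {6: "wired", 23: "vpn", 71: "wireless"}

def decode_systemtime(blob: bytes) -> datetime:
    """DateCreated / DateLastConnected are 16-byte SYSTEMTIME blobs: eight
    little-endian WORDs (year, month, day-of-week, day, hour, minute, second,
    millisecond). The value is not UTC; check the host's time zone before
    correlating it with UTC log sources."""
    if len(blob) != 16:
        raise ValueError(f"SYSTEMTIME must be 16 bytes, got {len(blob)}")
    year, month, _dow, day, hour, minute, second, ms = struct.unpack("<8H", blob)
    return datetime(year, month, day, hour, minute, second, ms * 1000)

def format_mac(blob: bytes) -> str:
    """DefaultGatewayMac under Signatures\\Unmanaged is a raw 6-byte REG_BINARY."""
    if len(blob) != 6:
        raise ValueError(f"MAC must be 6 bytes, got {len(blob)}")
    return ":".join(f"{b:02x}" for b in blob)

def decode_network_profile(profile: dict, signature: dict = None) -> dict:
    """Turn the raw values of one Profiles\\{GUID} key, plus its matching
    Signatures\\Unmanaged entry when available, into a readable record."""
    name_type = profile.get("NameType")
    record = {
        "name": profile["ProfileName"],
        "type": NAME_TYPES.get(name_type, f"unknown({name_type})"),
        "created": decode_systemtime(profile["DateCreated"]),
        "last_connected": decode_systemtime(profile["DateLastConnected"]),
        "managed": bool(profile.get("Managed", 0)),  # nonzero = domain-managed network
    }
    if signature:
        record["gateway_mac"] = format_mac(signature["DefaultGatewayMac"])
        record["dns_suffix"] = signature.get("DnsSuffix", "")
    return record

# Constructed sample values, shaped like what a hive reader returns for one profile.
SAMPLE_PROFILE = {
    "ProfileName": "CoffeeShopWiFi", "NameType": 71, "Managed": 0,
    "DateCreated": struct.pack("<8H", 2023, 5, 0, 14, 9, 30, 15, 250),
    "DateLastConnected": struct.pack("<8H", 2023, 11, 4, 2, 18, 5, 42, 0),
}
SAMPLE_SIGNATURE = {"DefaultGatewayMac": bytes.fromhex("0011226677aa"), "DnsSuffix": "<none>"}

if __name__ == "__main__":
    print(decode_network_profile(SAMPLE_PROFILE, SAMPLE_SIGNATURE))
```

The Profiles entry and its Signatures\Unmanaged entry are linked by the ProfileGuid value on the signature side, so one profile can be joined to its gateway MAC before comparing timestamps across hosts.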

Shellbags
Shellbags are artifacts created when users interact with the shell (the user interface for accessing the operating system and its file system), which is the GUI-based file explorer in Windows (not to be confused with the CLI shell). Shellbags contain information about the state of folders, such as their size, position, and the items they contain. This information is stored so that folders can be displayed in the same state as when the user last interacted with them. For example, a folder view might be set to view items by size, or rearranged to display folders in a certain order in the file explorer. This information is stored in shellbags so that this configuration remains consistent.
Shellbags are stored in the registry at the following locations:
- NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
- NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
- USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
- USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
These values are stored in binary format, which Windows keeps for efficiency since it reduces the data size. However, many tools can convert the binary data into a human-readable form. We will use Eric Zimmerman's ShellBags Explorer for the analysis.
Download ShellBags Explorer for SAM hive analysis
https://ericzimmerman.github.io/#!index.md

Load Active Registry
When opening the tool, it will ask for an email (optional). Go to "File" in the top left, then click "Load Active Registry" or "Load Offline Registry".

It will automatically parse shellbags from the NTUSER.DAT and UsrClass.dat hives and report the number of entries found in the shellbags and the time taken.

This will contain all folder locations accessed in the file explorer. You can expand the "My Computer" folder and access all folders and drives on the computer in alphabetical order.

Shellbags Forensics
To see how shellbags work from a forensic perspective, we created a folder named "LogFiles" on the desktop and then deleted it.

Then reload the active hives in ShellBags Explorer. Even though we deleted the folder, we can still see its name. Shellbags also store the paths of accessed network shares and removable devices (USB, etc.), which is useful information: we can find out what kinds of data the user browsed on the network share or USB device.

Note: It may take some time for shellbags to update in the registry.
Shellbags also store the names of zip files and the folders browsed inside them, as long as the archive is not password protected. This can be useful if the user downloaded any malicious archives.

Shellbags can be used in various forensic environments, including investigating cybercrimes, employee misconduct, and data breaches. They can provide insights into user activities and the folders they accessed. For example, if a user accessed a folder containing sensitive files, the shellbag for that folder might contain information about the names and locations of those documents. They are particularly useful for tracking users who attempt to cover their tracks by deleting or moving files. In such cases, the information stored in the shellbag may be the only record of user activity and can provide valuable evidence.