SANS SIFT - NTUSER.DAT Forensics Challenge Walkthrough
Author: Snooze Security
Uploaded: 2016-08-20
Views: 21951
Description:
Hello all, I decided I'd do a video on the forensics side of things before doing my next CTF/PentesterLab walkthrough. This one comes from CEIC 2015, a conference I'm not too familiar with. From what I understand SANS came up with the challenge and you can read Dan from 4n6k's writeup of it here:
http://www.4n6k.com/2015/05/forensics...
Blogspot: http://snoozesecurity.blogspot.com/
GitHub: https://github.com/snoozesecurity
Twitter: snoozesec
I decided I would do the same challenge but try to use the SANS SIFT virtual machine to become more familiar with the tools it has baked in. So I did! SANS SIFT is downloadable here:
http://digital-forensics.sans.org/com...
The first problem from the challenge was unfamiliar to me so I used regshot snapshots before and after my search to figure out the registry key I needed to look for. Regshot can be found here:
https://sourceforge.net/projects/regs...
I did have to download another tool called reglookup which you can find here:
https://github.com/ecbftw/reglookup
And finally, the GUI tool on the 4n6k blog is called Registry Explorer and can be found here:
https://ericzimmerman.github.io/
Until next time!