Windows registry, logging
Introduction: download the zipped disk images. Make a copy (snapshot) of the images for later analysis so that the original data is not destroyed.
User: dobrota / sirota
Getting to know Windows
- Run regedit.
- Run the Event Viewer.
Compare the registry in the first and second disk image. The tools hivexml and reglookup can help you. The registry file format is described here.
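One practical way to compare the two images is to dump each hive with reglookup and diff the dumps rather than browsing them by hand. The Python below is an added example, not part of the course material or of reglookup itself; it assumes reglookup's CSV column layout (PATH,NAME,VALUE,TYPE,MTIME), and the two dumps are constructed inline for a fictional pair of images. The Eventlog check at the end flags the kind of change a later task in this lab asks you to make (the Security log file pointed somewhere else), which is exactly what an investigator comparing a "before" and "after" image wants to spot.

```python
import csv
import io

# Constructed sample dumps in the column layout reglookup prints
# (PATH,NAME,VALUE,TYPE,MTIME). Rows are made up for this example; in the
# lab you would feed in `reglookup <hive>` output taken from each image.
IMAGE_A = r"""PATH,NAME,VALUE,TYPE,MTIME
/SAM/Domains/Account/Users/Names/dobrota,,,KEY,2019-03-01 10:00:00
/SAM/Domains/Account/Users/Names/rudolf,,,KEY,2019-03-01 10:00:00
/SYSTEM/ControlSet001/Services/Eventlog/Security,File,%SystemRoot%\System32\config\SecEvent.Evt,SZ,2019-03-01 10:00:00
/SYSTEM/ControlSet001/Services/Eventlog/Security,MaxSize,0x00080000,DWORD,2019-03-01 10:00:00
"""

IMAGE_B = r"""PATH,NAME,VALUE,TYPE,MTIME
/SAM/Domains/Account/Users/Names/dobrota,,,KEY,2019-03-01 10:00:00
/SAM/Domains/Account/Users/Names/rudolf,,,KEY,2019-03-01 10:00:00
/SAM/Domains/Account/Users/Names/backup,,,KEY,2019-03-02 08:15:00
/SYSTEM/ControlSet001/Services/Eventlog/Security,File,C:\Temp\sec.evt,SZ,2019-03-02 08:20:00
/SYSTEM/ControlSet001/Services/Eventlog/Security,MaxSize,0x00080000,DWORD,2019-03-01 10:00:00
"""


def parse_reglookup(text):
    """Index one reglookup dump as {(path, value name): (value, type, mtime)}.
    Key rows carry an empty NAME and the TYPE 'KEY'."""
    index = {}
    for row in csv.DictReader(io.StringIO(text)):
        index[(row["PATH"], row["NAME"])] = (row["VALUE"], row["TYPE"], row["MTIME"])
    return index


def diff_hives(before_text, after_text):
    """Return the keys/values that appeared, vanished or changed between two dumps."""
    before, after = parse_reglookup(before_text), parse_reglookup(after_text)
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "changed": {k: (before[k][0], after[k][0])
                    for k in before if k in after and before[k][0] != after[k][0]},
    }


def relocated_event_logs(diff):
    """Pick out changed Eventlog 'File' values: a log whose backing file was moved."""
    return {path: new for (path, name), (old, new) in diff["changed"].items()
            if "/Services/Eventlog/" in path and name == "File"}


if __name__ == "__main__":
    result = diff_hives(IMAGE_A, IMAGE_B)
    for section in ("added", "removed"):
        for path, name in result[section]:
            print(f"{section}: {path} {name}".rstrip())
    for (path, name), (old, new) in result["changed"].items():
        print(f"changed: {path}\\{name}: {old!r} -> {new!r}")
    print("event logs pointed elsewhere:", relocated_event_logs(result))
```

The diff is keyed on (path, value name) so that a new user key under SAM\Domains\Account\Users\Names and a changed Eventlog file path both surface in one pass; on a real pair of hives the MTIME column is worth sorting on as well, since it dates the change.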
For log analysis you can use the tool grokevt.
- Who are the users on the system?
- How many times has the user rudolf logged in?
- Make sure that logins are no longer recorded.
- Change the registry so that the log is stored elsewhere.
- Open the log on a powered-off computer.
- Modify / add an entry in the event log.
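The first two questions (which users exist, and how often rudolf has logged in) can be answered from the offline SAM hive alone: each account lives under SAM\Domains\Account\Users\<RID> and has a fixed-layout F value (timestamps, RID, account flags, logon counters) and a variable-layout V value (user name, full name). reglookup and hivexml hand you these as raw binary, so the decoding below is what you would run on them. This Python is an added example, not course material; the F/V offsets follow the layout used by common forensic tools such as RegRipper's samparse, and the sample blobs are constructed in the code for a fictional account rather than taken from the lab images.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Account-control bits stored in the F value (subset of the SAM ACB flags).
ACB_FLAGS = {
    0x0001: "disabled",
    0x0004: "password_not_required",
    0x0010: "normal_account",
    0x0200: "password_never_expires",
    0x0400: "auto_locked",
}


def filetime_to_datetime(ft):
    """Convert a 64-bit Windows FILETIME (100 ns ticks since 1601) to a UTC datetime."""
    if ft == 0:
        return None  # field was never set
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_f(blob):
    """Decode the fixed-layout F value of a SAM user key (SAM\\Domains\\Account\\Users\\<RID>)."""
    last_logon, = struct.unpack_from("<Q", blob, 0x08)
    pwd_set, = struct.unpack_from("<Q", blob, 0x18)
    rid, = struct.unpack_from("<I", blob, 0x30)
    acb, = struct.unpack_from("<H", blob, 0x38)
    failed, logons = struct.unpack_from("<HH", blob, 0x40)  # failed count, then logon count
    return {
        "rid": rid,
        "last_logon": filetime_to_datetime(last_logon),
        "password_last_set": filetime_to_datetime(pwd_set),
        "flags": sorted(name for bit, name in ACB_FLAGS.items() if acb & bit),
        "failed_logon_count": failed,
        "logon_count": logons,
    }


def parse_v(blob):
    """Pull the user name and full name out of the V value.
    Each field is an (offset, length) pair; offsets are relative to byte 0xCC."""
    def field(at):
        off, length = struct.unpack_from("<II", blob, at)
        return blob[0xCC + off:0xCC + off + length].decode("utf-16-le")
    return {"username": field(0x0C), "full_name": field(0x18)}


def _sample_user():
    """Constructed F and V blobs for a fictional account; not data from the lab images."""
    def to_filetime(dt):
        return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    f = bytearray(0x50)
    struct.pack_into("<Q", f, 0x08, to_filetime(datetime(2019, 3, 1, 9, 30, tzinfo=timezone.utc)))
    struct.pack_into("<Q", f, 0x18, to_filetime(datetime(2019, 2, 1, 12, 0, tzinfo=timezone.utc)))
    struct.pack_into("<I", f, 0x30, 1001)
    struct.pack_into("<H", f, 0x38, 0x0210)  # normal account, password never expires
    struct.pack_into("<HH", f, 0x40, 2, 17)  # 2 failed logons, 17 successful ones
    name = "rudolf".encode("utf-16-le")
    full = "Rudolf Example".encode("utf-16-le")
    v = bytearray(0xCC + len(name) + len(full))
    struct.pack_into("<II", v, 0x0C, 0, len(name))          # user name at data offset 0
    struct.pack_into("<II", v, 0x18, len(name), len(full))  # full name right after it
    v[0xCC:0xCC + len(name)] = name
    v[0xCC + len(name):] = full
    return bytes(f), bytes(v)


SAMPLE_F, SAMPLE_V = _sample_user()

if __name__ == "__main__":
    info = parse_v(SAMPLE_V)
    info.update(parse_f(SAMPLE_F))
    for key, value in info.items():
        print(f"{key:>20}: {value}")
```

Treat the SAM logon counter as one witness, not the verdict: it only counts logons that the local SAM authenticated and it is written back lazily, so cross-check it against the successful-logon records in the Security log (event ID 528 on the XP/2003-era systems grokevt handles, 4624 on later versions). When the two disagree, that disagreement is itself evidence about whether logging was tampered with, which is what the remaining tasks in this list revolve around.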
Last modified: Wednesday, 27 March 2019, 10:15 AM