c0msherl0ck.github.io

https://www.cfreds.nist.gov/Hacking_Case.html


Questions #2 through #11 are answered from registry information.


1. Extracting the Registry

2. Checking the ControlSet

3. Checking the TimeZone

4. Checking OS information

5. Checking the Account List

6. Checking the Computer Name

7. Checking the Last Shutdown

8. Checking the Network


1. Extracting the Registry


See "Extracting the registry with WinHex" at https://holywaterkim.tistory.com/12


Registry key : hive file on disk

HKEY_LOCAL_MACHINE\BCD00000000 : {Boot Partition}\Boot\BCD

HKEY_LOCAL_MACHINE\COMPONENTS : %SystemRoot%\System32\Config\COMPONENTS

HKEY_LOCAL_MACHINE\SYSTEM : %SystemRoot%\System32\Config\SYSTEM

HKEY_LOCAL_MACHINE\SAM : %SystemRoot%\System32\Config\SAM

HKEY_LOCAL_MACHINE\SECURITY : %SystemRoot%\System32\Config\SECURITY

HKEY_LOCAL_MACHINE\SOFTWARE : %SystemRoot%\System32\Config\SOFTWARE

HKEY_LOCAL_MACHINE\HARDWARE : Volatile (built at boot, not stored on disk)

HKEY_USERS\<SID of local service account> : %SystemRoot%\ServiceProfiles\LocalService\NTUSER.DAT

HKEY_USERS\<SID of network service account> : %SystemRoot%\ServiceProfiles\NetworkService\NTUSER.DAT

HKEY_USERS\<SID of username> : %UserProfile%\NTUSER.DAT

HKEY_USERS\<SID of username>_Classes : %UserProfile%\AppData\Local\Microsoft\Windows\UsrClass.dat

HKEY_USERS\.DEFAULT : %SystemRoot%\System32\Config\DEFAULT


[Note] On Windows XP the locations of NTUSER.DAT and UsrClass.dat differ from Windows 7 and later, and are as follows.


2. Checking the ControlSet


HKEY_LOCAL_MACHINE\SYSTEM\Select, value Current : 1, so ControlSet001 is the control set the system was using.


3. Checking the TimeZone


HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation

DaylightName : Central Daylight Time(UTC -6)

DaylightBias : -60 minutes (+1 hour UTC)


https://www.timeanddate.com/time/zones/


#4. What is the timezone settings? Central Daylight Time(UTC -5)


4. Checking OS information


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

#2. What operating system was used on the computer? Microsoft Windows XP

#3. When was the install date? UNIX time 1092955707 (Thu, 19 August 2004 17:48:27 -0500)

#5. Who is the registered owner? Greg Schardt


Result of decoding the Unix time with [DCode].


5. Checking the Account List


See https://holywaterkim.tistory.com/15.


\HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users

\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\[subkey]


[\HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users]

[Note] The Created On values in the figure above do not have the timezone applied.

#9. How many accounts are recorded (total number)? 5

#10. What is the account name of the user who mostly uses the computer? Mr. Evil 

#11. Who was the last user to logon to the computer? Mr. Evil 


[\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\{subkey}]


S-1-5-18 : System Profiles

S-1-5-19 : Local Service

S-1-5-20 : Network Service

S-1-5-21-{~}-1003 : Mr.Evil


6. Checking the Computer Name


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName


#6. What is the computer account name? N-1A9ODN6ZXK4LQ


7. Checking the Last Shutdown


HKLM\System\ControlSet001\Control\Windows

#8. When was the last recorded computer shutdown date/time? C4-FC-00-07-4D-8C-C4-01 (Fri, 27 August 2004 10:46:33 -0500)
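The three timestamp conversions used in sections 3, 4 and 7 (FILETIME bytes from the Windows key, the Unix InstallDate, and the UTC offset derived from TimeZoneInformation) can be reproduced without DCode. This is an added example, not code from the original post; the Bias value of 360 for Central Standard Time is assumed, since the post only shows DaylightBias.

```python
from datetime import datetime, timedelta, timezone

# Values taken from the post (constructed input for this example):
SHUTDOWN_FILETIME_HEX = "C4-FC-00-07-4D-8C-C4-01"  # little-endian FILETIME as shown by the registry viewer
INSTALL_DATE_UNIX = 1092955707                      # InstallDate (seconds since 1970-01-01 UTC)
DAYLIGHT_BIAS = -60                                  # DaylightBias from TimeZoneInformation
ASSUMED_BIAS = 360                                   # Bias for Central Standard Time (assumption, not on the page)

# 100-ns ticks between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01)
EPOCH_DIFF_TICKS = 116444736000000000


def filetime_from_hex_bytes(hex_bytes: str) -> int:
    """Parse a 'C4-FC-00-...' style byte dump as a little-endian 64-bit FILETIME."""
    raw = bytes.fromhex(hex_bytes.replace("-", "").replace(" ", ""))
    if len(raw) != 8:
        raise ValueError("a FILETIME is exactly 8 bytes")
    return int.from_bytes(raw, "little")


def filetime_to_utc(filetime: int) -> datetime:
    """FILETIME counts 100-ns intervals since 1601-01-01 UTC."""
    unix_ticks = filetime - EPOCH_DIFF_TICKS
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=unix_ticks // 10)


def utc_offset_minutes(bias: int, daylight_bias: int, daylight_active: bool) -> int:
    """TimeZoneInformation stores UTC = local + Bias (+ DaylightBias in DST), so local = UTC - sum."""
    return -(bias + (daylight_bias if daylight_active else 0))


def to_local(utc_dt: datetime, offset_minutes: int) -> datetime:
    return utc_dt.astimezone(timezone(timedelta(minutes=offset_minutes)))


def decode_shutdown(hex_bytes: str, offset_minutes: int) -> tuple:
    """Return (Y, M, D, h, m, s) of a FILETIME byte dump in the given local offset."""
    local = to_local(filetime_to_utc(filetime_from_hex_bytes(hex_bytes)), offset_minutes)
    return tuple(local.timetuple()[:6])


def decode_install_date(unix_seconds: int, offset_minutes: int) -> tuple:
    """Return (Y, M, D, h, m, s) of a Unix timestamp in the given local offset."""
    local = to_local(datetime.fromtimestamp(unix_seconds, tz=timezone.utc), offset_minutes)
    return tuple(local.timetuple()[:6])


if __name__ == "__main__":
    offset = utc_offset_minutes(ASSUMED_BIAS, DAYLIGHT_BIAS, daylight_active=True)  # -300 -> UTC-5
    print("UTC offset (minutes):", offset)
    print("Last shutdown (local):", decode_shutdown(SHUTDOWN_FILETIME_HEX, offset))
    print("Install date (local):", decode_install_date(INSTALL_DATE_UNIX, offset))
```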


8. Checking Network information


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

#7. What is the primary domain name? Not identified here.