Week 8 - Part 2: Exploring the Windows Registry with Autopsy

Objectives

  • Identify web browsing and other registry artefacts
  • Examine registry information using Autopsy

In this lab, you will analyse the Windows Registry from a forensic image using Autopsy.


Requirements

You will need:

  • Autopsy, which should be installed on all CyberLab machines
  • The forensic image you can either:

Task 1: Analysing the Windows Registry with Autopsy

  1. Launch Autopsy and create a new case.
    If needed, refer to Week 2 – Lab 2 for detailed instructions.

  2. Select Create New Case and name the case: Clampet16.
    Choose your My Documents folder as the Base Directory.

  3. Enter a case number and add Student as the Examiner name.
    Click Finish.

  4. Choose Disk Image or VM File as the data source type.

  5. Browse to and select Clampet16.E01 as the disk image.

  6. Ensure you select the correct Time Zone for analysis.

  7. In the Configure Ingest panel:

    • Deselect all modules
    • Enable only Recent Activity
      This ensures Autopsy extracts browser, user, and registry artefacts.

  8. Once processing completes, explore the artefacts under Data Artifacts.

  9. Investigate Clampet16 → Windows and answer the following:

    Questions (record an answer for each):
    a. What operating system was installed on the computer?
    b. What is the computer name?
    c. Who is listed as the registered owner?
    d. Under OS Accounts, who was the last user to log in?
    e. Which user account appears to be used the most? (Hint: check the Login Count)
    f. Navigate to: Windows/System32/config/system/ControlSet001/Control/Windows
       Identify the last recorded shutdown time. This timestamp is stored as a 64-bit hex value in little-endian byte order. Convert it using CyberChef (https://gchq.github.io/CyberChef/):
       • Use Swap Endianness
       • Remove whitespace
       • Convert using Windows Filetime → Unix Timestamp
       • Convert from Unix time to a readable date/time
    g. Navigate to: Windows/System32/config/system/ControlSet001/Control/TimeZoneInformation
       Identify the time zone setting.
    h. Navigate to: Windows/System32/config/system/ControlSet001/Services/Tcpip/Parameters/Interfaces
       Identify any network interfaces that received an IP address via DHCP. What is the DHCP-assigned IP address?
    i. List all non-system user accounts found under OS Accounts.
    j. What applications were installed by the user after installing the OS? (Check Recent Activity and installed program artefacts)
    k. Under USB Device Attached, list any removable storage devices previously connected.
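The conversion in question f, as an added Python example that is not part of the lab materials: it mirrors the CyberChef recipe (remove whitespace, swap endianness, FILETIME to Unix, Unix to date) on an 8-byte ShutdownTime value. The sample bytes are constructed for illustration, not taken from the Clampet16 image.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
# Seconds between that epoch and the Unix epoch (1970-01-01): 11644473600.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
EPOCH_DIFF_SECONDS = 11644473600
TICKS_PER_SECOND = 10_000_000


def filetime_from_hex_le(hex_le: str) -> int:
    """Parse an 8-byte REG_BINARY value as a registry viewer displays it
    (little-endian, e.g. '00 58 A0 2F D5 76 DA 01') into the FILETIME tick count.
    Mirrors the CyberChef steps 'Remove whitespace' and 'Swap Endianness'."""
    raw = bytes.fromhex("".join(hex_le.split()))
    if len(raw) != 8:
        raise ValueError(f"expected 8 bytes of FILETIME data, got {len(raw)}")
    return int.from_bytes(raw, byteorder="little")


def filetime_to_unix(ticks: int) -> float:
    """FILETIME ticks -> Unix timestamp in seconds
    (CyberChef 'Windows Filetime to UNIX Timestamp')."""
    return ticks / TICKS_PER_SECOND - EPOCH_DIFF_SECONDS


def filetime_to_datetime(ticks: int) -> datetime:
    """FILETIME ticks -> timezone-aware UTC datetime; the integer division
    keeps sub-second precision down to microseconds instead of going via float."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def shutdown_time_from_hex_le(hex_le: str) -> str:
    """One-shot helper for the ShutdownTime value: ISO-8601 string in UTC."""
    return filetime_to_datetime(filetime_from_hex_le(hex_le)).isoformat()


if __name__ == "__main__":
    # Constructed sample (not from the Clampet16 image): the 8 bytes as a
    # registry viewer would show the ShutdownTime REG_BINARY data.
    SAMPLE_SHUTDOWN_TIME = "00 58 A0 2F D5 76 DA 01"
    ticks = filetime_from_hex_le(SAMPLE_SHUTDOWN_TIME)
    print(f"FILETIME ticks : {ticks}")
    print(f"Unix timestamp : {filetime_to_unix(ticks):.0f}")
    print(f"UTC date/time  : {filetime_to_datetime(ticks)}")
```

The result is UTC; to state the shutdown time as the machine's user saw it, apply the offset you recover from TimeZoneInformation in question g.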

Task 2: Windows Registry Deep Dive

  1. The Amcache.hve file records details about program execution.
    You can locate it at:
    Windows/appcompat/Programs/Amcache.hve
    Examine this hive using a registry viewer to identify executed applications and related artefacts.

  2. Investigate the following registry path:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree
    Identify which scheduled tasks were configured to run at logon and system startup.


Best,

Ali.

Copyright © 2026 • Created by Ali Jaddoa

Page last updated: Sunday 08 March 2026 @ 11:29:45 | Commit: 26447cb