Chapter 16 — Exercises
Thirty problems in seven groups (A–G), mixing concept checks, hands-on labs (extract from an image, parse with the Eric Zimmerman tools, build the timeline, write the report, convert a FILETIME), and judgment questions. Hands-on labs assume a practice image and the EZ/RegRipper/Autopsy toolset from Appendix J — Practice Images and Lab Setup. (answer in Appendix) = worked solution in Answers to Selected. ⭐ = stretch. Always parse extracted copies, never the live original — the original is sacred, and merely opening a hive on the evidence drive rewrites timestamps and creates new artifacts.
Group A — The registry as files, not magic
16.1 Explain why "the registry" is best described as a runtime assembly rather than a single database. Name the five machine-wide hive files in C:\Windows\System32\config\ and the root key each one mounts as on a live system. Then explain why, on a dead-box image, there is no HKEY_CURRENT_USER and no CurrentControlSet, and state exactly what you read instead — including the value you check to learn which control set was current at shutdown. (answer in Appendix)
16.2 You extract SYSTEM from your verified image and inspect the base block: the primary sequence number is 0x0A12 and the secondary sequence number is 0x0A0F. (a) What does this mismatch tell you about the hive's state, and what is the technical term for it? (b) Which two additional files must you have extracted alongside SYSTEM, and what must your parser do with them before you trust a single value? (c) Describe the concrete investigative risk of skipping this step in a case where the decisive event happened in the final hour the machine was powered on, and name a parser that handles the replay automatically.
16.3 A registry key's last-write timestamp is stored as the eight little-endian bytes a1 7c 3d c8 76 4f d9 01. (a) Assemble the 64-bit FILETIME, showing the byte-reversal explicitly. (b) Convert it to a UTC date and time using the relationship unix_seconds = (FILETIME − 116444736000000000) / 10⁷, showing each arithmetic step. (Sanity check: your answer should fall in 2023.) (c) Explain why it is essential to label the result UTC rather than local time in a report, and what error a missing time-zone note can introduce into a multi-jurisdiction timeline. (answer in Appendix)
16.4 ⭐ (a) Distinguish the regf base block from an hbin, and state in which cell type — nk (key node) or vk (value) — a key's last-write FILETIME physically lives. (b) Every registry key carries exactly one last-write time: describe one realistic scenario in which that single timestamp is an excellent proxy for a specific event (name the key), and one in which it is nearly meaningless as a per-value clock (name the kind of key). (c) State the one-sentence reporting rule that follows — the rule you would recite under cross-examination before quoting any last-write time as the time of a particular value.
Group B — USB device history and user attribution
16.5 Draw, from memory, the three-key correlation chain that takes you from "a USB mass-storage device was connected to this computer" all the way to "this specific user account mounted this volume at this time." Name the exact key at each step and the hive file each one lives in, and identify which step provides the device serial, which provides the volume GUID, and which provides user attribution. (answer in Appendix)
16.6 While parsing USBSTOR you find two devices. Device 1's instance ID is 4C530001234567890123; Device 2's is 7&1c2e3f4&0. (a) Which device can you reliably track across multiple machines, and how do you tell from the instance ID alone? (b) A colleague wants to assert that Device 2 "was later seen on the suspect's home laptop." Can the instance ID support that claim — why or why not? (c) Write the exact sentence you would put in a report to disclose the limitation for Device 2 without over- or under-stating it.
16.7 Lab — recover the USB story. On a practice image, identify the NTFS partition (mmls), then use icat/fls (or a read-only mount) to extract SYSTEM and its .LOG1/.LOG2 files. Parse USBSTOR with RECmd (or RegRipper's usbstor/usbdevices plugins) and, for one device, report: vendor, product, the instance-ID serial, and the first-install / last-arrival / last-removal FILETIMEs from the Properties\{83da6326-…} subkeys. Then cross-check your first-connect time against the plaintext C:\Windows\inf\setupapi.dev.log. Record the SHA-256 of every file you extracted. Do the two sources agree, and what would a disagreement between them suggest?
16.8 Lab — finish the attribution. Continuing from 16.7, you now want to prove which user mounted the device and when. (a) Which per-user hive do you extract, and which key (full path) do you parse? (b) What value must match between the SYSTEM evidence and this per-user evidence to bind the device to the user? (c) What does the per-user key's last-write time approximate, and what is the one thing it does not tell you? (d) If two different users' hives each contain a MountPoints2 entry for the same volume GUID, what — precisely — have you proven and not proven?
16.9 ⭐ A user often gives a thumb drive a friendly label like JR-PERSONAL or BACKUP. (a) Name the registry location (and any plaintext device-name source) that preserves that human-chosen volume name. (b) Explain in two or three sentences why such a string can carry more persuasive weight with a jury than a 20-character device serial — while still being weaker technical evidence of identity than the serial. (c) Tie your answer to the distinction between persuasiveness and proof, and to the examiner's duty not to let a memorable detail outrun the data.
Group C — Event logs: the system's signed statements
16.10 Match each Windows event ID to its meaning: 4624, 4625, 4634, 4648, 4672, 4720, 4726, 4732, 1102, 7045, 6008. For 4624, also state where the logon type is recorded and why that field matters more than the bare event. Finally, give the .evtx file signature and the per-record marker an examiner can use to recognize an event-log fragment carved from unallocated space. (answer in Appendix)
16.11 Interpret this sequence from a single workstation's Security.evtx: dozens of 4625 events with logon type 3 across a Saturday night, then one 4624 with logon type 10 at 03:11 from an external-looking source address, immediately followed by a 4672. (a) Tell the story in one sentence. (b) Name the access method the type-10 logon implies. (c) Explain what the 4672 adds. (d) Name the single follow-up artifact family you would check next to learn what the intruder then ran.
16.12 Lab — parse and filter. Extract Security.evtx from a practice image, normalize it with EvtxECmd into CSV, and load the CSV in Timeline Explorer. Filter EventId == 4624 and split by logon type. Report the count of type 2 (interactive) versus type 10 (RDP) logons, and the earliest type-10 timestamp. Then state, in one sentence each, (a) why you ran the parser against an extracted copy rather than the live file on the evidence drive, and (b) why EvtxECmd plus Timeline Explorer beats clicking through Event Viewer for a case with thousands of logons.
16.13 Explain why event-log timestamps are generally a stronger time anchor than the file timestamps Explorer displays. (a) When a file's Explorer-shown timestamp disagrees with an event-log timestamp for the same activity, what is your default hypothesis, and which artifact does that hypothesis tell you to consult next? (b) Why does this property make the event log especially valuable in a timestomping case? (c) How do 6005/6006/6008 events let you bound the windows during which interactive activity could even have occurred?
16.14 A surviving System.evtx shows a 7045 (service installed) named WinDefendUpd with an ImagePath of C:\Users\Public\Libraries\svc.exe, plus a 7036 "Running" a moment later. (a) Why is the location of that binary, independent of its name, a strong persistence indicator? (b) Which registry key corroborates the 7045 event, and which two values within it would you cite? (c) Name two ImagePath locations you would consider normal for a legitimate Windows service, so your report can contrast the suspicious case against a baseline.
Group D — Execution evidence: present vs. executed
16.15 Build the execution-artifact table. For each of Prefetch, Amcache, ShimCache, UserAssist, and BAM/DAM, state (a) whether it indicates execution or merely presence, (b) the single most important "gotcha" an examiner must disclose, and (c) whether it is machine-wide or per-user. Then compress the whole table into the one sentence you could say on the witness stand to separate the two categories. (answer in Appendix)
16.16 You find CCLEANER64.EXE-A1B2C3D4.pf with a parsed run count of 3. (a) State precisely what the existence of this file proves and what it does not prove. (b) What does the eight-hex-character suffix (A1B2C3D4) encode? (c) Why would the same executable run from C:\Program Files\… and from E:\ produce two different .pf files — and how is that itself a useful signal in an exfiltration case? (d) Name three facts PECmd recovers from inside the .pf beyond the run count, and explain what the list of referenced files/directories can reveal about what a tool did.
16.17 A junior colleague finds a ShimCache (AppCompatCache) entry for stage.exe carrying the timestamp 2024-02-02 14:07:11 and writes: "stage.exe executed at 14:07:11 on 2 February 2024." (a) Identify the two distinct errors — one about what the timestamp is, one about what ShimCache proves on Windows 10. (b) Rewrite the sentence so it is defensible. (c) Explain the timing subtlety about when ShimCache is flushed to the registry, and why a triage memory capture from Chapter 15 — Live Response and Triage might contain ShimCache entries the on-disk hive lacks.
16.18 ⭐ Lab — hash-based identification. Amcache.hve is itself a registry hive. Extract it and parse with AmcacheParser. Choose one entry under InventoryApplicationFile and record its SHA-1 hash, full path, file size, and PE compile (link) timestamp. Then describe two distinct investigative uses of that SHA-1 — one that works even though the file may have been deleted from the system, and one that links the same tool across two separate machines. Finally, state in one sentence why Amcache is presence, not execution, evidence, and how you would pair it with a second artifact to claim execution.
16.19 You strongly suspect a particular tool ran, but no prefetch file for it exists. (a) Give three legitimate reasons the absence of a .pf is not proof the program never executed. (b) For at least one reason, name the registry value (and its key path) that controls prefetch behavior. (c) How would you phrase a finding about that tool's execution if Prefetch is unavailable but you do have a UserAssist and a BAM entry for it — and what makes that phrasing defensible where "no prefetch, so it never ran" would not be?
Group E — File and folder access, and deletion
16.20 A LNK shortcut file has a fixed header. State the first four bytes (and the decimal value they encode), and the Link CLSID that immediately follows. Then list five distinct facts a parsed LNK (via LECmd) can give you about a target file that lived on removable media, and explain which of those five is the one that proves the file was opened from a device no longer present — and how you would match it to the USBSTOR/prefetch evidence to bind a device, a user, and a file together. (answer in Appendix)
16.21 An AutomaticDestinations Jump List file begins with the bytes D0 CF 11 E0 A1 B1 1A E1. (a) Name the container format those bytes identify. (b) Inside, what is the DestList stream and what three pieces of information does it record per entry? (c) What does the filename's leading AppID tell you, and why is that attribution useful when several applications can open the same file type? (d) Which EZ tool parses these, and how do AutomaticDestinations and CustomDestinations differ?
16.22 Lab — folders that no longer exist. Extract UsrClass.dat for a user and parse the ShellBags with SBECmd (or ShellBags Explorer). (a) Find a browsed path on a drive letter other than C: (removable or network); state exactly what that entry proves and the one crucial thing it does not prove. (b) Why does this artifact survive even after the device is unplugged and carried away? (c) Name the two keys in UsrClass.dat where the folder tree (BagMRU) versus the view settings (Bags) live, and explain what a BagMRU node's embedded shell item encodes for a filesystem folder.
16.23 Parse a $Recycle.Bin` `$I record by hand. The first eight bytes are 02 00 00 00 00 00 00 00; the eight size bytes at offset 0x08 are 00 60 1E 00 00 00 00 00; the deletion-time bytes at offset 0x10 are 9B 41 5A 2A 7C 4F D9 01. (a) Give the header version and which Windows generations use it (and how version 1 differs in how it stores the path). (b) Compute the original file size in decimal bytes. (c) Convert the deletion FILETIME to UTC (it should land on 2024-03-16). (d) Explain why the SID in the C:\$Recycle.Bin\<SID>\ folder name is itself evidence. (answer in Appendix)
16.24 ⭐ On a deleted item, the $R` content file has been overwritten, but the `$I metadata record survived intact. (a) State precisely what you can still report from the $I` alone. (b) Map the `$I/$R` pair onto the book's dual lens: which half speaks to the 💾 **recovery** technician's job, and which half speaks to the 🔍 **forensic** examiner's job? (c) Give one realistic case in which the surviving `$I alone — with no recoverable content — is still a decisive finding, and explain how its deletion timestamp can corroborate a separate execution artifact.
Group F — Anti-forensics, the timeline, and the report (anchor case #2)
16.25 For a file on the suspect's Desktop, Explorer shows a Modified date of 2022-02-11 10:00:00, while the MFT's $FILE_NAME` attribute records *Created* `2024-03-15 18:58:13`. (a) Which set of timestamps is authoritative and why? (b) What category of tool produces this kind of contradiction? (c) Name at least two additional sources you would cite to corroborate the truthful timeline rather than resting on a single attribute. (d) Besides a wildly older `$SI, name one other tell-tale of timestamp manipulation an examiner looks for (hint: sub-second precision). (answer in Appendix)
16.26 Lab — build the timeline. You have extracted and parsed the following artifacts for user jrivera on image WS-ENG-04.E01. Assemble them into a single sourced, chronological timeline (UTC), with the artifact named in brackets after each line, then write a two-to-three-sentence findings paragraph that keeps finding and inference rigorously separate:
USBSTOR last-arrival ......... Fri 18:51 (SanDisk Cruzer Glide, SN 4C53...0123)
MountPoints2 last-write ...... Fri 18:51 (jrivera NTUSER.DAT, volume GUID {9f3a...})
ShellBags path browsed ....... Fri 18:55 (E:\ProjectArchive\TurbineHousing\)
$FILE_NAME created ........... Fri 18:58 (C:\...\Desktop\TurbineHousing_v7.sldprt)
LNK + Jump List opened ....... Fri 19:04 (target on E:, volume serial 9C2A-77F1)
USBSTOR last-removal ......... Fri 19:33
$I deletion record ........... Sat 09:12 (TurbineHousing_v7.sldprt + 1 sibling)
CCleaner prefetch, run #3 .... Sat 09:14 (wipe-free-space enabled)
Browser history ends ......... Sat 09:14
16.27 ⭐ Write the report. Draft a 150-word Findings section answering counsel's question — "Did jrivera copy proprietary CAD files to a personal device before resigning?" — that a competent cross-examiner could not impeach. Cite specific artifacts by name and source hive/file, attribute every per-user artifact to the correct account, and state at least two limitations explicitly (for example, browsed-vs-copied, or opened-vs-exfiltrated). Keep findings strictly separate from inferences, and assert no motive. Then list the two sentences from your draft that an opposing expert would attack first, and tighten them.
16.28 The SOFTWARE\Piriform\CCleaner key exists with "wipe free space" enabled, and a CCLEANER64.EXE-…pf prefetch shows run count 3, last run Saturday 09:14. (a) In your own words, explain the chapter's "anti-forensics defeats itself" lesson. (b) Name three distinct artifacts that a typical "PC cleaner" fails to erase — including the one the cleaner creates merely by running. (c) Explain how a gap — browser history that simply ends at 09:14, and MRU lists empty but stamped with a 09:14 last-write — can itself be dated evidence that something was wiped at that moment rather than never used.
Group G — Judgment and the progressive project
16.29 Counsel asks you to write the sentence "the employee stole the files." Your evidence: a LNK proving a .sldprt file was opened from drive E: (removable, serial 9C2A-77F1); ShellBags proving E:\ProjectArchive\TurbineHousing\ was browsed; and USBSTOR/MountPoints2 proving the device was connected and mounted by this user in a tight time window. You have no write-event proving the file was copied to the device. (a) What can you ethically and defensibly assert? (b) What must you decline to assert, and how do you phrase the gap? (c) Tie your answer to the theme that the absence of a trace is itself a trace — and to that theme's limits, so you neither overclaim nor dismiss strong circumstantial correlation. (answer in Appendix)
16.30 Progressive project — the Windows-artifact layer. Add this chapter's evidence to your Forensic Case File. (1) Extract SYSTEM, SOFTWARE, SAM, each user's NTUSER.DAT and UsrClass.dat, and Amcache.hve together with their transaction logs, plus the .evtx logs and the Prefetch\ directory; hash every extracted file into your chain-of-custody worksheet (Appendix F). (2) Parse with the EZ tools (RECmd, PECmd, AmcacheParser, AppCompatCacheParser, LECmd, JLECmd, SBECmd, RBCmd, EvtxECmd), cross-checking one load-bearing finding with RegRipper or Autopsy. (3) Answer the four case questions — which devices, by which user, when? / what executed vs. was merely present? / what files and folders were accessed, including from removed devices? / any anti-forensic activity (wiped-but-dated MRUs, a cleaner's prefetch, $SI`/`$FN contradictions, a 1102 log clear)? — citing the exact artifact behind each. (4) Save the CSV outputs and a sourced Windows-artifacts timeline into the case-file folder, flagging every finding whose limit you must state (presence-vs-execution, browsed-vs-copied, last-write caveats). List the files you extracted and their hashes in your submission; you will merge this timeline into the master in Chapter 21 — Timeline Analysis.
Self-check. You have mastered this chapter when you can take a raw Windows image and, without guessing, answer four questions with cited artifacts — which devices, which user, what ran, what was accessed — and when you instinctively separate execution from presence, browsed from copied, and
$FILE_NAME` truth from `$STANDARD_INFORMATIONforgery, stating every limit out loud. If you can build the anchor-case timeline in Group F and defend each line under imagined cross-examination, you are ready for Chapter 17 — macOS and Linux Forensics, where the same method meets systems that keep no registry at all.