Hard Disks and File Systems Easycleaner Regshot Lab

Easycleaner is a registry analysis tool that tracks what the user has done to remove/delete files from their system. In this lab, you’ll see how to use Easycleaner Regshot to capture a snapshot of the registry before files are deleted, as well as after. More importantly, it teaches you how you have to work with and tweak the tool to accommodate different scenarios, and to make sure you have the correct permissions to conduct the desired analysis. You’ll see what the output report says in contrast to the original registry capture, learn the process you need to follow to determine, verify and assess the captured data correctly, and see why you cannot make assumptions based upon a perceived assessment result.

[toggle_content title="Transcript"]
Hey, Leo Dregier here. I want to show you guys a cool, uh, little scenario. Let’s pretend that a user is trying to clean their tracks with Easy Cleaner, and let’s do some forensics analysis with Regshot, okay? So, I’m going to open up the Programs, Run, take a snapshot of the Registry, give this, uh, a chance to run so we have an official baseline to go with too. I don’t really care where the output is because I’m just going to go first shot, second shot, and then compare the two. So, now we have a baseline. Let’s go to, um, Easy Cleaner, okay? Let’s Run the program, okay? Yeah, uh, that’s actually the Install Wizard. I want the program, so let’s do Easy; there we go. I already have it installed. Finish, okay? We’re going to go into the Registry here. We’re going to find a bunch of stuff. I’m just going to let this go. A handful – we’re not going to let it run the full registry scan, but let’s get enough hives in here to see if we can’t compare on our baseline. A dozen or two should work fine for the test. Okay, um, we should have enough now. Um, so let’s select all the files; let’s delete all of the files. Are you sure you want to delete 44 entries?
So we should see approximately 44 entries, um, in, in our list. So it looks like I might have to delete these a few times. So, Delete All, Delete All, okay. Aborted 44 invalid entries; it says that they’re not entries, but we’ll see. So let’s see if the user actually can clean their tracks. Try to delete them a few times. Now let’s take our second shot of the Registry and compare the files. Error Creating the File. Great. So I’ve effectively switched over to the html document, and I’m going to compare them this way – and Error Creating the File, so let’s go ahead and change the location. I’m going to go to a directory that we have full control over, so I’m just going to use the Labs directory, and then let’s go ahead and clear all of these. Let’s take another baseline. Now these are the types of things that you have to do. You have to play with the scenario and get it to work. So just because you want stuff to work on the first time, doesn’t always mean that it’s going to work on the first time.

So let’s go ahead and find some entries, okay? Stop them here. Delete the nine entries. It says nine invalid entries. Hmm. So let’s go back over here and take our baseline and compare the files. So in that case, the error message that we went through, all right, is changing to a directory that we had full permissions over, and you can see that that did, in fact, work and fix that problem. Note to self, okay? Regshot – no comments, standard information, the computer, the owner, the values that were – the values that were modified, so that’s pretty consistent. I have nine invalid entries here, and I have nine modified entries here, so let’s see if they match. Do we have an HKEY_LOCAL_MACHINE? No, we do not; not here, okay? Do we have a Search the Document for _Users? Okay? So it looks like there’s a _User and User Assist. Do we have a User Assist? Second sanity check, no – so, in fact, these are different than what we’re seeing, all right?
So you can know that when you do analysis. Are they the same, are they not the same? Do these tools do what they’re supposed to, or are there false positives? Just because you see the number nine doesn’t mean that it’s the correct nine. Um, but I can see how easily anyone could just glance and go okay, nine and nine. You know, it makes sense. Uh, for us, it doesn’t correlate whatsoever in this example, all right? So that’s a scenario you can go through, and you can do your analysis. Do they match? Do they not match? What’s the first, uh, snapshot look like? What’s the second snapshot look like? You know comparing something to a baseline and ultimately working in a lab environment and being able to cross reference information to, in fact, determine if they are or are not consistent. Thanks for watching. I’m Leo Dregier. Don’t forget to check us out on Facebook, LinkedIn, YouTube, and Twitter. [/toggle_content]
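The cross-check the lab ends on, matching entries by registry path instead of by count, as an added example that is not part of the original lab or transcript. The report text and cleaner entries are constructed samples, the section layout is an assumed Regshot-style plain-text report, and the function names are hypothetical.

```python
import re

# Constructed sample; the section layout is an assumed Regshot-style text report.
REPORT = r"""Comments:
Computer: LAB-PC , LAB-PC
Username: analyst , analyst
----------------------------------
Values modified: 2
----------------------------------
HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{SAMPLE}\Count\EntryA: 01 00
HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{SAMPLE}\Count\EntryA: 02 00
HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{SAMPLE}\Count\EntryB: 05 00
HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{SAMPLE}\Count\EntryB: 06 00
----------------------------------
"""
# Constructed list of entries a cleaner reported as invalid and deleted.
CLEANER_ENTRIES = [r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.labext",
                   r"HKEY_LOCAL_MACHINE\SOFTWARE\LabVendor\Uninstall"]
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_USERS": "HKU",
         "HKEY_CURRENT_USER": "HKCU", "HKEY_CLASSES_ROOT": "HKCR"}

def normalize(path):
    """Short hive name, lower case, value data after ': ' dropped."""
    path = path.split(": ", 1)[0].strip().rstrip("\\")
    hive, _, rest = path.partition("\\")
    return (HIVES.get(hive.upper(), hive.upper()) + "\\" + rest).lower()

def parse_report(text):
    """Return {section title: set of normalized paths}; old/new value lines collapse."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"^(Keys|Values) (added|deleted|modified):\s*\d+$", line)
        if m:
            current = sections.setdefault(f"{m.group(1)} {m.group(2)}", set())
        elif current is not None and re.match(r"^HK[A-Z_]+\\", line):
            current.add(normalize(line))
    return sections

def under(path, key):
    """True when path is the key itself or sits below it."""
    return path == key or path.startswith(key + "\\")

def cross_check(cleaner_entries, report_text):
    """Compare what the cleaner claims against what the snapshots show, by path."""
    cleaned = {normalize(e) for e in cleaner_entries}
    changed = set().union(*parse_report(report_text).values())
    return {"cleaner_count": len(cleaned), "report_count": len(changed),
            "corroborated": sorted(c for c in cleaned if any(under(p, c) for p in changed)),
            "unexplained": sorted(p for p in changed if not any(under(p, c) for c in cleaned))}

print(cross_check(CLEANER_ENTRIES, REPORT))
```

Equal counts with an empty `corroborated` list is the situation in the lab: the same number on both sides, but none of the paths line up.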