Issue with windows execution artifacts guided exercise 1.2 (Part of the digital forensics pathway)

General
1

Hi, there seems to be an issue with the windows execution artifacts guided exercise.

When trying to export and clean the system registry files from autopsy into registry explorer, it says root nk record not found. Unable to find root key based on flag HiveEntryRootKey. This occurs for System.Log1 and System.Log2.

I’m not sure if it’s something im doing wrong or an issue with the lab itself, if anyone can help. I have followed the tasks step by step and get the same result.

Thanks

2

I just completed Windows Execution Artifacts Part 1 and Part 2. The steps all worked as written. Please provide the steps that are not working for you and provide screen shots of any error you are encountering.

3

image
image1275×1107 99.2 KB

4

These are the steps i have followed in both the guided and challenge exercise:

  1. In the config folder, highlight the SYSTEM, SYSTEM.LOG1 and SYSTEM.LOG2 files, then right-click on them, select Extract File(s), and save them in the Export folder in your case folder.

Note: The Export folder should be the default location.

  1. From the Tools folder on the desktop, launch the Registry Explorer application.

It may take a few minutes to open.

  1. From the Registry Explorer menu bar, select File > Load Hive.

  2. In the Select Hives… dialog box, navigate to the Export folder for your case, select the SYSTEM file that you just exported, and click Open.

Note: It may have a number appended to the file name by Autopsy during the export process.

  1. When prompted, click Yes to replay the transaction logs and clean the SYSTEM hive.

  2. When prompted, click OK.

No option appears to clean the hive, the pop up box doesn’t appear due to the above errors. I previously had no issue doing it in the guided exercise so i’m not sure if this is an issue with the lab or not. I’m following it by the letter.

5

Per the instructions I highlight and export the SYSTEM hive and the logs:

image
image861×368 97 KB

I save them to the Export folder:

image
image613×408 38.4 KB

image
image705×216 27.6 KB

In the Registry Explorer I select the exported SYSTEM hive:

image
image900×372 60.4 KB

When asked to replay the logs I click Yes, and click Ok to confirm that I need to select the logs I wish to replay:

image
image596×389 39.8 KB

I select both log files and click Open:

image
image944×487 48.9 KB

I click OK to confirm that the logs have been replayed:

image
image407×151 12.2 KB

I save the clean SYSTEM hive in the Export folder:

image
image933×477 49.7 KB

I click Yes to load the updated hive, and No to load the dirty hive:

image
image483×418 33.5 KB

The clean SYSTEM registry hive loads as expected:

image
image1086×594 104 KB

6

Ah thank you, it wasn’t clear to me from the instructions that it included System as well as log 1 and log 2.
Appreciate the help.

1 Like
7

You can never take enough screen shots! :smiley: