windows registry analysis

7/21/2019 Windows Registry Analysis

1/62

Windows Registry Analysis

Computer Forensics, 2013


2/62

Registry Analysis

Registry is central database of Windowssystems Conguration of system

Information about user activity

applications installed and opened window positions and sizes

to provide user with a better experience

Information is time-stamped


3/62

Registry Analysis

Used to get systems information xample! "ystem has no prefetch les

Investigate the corresponding registry #ey $icrosoft #nowledge base %&'()* +,./0C1/.$1C+I23""4$3CurrentControl"et3Control3"

ession $anager3$emory $anagement35refetch5arameters

Used to establish timelines of activity


4/62

Registry Analysis

What if there are no values6 71bsence of evidence is not evidence of absence8

9g9! 1ntiforensics! Windows washer removes registryentries /ast runtime of Windows washer becomes evidence

9g9! $alware dll not loaded through registry :ut could be loaded through some other mechanism; such

as a shell extension


5/62

Registry Analysis

Contents! :asic structure remains xed

/ocation of values changes

"torage location depends on hiveand system

$ain hives in Windows3system%>3cong 0ther in system%>3cong

User information in 24U"R9dat hive in User 5role

5arts are volatile!

5opulated when need arises +,.CURR24.U"R; +, +,./0C1/.$1C+I23"ystem +,.C/1""".R004


6/62

Registry Analysis ,ey Cell "tructure &-% "ize

(-? 2ode I@

A-' 2ode 4ype

*-B? /astWrite 4ime

Dalue Cell "tructure &-% "ize

(-? 2ode I@

A-' Dalue name length

*-BB @ata length B>-B? 0Eset to data

BA->& Dalue type


7/62

Registry Analysis Tools

/ife 1nalysis regedit9exe

2ative tool


8/62


Autoruns


9/62


Registry $onitoring 0bserve changes to the registry while interacting

with system

Regshot

Reg$on


10/62


Forensics 1nalysis :uild into tools 5ro@iscover G ncase; F-Response;

F4,

RegRipper; RI59pl; regslac#


11/62


12/62

Registry Organization


13/62

Windows Security and Relative ID

4he Windows Registry utilizes aalphanumeric combination to uniHuelyidentify a security principal or securitygroup9

4he "ecurity I@


14/62

SID Examples

"I@! "-B-&2ame! 2ull 1uthority@escription! 1n identier authority9 "I@! "-B-&-&

2ame! 2obody@escription! 2o security principal9

"I@! "-B-B2ame! World 1uthority@escription! 1n identier authority9

"I@! "-B-B-&2ame! veryone@escription! 1 group that includes all users; even anonymous users and

guests9 $embership is controlled by the operating system9 "I@! "-B->

2ame! /ocal 1uthority@escription! 1n identier authority9

"I@! "-B-%2ame! Creator 1uthority@escription! 1n identier authority9


15/62

SID

"ecurity I@ 24G>&&&G5G>&&% +,/$J"1$J@omainsJ1ccountsJ1liasesJ$embers

This key will provide information on the computer identier

+,/$J"1$J@omainsJUsers This key will provide information in hexadecimal

User I@ 1dministrator K ?&& Luest K ?&B

Llobal Lroups I@ 1dministrators K ?B> Users K ?B% Luest - ?B(


16/62

MRU

4o identify the $ost Recently Used &&%

+,UJUser"I@J"oftwareJ$icrosoftJWindowsJ

CurrentDersionJxplorerJRecent@oc "elect le extension and select item


17/62

Registry Forensics

Registry #eys have last modied time-stamp "tored as FI/4I$ structure li#e $1C for les

2ot accessible through reg-edit

1ccessible in binary9


18/62

Registry Forensics

Registry 1nalysis! 5erform a LUI-based live-system analysis9

asiest; but most li#ely to incur changes9

Use regedit9 5erform a command-line live-system analysis

/ess ris#y Use 7reg8 command9

Remote live system analysis

regedit allows access to a remote registry "uperscan from Foundstone

0Mine analysis on registry les9 ncase; F4,


19/62

Registry Forensics

Websites


20/62

Registry Forensics: NTUSER.DAT

10/ Instant $essenger 1way messages File 4ransfer N "haring /ast User

5role Info

Recent Contacts Registered Users

"aved :uddy /ist


21/62


ICO I$ contacts; le transfer info etc9 User Identication 2umber

/ast logged in user

2ic#name of user


22/62


Internet xplorer I auto logon and password I search terms

I settings

4yped UR/s 1uto-complete passwords


23/62


IE explorer Typed URLs


24/62


$"2 $essenger I$ groups; contacts; /ocation of message history les

/ocation of saved contact list les


25/62


Last member name in MSN messenger


26/62


0utloo# express account passwords


27/62

Registry Forensics

ahoo messenger Chat rooms 1lternate user identities

/ast logged in user

ncrypted password Recent contacts

Registered screen names


28/62

Registry Forensics

"ystem! Computer name @ynamic dis#s Install dates /ast user logged in $ounted devices Windows 0" product #ey Registered owner 5rograms run automatically

"ystemPs U": devices


29/62

Registry Forensics


30/62

Registry Forensics

USB Devices


31/62

Registry Forensics

2etwor#ing /ocal groups /ocal users

$ap networ# drive $RU

5rinters


32/62

Registry Forensics Winzip


33/62

Registry Forensics

/ist of applications and lenames of the mostrecent les opened in windows


34/62

Registry Forensics

$ost recent saved


35/62

Registry Forensics

"ystem Recent documents Recent commands entered in Windows run box

5rograms that run automatically

"tartup software Lood place to loo# for 4roQans


36/62

Registry Forensics

User 1pplication @ata 1dobe products I$ contacts "earch terms in google

,azaa data Windows media player data Word recent docs and user info 1ccess; xcel; 0utloo#; 5owerpoint recent les


37/62

Registry Forensics

Lo to 1ccess @ataPs Registry Ouic# Find Chart


38/62

Registry Forensics

Case "tudy


39/62

Registry Forensics

Intelliform! 1utocomplete feature for fast form lling

Uses values stored in the registry +,.CURR24.U"R3"oftware3$icrosoft35rotected

"torage "ystem 5rovider

0nly visible to ""4$ account

1ccessible with tools such as Windows "ecretxplorer9

i i


40/62

Registry Forensics:

AutoStart Viewer (DiamondCS)


41/62

Registry Research

Use RL$02


42/62

Registry Forensics Investigation

Forensics tools allow registry investigation fromimage of drive

@iEerences between life and oMine view 2o +1R@W1R hive


43/62


Forensics search can reveal bac#ups ofregistry Intruders leave these behind when resetting

registry in order not to damage system


44/62


4ime is Universal 4ime Coordinated a9#9a9 Sulu

a9#9a Lreenwhich 4ime


45/62


"oftware ,ey Installed "oftware

Registry #eys are usually created with installation :ut not deleted when program is uninstalled Find them

Root of the software #ey :eware of bogus names

+,./0C1/.$1C+I23"0F4W1R3$icrosoft3Windows3CurrentDersion31pp 5aths

+,./0C1/.$1C+I23"0F4W1R3$icrosoft3Windows3CurrentDersion3Uninstall

If suspicious; use information from the registry to nd theactual code

Registry time stamps will conrm the le $1C data or showthem to be altered


46/62


"oftware ,ey /ast /ogon

+,./0C1/.$1C+I23"0F4W1R3$icrosoft3Windows

243CurrentDersion3Win/ogon /ogon :anner 4ext G /egal 2otice +,./0C1/.$1C+I23"0F4W1R3$icrosoft3Windows

243CurrentDersion3Win/ogon

"ecurity Center "ettings +,./0C1/.$1C+I23"0F4W1R3$icrosoft3"ecurity Center +,./0C1/.$1C+I23""4$3CurrentControl"et3"ervices3"har

ed1ccess35arameters3Firewall5olicy If rewall logging is enabled; the log is typically at "ystemRoot

Gprewall9log


47/62



48/62


1nalyze Restore 5oint "ettings Restore points developed for Win $ G 5 Restore point settings at

+,./0C1/.$1C+I23"0F4W1R3$icrosoft3Windows243CurrentDersion3"ystemRestore

Restore points created every R5LlobalInterval valueseconds (h=

Retention period is R5/ifeInterval seconds


49/62


1side! +ow to access restore points Restore points are protected from user; including

administrator 1dministrator can add herGhimself to the access

list of the system volume directory

4urn oE 7Use simple le sharing8 in Control 5anel

Folder 0ptions Clic# on 75roperties8 of the directory in xplorer and


50/62


Restore point ma#es copies of important system and programles that were added since the last restorepoints Files

"tored in root of R5 folder 2ames have changed File extension is unchanged 2ame changes #ept in change9log le

Registry data in "napshot folder 2ames have changed; but predictably so


51/62

Registry Forensics Investigation "I@ B->??%>?ABB?->A%%%((%>B-(&'A?))%>(-B&&A " string is "I@ B revision number

? authority level B->??%>?ABB?->A%%%((%>B-(&'A?))%>( domain or local computer

identier B&&A RI@ K Relative identier

/ocal "1$ resolves "I@ for locally authenticated users


52/62


Resolving local "I@s through the Recycle :in


53/62


5rotected "torage "ystem 5rovider data /ocated in 24U"R9@143"oftware3$icrosoft3

5rotected "torage "ystem 5rovider

Darious tools will reveal contents Forensically; 1ccess@ata Registry Diewer

"ecret xplorer

Cain N 1bel

5rotected "torage 5assDiew vB9A%


54/62


$RU! $ost Recently Used +,.CURR24.U"R3"0F4W1R3$icrosoft3Windows3Curr

entDersion3xlorer3Run$RU +,.CURR24.U"R3"0F4W1R3$icrosoft3Windows3Curr

entDersion3xlorer3$ap 2etwor# @rive $RU +,.CURR24.U"R35rinters3"ettings3Wizard3Connect$

RU +,.CURR24.U"R3"0F4W1R3$icrosoft3Windows3CurrentDersion3xlorer3Com@lg%> 5rograms and les opened by them Files opened and saved

+,.CURR24.U"R3"0F4W1R3$icrosoft3"earch

1ssistant31C$ru


55/62



56/62



57/62



58/62



59/62


+,.CURR24.U"R3"0F4W1R3$icrosoft3Windows3CurrentDersion3xlorer3User1ssist3VX3Count R04-B% encoding of data used to populate the

User 1ssist 1rea of the start button Contains most recently used programs


60/62



61/62


1utoRun 5rograms /ong list of locations in registry /ong list of locations outside the registry

"ystem@rive3autoexec9bat "ystem@rive3cong9exe Windir3wininit9ini

Windir3winstart9bat Windir3win9ini Windir3system9ini Windir3dosstart9bat Windir3system3autoexec9nt Windir3system3cong9nt

Windir3system%>3autoch#9exe


62/62


Root#it nabler 1ttac#er can use 1ppInit.@// #ey to run own @//9

windows registry analysis

Documents