Windows Registry. Windows Registry. A Wealth of Evidence. What is the Registry? Some Evidence that Can Be Recovered. Registry History: Windows 3.

Transcription

1 Windows Registry Windows Registry Week 3 Part 1 A great source of evidence and headaches What is the Registry? A Wealth of Evidence Collection of files that, together, form all the settings needed by applications and the operating system The Registry stores: hardware info ports, disk, etc user information and preferences application settings and more The registry can be searched, and tons of information can be obtained about the user and computer This includes values but time/dates when the data was created 7/23/2018 Sacramento State - Cook - CSc Summer /23/2018 Sacramento State - Cook - CSc Summer Some Evidence that Can Be Recovered Devices that were connected to the system User names and accounts Personal settings and browser preferences Web browsing activity Most recently used files Programs used Registry History: Windows 3.1 The registry was debuted in Windows 95 However, the idea has a long evolution from Windows 3.1 and DOS Windows 3.1 and DOS use INI files text files with an easy to read/edit format applications often had their own separate files these were often stored in the c:\windows folder or elsewhere on the hard drive 7/23/2018 Sacramento State - Cook - CSc Summer /23/2018 Sacramento State - Cook - CSc Summer

2 INI File Example Registry History: Windows 3.1 [Course] ID=csc116 Name=Cyber Forensics Instructor=Devin Cook Section Key & Value ; Comments start with a semicolon [Location] Building=Riverside Hall Room=1008 Windows 3.1 has two main INI files SYSTEM.INI hardware, drivers, etc WIN.INI desktop, applications, etc.. Had a precursor to the modern Registry called REG.DAT which contained: Object Linking Embedding (OLE) data associated file types with applications 7/23/2018 Sacramento State - Cook - CSc Summer /23/2018 Sacramento State - Cook - CSc Summer Problems with 3.1 Windows 95 Approach Problems arose: proliferation of INI files all over the computer slow access entire text file had to be loaded lack of network support did not allow multiple user profiles very flat format Modern registry was developed to overcome these restrictions The Windows 9x/NT 3.5 Registry is composed of a couple of different files The files are: system.dat system settings (9x, NT) user.dat generic user settings (9x, NT) classes.dat Utilized for program associations, context menus and file types. (ME only) 7/23/2018 Sacramento State - Cook - CSc Summer /23/2018 Sacramento State - Cook - CSc Summer : Multiple User Problem 95: Multiple User Solution How does it support multiple users? If all utilize the same profile the information will all be mingled togather in the user.dat file it will be difficult (if not impossible) to separate the data Windows 9x/NT use user.dat as a default account It is copied for new profiles In addition, each user has a separate user.dat file Allows support for multiple users and to add users without starting from scratch 7/23/2018 Sacramento State - Cook - CSc Summer /23/2018 Sacramento State - Cook - CSc Summer

3 95: Backups Windows 3.1 Settings Filename Location Content Back-up of the registry is made after each boot The filenames are as follows System.dao (95, 98, ME, NT) User.dao (95, 98, ME, NT) Rbxxx.cab (98, ME) system.ini \Windows hardware, drivers, and other vital configuration information win.ini \Windows application settings, desktop, user preferences. Applications often used separate.ini files 7/23/2018 Sacramento State - Cook - CSc Summer /23/2018 Sacramento State - Cook - CSc Summer Windows 9x Registry Windows XP Filename Location Content user.dat system.dat \Windows \Windows - and - \Windows\profiles\user User-specific information. There is a different file for each user plus a main default one Protected storage area for all users, all installed programs and their settings, system settings In Windows XP, Microsoft expanded the Registry quite considerably by adding many of the features from Windows NT Windows NT was their high-end operating system designed to be secure and robust Windows 95/98/ME were designed to run older software legacy support 7/23/2018 Sacramento State - Cook - CSc Summer /23/2018 Sacramento State - Cook - CSc Summer Windows XP Registry Windows 7/8/10 Registry Filename Location Content Filename Location Content ntuser.dat \Documents and Settings\user User-specific information. Different file for each user. ntuser.dat \Users\username User-specific information. Different file for each user. Default \Windows\system32\config System settings Default \Windows\system32\config System settings SAM \Windows\system32\config Security account management SAM \Windows\system32\config Security account management Security \Windows\system32\config Security settings Security \Windows\system32\config Security settings Software \Windows\system32\config All installed programs and their settings Software \Windows\system32\config All installed programs and their settings System \Windows\system32\config System settings System \Windows\system32\config System settings 7/23/2018 Sacramento State - Cook - CSc Summer /23/2018 Sacramento State - Cook - CSc Summer

4 Logical Registry Design Registry Logical Design Different files? Different versions? How does it make sense? The Registry is stored differently depending on the version of Windows However, for applications, the information is always presented in the same format This allowed the Registry to evolve smoothly over time 7/23/2018 Sacramento State - Cook - CSc Summer Windows Registry Elements Windows Registry Elements Data is organized into a logical tree Information it organized into 5 different hives Some of the hives are collections of data in other hives so they are "virtual" Keys / Subkeys Defines the structure of the registry Similar to folders in a file system Values the data for each subkey String (REG_SZ) - Single line string value Binary (REG_BINARY) Series of bytes DWORD (REG_DWORD) Double word - 4 bytes Multi-string (REG_MULTI_SZ) - Multiple line string Expandable string (REG_EXPAND_SZ) 7/23/2018 Sacramento State - Cook - CSc Summer /23/2018 Sacramento State - Cook - CSc Summer Registry Hives Registry Hives HKEY_CLASSES_ROOT HKEY_CURRENT_USER HKEY_LOCAL_MACHINE HKEY_USERS HKEY_CURRENT_CONFIG HKEY_LOCAL_MACHINE (HKLM) contains hardware, drivers, start-up data, services, and machine-specific application data most applications will store global settings here HKEY_USERS (HKU) contains information about each user including their folders and user-registry file required to locate actual user registry file 7/23/2018 Sacramento State - Cook - CSc Summer /23/2018 Sacramento State - Cook - CSc Summer

5 Registry Hives Registry Hives: Merged Views HKEY_CURRENT_USER (HKCU) once a user logs in, this key will contain the information from their registry file ntuser.dat applications, that want to store user-specific data, read and write to this key Why? Apps don t need to know *the* user, just the current one Nearly identical to HKEY_LOCAL_MACHINE HKEY_CLASS_ROOT (HKCR) classes can be user-specific or applied to all users contains merged view of two hives: HKEY_LOCAL MACHINE\SOFTWARE\Classes HKEY_CURRENT_USER\SOFTWARE\Classes HKEY_CURRENT_CONFIG (HKCC) information about how the system was booted contains merged view of two hives: HKEY_LOCAL MACHINE\SOFTWARE HKEY_LOCAL MACHINE\SYSTEM 7/23/2018 Sacramento State - Cook - CSc Summer /23/2018 Sacramento State - Cook - CSc Summer Windows Registry Security Windows Security and Relative ID Security is set by Registry permissions in Windows 2000, regedt32.exe must be used in Windows XP, regedit.exe can also be used. Two basic permission available Read Only Full Control By default, only the System and Administrators: have full control permissions can also create specific permissions Windows Registry uses a alphanumeric combination to identify a security group Security ID (SID) identifies the computer system SIDs are assigned by the Domain Controller S /23/2018 Sacramento State - Cook - CSc Summer /23/2018 Sacramento State - Cook - CSc Summer Windows Security and Relative ID Dissecting a SID Relative ID (RID) part of the SID used to identity the specific user on the computer system It is the last part of the SID SID version Domain or Local Computer S S Authority Relative ID 7/23/2018 Sacramento State - Cook - CSc Summer /23/2018 Sacramento State - Cook - CSc Summer

6 Why Is Mr. Cook Obsessed with Windows? Registry Forensics Windows is the main operating system used on home computers So, by a large margin, seized computers will What is the market share? market share is hard to measure the best avenue is to look at browser usage Some things to look for 7/23/2018 Sacramento State - Cook - CSc Summer Platforms: June 2017 Editing the Windows Registry Approximately 90.5% use Windows Windows XP 5.7% Windows % Windows 8 6.7% Windows % Approximately 7.8% use Macintosh Approximately 1.8% use Linux Two native Windows Registry editors available Regedt32.exe Regedit.exe These were merged in Windows XP 7/23/2018 Sacramento State - Cook - CSc Summer /23/2018 Sacramento State - Cook - CSc Summer Difference Between Live and Offline Registry No HARDWARE hive Located in HKLM (HKEY_LOCAL_MACHINE) Dynamic key - created at when Windows boots No virtual hives HKCU (HKEY_CURRENT_USER) is actually content in ntuser.dat You must search for the correct SID key under HKEY_USERS Some System Info You Can Get Computer name Dynamic disks Install dates Last user logged in Mounted devices Windows OS product key Registered owner Programs run automatically System s USB devices 7/23/2018 Sacramento State - Cook - CSc Summer /23/2018 Sacramento State - Cook - CSc Summer

7 User-Specific Evidence Registry Forensics ntuser.dat (HKEY_CURRENT_USER) is a great source of evidence Note: everything the computer remembers between sessions is in the registry! So, anything that Windows remembers for you, it also will remember for the suspect All registry keys contain last modified time-stamp so, you can tell what and when not visible with regedit there are tools for reading this Registry also records all devices that have ever been connected to the computer 7/23/2018 Sacramento State - Cook - CSc Summer /23/2018 Sacramento State - Cook - CSc Summer Registry: MSN Messenger Registry: MSN messenger Some obtainable evidence IM groups, contacts, Location of message history files Location of saved contact list files Values are stored in REG_BINARY (bytes) this is actually Unicode Text dead giveaway is the pattern: ## 00 ## HKEY_CURRENT_USER/Software/Microsoft/MSNMessenger 7/23/2018 Sacramento State - Cook - CSc Summer /23/2018 Sacramento State - Cook - CSc Summer Registry: MSN messenger Always Search for MRU HKEY_CURRENT_USER/Software/Microsoft/MSNMessenger Many applications keep a list of our Most Recently Used (MRU) files Registry location and format varies greatly between applications So, search the registry for the following keywords: MRU LRU Recent 7/23/2018 Sacramento State - Cook - CSc Summer /23/2018 Sacramento State - Cook - CSc Summer

8 Always Search for MRU Always Search for MRU Applications tend to read all the entries, re-sort them and then rewrite them all so date-stamps will often all be the same as the most recent file Windows also keeps a MRU on files These are the files you double-click on using explorer (the front-end GUI of Windows) It maintains a list for every extension! HKEY_USERS\UserSID\Software\Microsoft\ Windows\CurrentVersion\Explorer\RecentDoc 7/23/2018 Sacramento State - Cook - CSc Summer /23/2018 Sacramento State - Cook - CSc Summer More MRU Information MRU In Windows 7 Windows uses an window called Common Dialog for selecting a file to open/save This is window that pop-ups, for instance, when you click save in Word This tool remembers up to the last 26 files for every file type you use naturally, this is in the registry stored in REG_BINARY format registry format changed in Windows 7 and 10 HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Explorer\ComDlg32 7/23/2018 Sacramento State - Cook - CSc Summer /23/2018 Sacramento State - Cook - CSc Summer MRU In Windows 7 Registry: Internet Explorer HKEY_CURRENT_USER/Software/ Microsoft/Windows/CurrentVersion/Explorer/ComDlg32 Some obtainable evidence IE auto logon and password IE search terms IE settings Typed URLs Auto-complete passwords 7/23/2018 Sacramento State - Cook - CSc Summer /23/2018 Sacramento State - Cook - CSc Summer

9 Registry: Internet Explorer: Typed URLs Registry: IntelliForm HKEY_CURRENT_USER /Software/Microsoft/Internet Explorer/TypedURLs IntelliForm is a built-in feature of Windows utilized by Internet Explorer Also called auto complete Allows Windows to remember fields on web page forms Stored in the registry under Protected Storage System Provider 7/23/2018 Sacramento State - Cook - CSc Summer /23/2018 Sacramento State - Cook - CSc Summer Protected Storage System Provider Protected Storage System Provider Protected Storage System Provider only visible to the system account located in NTUSER.DAT \Software\Microsoft\Protected Storage System Provider Various tools will reveal contents AccessData Registry Viewer Windows Secret Explorer Cain & Abel Protected Storage PassView HKEY_CURRENT_USER\Software\ Microsoft\Protected Storage System Provider 7/23/2018 Sacramento State - Cook - CSc Summer /23/2018 Sacramento State - Cook - CSc Summer Installed Software Uninstalled Software You can find both software that is currently installed a system Keys are usually created with installation You can also determine if software was uninstalled Keys are usually created with installation are often not deleted HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\Windows\CurrentVersion\App Paths HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\Windows\CurrentVersion\Uninstal 7/23/2018 Sacramento State - Cook - CSc Summer /23/2018 Sacramento State - Cook - CSc Summer

10 Last Login Last Login Windows keeps track of the last user to log into the system You can use this: to determine who was on the computer last when this was using Registry time stamps (should be consistent with other time stamps) if they logged into Windows a suspect may have used a boot disk HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\Windows NT\CurrentVersion\WinLogon 7/23/2018 Sacramento State - Cook - CSc Summer /23/2018 Sacramento State - Cook - CSc Summer Registry: Mounted Devices Device History Yes, the Registry stores that too! Applications can talk to devices assigned volume letters such as: C:, D:, etc Letter is actually mapped to a piece of hardware e.g. hard drive, CD-ROM, USB drive, etc 7/23/2018 Sacramento State - Cook - CSc Summer Registry: Mounted Devices Globally Unique Identifiers The registry contains this information and how each letter maps to a device So, for instance, when Microsoft Word, wants to save something to E: Windows looks up the letter in the Registry and sends it to the correct device Windows, records all mounted devices using a Globally Unique Identifiers (GUID) These are hash values created by Windows and used for almost everything Why use them for devices? applications may want to talk to a specific device regardless of its letter. also, letters can be changed. 7/23/2018 Sacramento State - Cook - CSc Summer /23/2018 Sacramento State - Cook - CSc Summer

11 Registry: Mounted Devices Registry: Mounted Devices HKEY_LOCAL_MACHINE \SYSTEM\CurrentControlSet\MountedDevices HKEY_LOCAL_MACHINE \SYSTEM\CurrentControlSet\MountedDevices 7/23/2018 Sacramento State - Cook - CSc Summer /23/2018 Sacramento State - Cook - CSc Summer When a USB Device is Plugged in. Windows PnP (plug and play) is notified by the port Windows asks the device for its name, serial value, etc Windows then creates a unique value of the device, locates the correct driver, and updates the registry This process is also saved in the SetupAPI Log file Registry: USB Devices Registry also records all USB devices that have ever been connected to the computer This information is enumerated in its own location in the Registry Using time-stamps, you can tell when a suspect USB Drive was connected This can be used to verify timelines or show evidence of data theft 7/23/2018 Sacramento State - Cook - CSc Summer /23/2018 Sacramento State - Cook - CSc Summer Registry: USB Device History Registry: USB Devices HKEY_LOCAL_MACHINE \SYSTEM\CurrentControlSet\Enum\USBSTOR You can map information in "USBStor" with "MountedDevices" to find what drive letter was used It can be a tad complicated. fortunately, there are many tools, like USBDeview, that can interpret the data for you and give nice reports however, you must understand the format for verifying these tools accuracy in Court 7/23/2018 Sacramento State - Cook - CSc Summer /23/2018 Sacramento State - Cook - CSc Summer

12 USBDeview Date! 7/23/2018 Sacramento State - Cook - CSc Summer /23/2018 Sacramento State - Cook - CSc Summer