Windows Registry Forensics

Transcription

1 Windows Registry Forensics

2 Registry Definition The Microsoft Computer Dictionary defines the registry as: A central hierarchical database used in the Microsoft Windows family of Operating Systems to store information necessary to configure the system for one or more users, applications and hardware devices. The registry contains information that Windows continually references during operation, such as profiles for each user, the applications installed on the computer and the types of documents that each can create, property sheet settings for folders and application icons, what hardware exists on the system and the ports that are being used.

3 The structure of the Registry

4 ControlSet folders A typical installation of Windows may contain two/four \ControlSet001 \ControlSet002 \CurrentControlSet \Clone 4 ControlSet001 may be the last control set you booted with ControlSet002 could be what is known as the last known good control set, or the control set that last successfully booted Windows The CurrentControlSet subkey is just a pointer to one of the ControlSetXXX keys Clone is a clone of CurrentControlSet, and is created each time you boot your computer

5 Unicode and Language Independence Most internal text strings are stored and processed as 16-bit Unicode characters. Unicode is an international character set standard that defines unique 2 byte values (maximum characters) for most of the world's known character sets. References: Or MSDN Documentation

6 Last Write Time All registry key has a value called LastWrite time, which is similar to file s last modification time. In fact, this value is a FILETIME structure, which is the same as file s MAC (Modified, Accessed, Created) time The FILETIME structure is a 64-bit value representing the number of 100-nanosecond intervals since January 1,1601 Knowing the time of a key is modified or created allows forensic investigator to infer the approximate time an event or activity occurred. The investigator could query the LastWrite time of the key and compare it to the MAC time of the file to which the registry value is pointing. If there is a match between the key LastWrite time and the MAC time of the file to which the registry value is pointing, investigator will know the time the registry value was created.

7 Shellbags This entry can be found at HKCU\Software\Microsoft\Shell\Bags. ShellBag entries indicate a given folder was accessed, not a specific file (Carvey, 2011)

8 User Assist HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Explorer\UserAssist UserAssist is a method used to populate a user s start menu with frequently used applications. This is achieved by maintaining a count of application use in each users NTUSER.DAT registry file.

9 Prefetch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Control\Session Manager\Memory Management\PrefetchParameter Prefetch files contain the name of the executable, a Unicode list of DLLs used by that executable, a count of how many times the executable has been run, and a timestamp indicating the last time the program was run.

10 USB Devices HKEY_LOCAL_MACHINE\System\ControlSet\Enum \USBSTOR this lists USB devices that have been connected to the machine.

11 Mounted Devices Key SYSTEM\MountedDevices Allows investigators to match the serial number to a given drive letter or volume that was mounted when the USB device was inserted

12 The MountPoints2 key What user was using the USB device hkcu\software\microsoft\windows\currentversio n\explorer\mountpoints2

13 SYSTEM\CurrentControlSet \Enum\USB Vendor and product ID

14 Autostart locations Frequently used by malware to remain persistent on the target system. Example: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

15 MRU MRU ( most recently used ) lists The MRUList entry maintains a list of which value has been most recently used. To identify the Most Recently Used (MRU) files on a suspect computer system: HKCU>Software>Microsoft>Windows> CurrentVersion>Explorer>runMRU or RecentDoc HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg3 2\OpenSaveMRU Examples Paint Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List Excel Software\Microsoft\Office\10.0\Excel\Recent Files Word Microsoft\Office\10.0\Word\Data

16 Last Visited HKCU\Software\Microsoft\Windows\CurrentVersi on\explorer\comdlg32\lastvisitedmru This key correlates to the previous OpenSaveMRU key to provide extra information. Whenever a new entry is added to the previous OpenSaveMRU key, registry value is created or updated in this key

17 Recently executed HKCU\Software\Microsoft\Windows\CurrentVersi on\explorer\runmru This key maintains a list of entries (e.g. full file path or commands like cmd, regedit, compmgmt.msc) executed using the Start>Run commands

18 Recent Searches HKCU \Software\Microsoft\Search Assistant\ACMru This key contains recent search terms using Windows default search. Subkey 5603 contains search terms for finding folders and filenames, while subkey 5604 contains search terms for finding words or phrases in a file

19 Uninstalled Software HKLM\SOFTWARE\Microsoft\Windows\CurrentVer sion\uninstall Each subkey in this key represent an installed program in the computer. All programs listed in Control Panel>Add/Remove Programs correspond to one of the listed subkeys. However, they are other installed programs (e.g. device driver, Windows patch) that are not listed in Add/Remove Programs. Each subkey usually contains these two common registry values. DisplayName (program name) and UninstallString (application Uninstall components file path, which indirectly refers to application installation path).

20 Services HKLM\SYSTEM\CurrentControlSet\Services\ This key contains list of Windows services. Each subkey represents a service and contains services information such as startup configuration and executable image path. Some malware will install itself as service.

21 Network Adapter HKLM\SYSTEM\CurrentControlSet\Services\Tcpip \Parameters\Interfaces\GUID This key contains network adapter recent settings such as system IP address and default gateway for the respective network adapters. Each GUID subkey refers to a network adapter

22 Passwords If the user tells IE to remember passwords, then they are here HKCU\Software\Microsoft\Internet Explorer\IntelliForms\SPW Passwords are encrypted by the Operating System. However, there are tools available that can decrypt these values, such as Protected Storage PassView by NirSoft or Helix s incident response tools.

23 Wireless SSIDs SSIDs (service set identifiers) This shows you which wireless networks you ve connected to, and if you travel and make use of the ubiquitous wireless hotspots, you ll see quite a few entries there. In XP it was always here: HKEY_LOCAL_MACHINE \SOFTWARE\Microsoft\WZCSVC\Parameters\Inte rfaces key. The registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\ will give you a list of all the Wifi networks that this network interface has connected to. The SSID of the network is contained within the Description key.

24 Swap file management HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management This key maintains Windows virtual memory (paging file) configuration. The paging file (usually C:\pagefile.sys) may contain evidentiary information that could be removed once the suspect computer is shutdown. This key contains a registry value called ClearPagefileAtShutdown which specify whether Windows should clear off the paging file when the computer shutdowns. By default, windows will not clear the paging file.

25 Questions