Registry Artifacts. Villanova University Department of Computing Sciences D. Justin Price Spring 2014

Transcription

1 Registry Artifacts Villanova University Department of Computing Sciences D. Justin Price Spring 2014

2 REGISTRY The registry is a central hierarchal database intended to store information that is necessary to configure the system for one or more users, applications, and hardware devices.[1] Goldmine for digital forensics. Registry Breakdown Hives (binary database files) Keys & Subkeys (analogous to a folders) Values (analogous to a file) Type (strings, binary or DWORD) Data [1]

3 REGISTRY HIVES SAM Local user accounts & groups Security Security information used by the operating system to include password policies, group memberships, etc. System Hardware and service configurations Software Application settings NTUSER.dat User settings, configuration and environment settings UsrClass.dat More widely used in Vista/7/8 Shellbag Information

4 REGISTRY HIVES System Registry Hives XP/Vista/7/8! XP/Vista/7/8! XP/Vista/7/8!! XP/Vista/7/8! User Specific Registry Hives! XP! Vista/7/8! Vista/7/8! Backup System Registry Hives C:\Windows\System32\config\SAM C:\Windows\System32\config\SECURITY C:\Windows\System32\config\SYSTEM C:\Windows\System32\config\SOFTWARE C:\Documents and Settings\<USERNAME>\NTUSER.dat C:\Users\<USERNAME>\NTUSER.dat C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat Vista/7/8 C:\Windows\System32\config\RegBack

5 REGISTRY VALUE TYPES REG_NONE REG_SZ REG_BINARY REG_DWORD REG_LINK REG_QWORD No Value Unicode or ASCII String Binary Data 32-bit Number Unicode Symbolic Link 64-bit Number

6 VIEWING REGISTRY HIVES Live System Analysis - regedit.exe

7 VIEWING REGISTRY HIVES Offline Analysis - AccessData Registry Viewer

8 VIEWING REGISTRY HIVES Offline Analysis - MiTeC Windows Registry Recovery (WRR)

9 EXTRACTING REGISTRY HIVES

10 EXTRACTING REGISTRY HIVES

11 LAST WRITE TIME Last Write Time is recorded for each key in every hive. Time is stored in UTC. Time stamp reflects when a value has been added or updated.

12 SECURITY ACCOUNTS MANAGER (SAM) Security Identifier (SID) Recycle Bin entries, file ownership and other artifacts refer to a SID and not a username. Microsoft Documented SID Accounts Administrator = 500 Guest = 501 User Account = start at 1000 Password fields can be misleading Password Required = password policies applied to user accounts do not apply to this account We will work with a much better tool to determine if a password was set for this account in the Encryption/ Password lecture!

13 SAM Hive

14 SAM Hive

15 SAM Hive

16 PROFILE LIST Details all profiles that have used the system to include local and domain users. SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

17 PROFILE LIST Details all profiles that have used the system to include local and domain users. SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

18 SYSTEM HIVE Current Control Set SYSTEM\Select\Current Answers the following questions: Which configuration files should be loaded? If an error is detected, which configuration files should be tried next? Which configuration files reported errors?

19 SYSTEM HIVE Computer Name: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName!! Time Zone: SYSTEM\CurrentControlSet\Control\TimeZoneInformation!!!! Last Access Timestamp: SYSTEM\CurrentControlSet\Control\FileSystem

20 SYSTEM HIVE Network Interfaces: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

21 SYSTEM HIVE User Shares Enable: SYSTEM\CurrentControlSet\Services\lanmanserver\Shares!!! System Shutdown Timestamps and Counters (XP): SYSTEM\CurrentControlSet\Control\Windows SYSTEM\CurrentControlSet\Control\Watchdog\Display

22 SOFTWARE HIVE Operating System Version: SOFTWARE\Microsoft\Windows NT\CurrentVersion

23 SOFTWARE HIVE Historical Networks (Vista/7/8): Managed by a Domain SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures \Managed DnsSuffix = Domain FirstNetwork = SSID DefaultGatewayMac = Media Access Control (MAC) Address of Gateway Last Written Time = Last time the computer connected to this network.

24 SOFTWARE HIVE Historical Networks (Vista/7/8): Not Managed by a Domain SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList \Signatures\Unmanaged

25 SOFTWARE HIVE Network Type: SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{GUID} (XP) SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList \Profiles (Vista/7/8)» NameType 0x47 = Wireless» NameType 0x06 = Wired» NameType 0x17 = Broadband» Date fields are recorded as 128-bit System date. use Dcode to convert.

26 AUTO-START PROGRAMS Various Registry Locations: NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Run NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\RunOnce SOFTWARE\Microsoft\Windows\CurrentVersion\Run SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run SYSTEM\CurrentControlSet\Services (0x02 = start)

27 NTUSER.DAT HIVE Windows XP Search History NTUSER.DAT\Software\Microsoft\Search Assistant\ACMru Windows 7 Search History NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer \WordWheelQuery!!!!!!! Windows 8 Search History NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer \SearchHistory

28 NTUSER.DAT HIVE Internet Explorer Typed URLs NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer \TypedPaths

29 NTUSER.DAT HIVE Recently Accessed Files NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer \RecentDocs MRUList shows the order in which the files were accessed. The most recent file opened will be first.

30 NTUSER.DAT HIVE Microsoft Office Recent Documents NTUSER.DAT\Software\Microsoft\Office\14.0\Word\FileMRU NTUSER.DAT\Software\Microsoft\Office\14.0\Excel\FileMRU NTUSER.DAT\Software\Microsoft\Office\14.0\Powerpoint\FileMRU Office XP - Version 10.0 Office Version 11.0 Office Version 12.0 Office Version 14.0

31 NTUSER.DAT HIVE Common Dialogs API (ComDlg32) Open and Save As APIs NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer \ComDlg32\OpenSaveMRU (XP) NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer \ComDlg32\OpenSavePidMRU (Vista/7/8)

32 NTUSER.DAT HIVE Common Dialogs API (ComDlg32) Last Visited - records specific executable used to open the files along with the directory that was last accessed. NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer \ComDlg32\LastVisitedMRU (XP) NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer \ComDlg32\LastVisitedPidMRU (Vista/7/8)

33 NTUSER.DAT HIVE Commands Executed from the Run Box NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer \RunMRU MRU List provides the order in which the commands were executed.

34 NTUSER.DAT HIVE UserAssit Records what application(s) a user has run, when and how many times: NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer \UserAssist\{GUID}\Count Valuable resource to determine user activity and technical knowledge. Values are encoded using a simple substation cipher (ROT13). Run count starts a 6(?). some viewers will automatically adjust this value so it is important to know what your tool is doing {CEBFF5CD-ACE2-4F4F F41749EA} = Executable File {F4E57C4B F0-A9AB-443BCFE33D9F} = Shortcut File Execution

35 NTUSER.DAT HIVE UserAssit Win XP/Vista All values begin with UEME_RUNPATH Launched from the Absolute Path UEME_RUNCPL Launched from the Control Panel Applet UEME_RUNPIDL Launched from a Shortcut UEME_UIQCUT Launched from the Quick Launch Menu UEME_UISCUT Launched from a Desktop Shortcut UEME_UITTOOLBAR Launched from the Windows Explorer Toolbar

36 UserAssit Win 7/8 NTUSER.DAT HIVE

37 NTUSER.DAT HIVE MUICache Multi-language User Interface One more location to see if a program was executed even if the program was uninstalled. Timestamps are not recorded as each program is a value. Win XP NTUSER.DAT\Software\Microsoft\Windows \ShellNoRoam\MUICache Win 7/8 USRCLASS.DAT\Local Settings\Software\Microsoft \Windows\Shell\MuiCache Consider processing Volume Shadow Copies (VSC)

38 RegRipper

39 RegRipper

40 List All Plugins rip -l RegRipper Plugins

41 RegRipper Plugins

42 USB FORENSICS USB devices are commonly used to transferring data. Determine how the user is using the system Identify other devices that may be important to the investigation Determine the first time a USB drive was connected to the system. Determine the last time a USB drive was connected to the system. Artifact Locations: XP/Vista/7/8 XP/Vista/7/8 XP Vista/7/8 XP Vista/7/8 C:\Windows\System32\config\SYSTEM C:\Windows\System32\config\SOFTWARE C:\Documents and Settings\<USERNAME>\NTUSER.dat C:\Users\<USERNAME>\NTUSER.dat C:\Windows\setupapi.log C:\Windows\inf\setupapi.dev.log

43 USB FORENSICS Device s serial number SYSTEM\CurrentControlSet\Enum\USBSTOR Vendors should manufacture USB devices with unique serial numbers. Not all devices comply with the standard Devices that do not have a unique serial number will have an & as the 2nd character. Last Written Date is the first time the device was connected to the system since the last reboot.

44 USB FORENSICS Device s Volume Name (Windows 7/8) SOFTWARE\Microsoft\Windows Portable Devices\Device

45 USB FORENSICS Device s Mapped Drive Letter (Windows XP/7/8) SYSTEM\MountedDevices Windows XP uses the device s ParentIdPrefix

46 USB FORENSICS Determine which user used the USB device (Windows 7/8) SYSTEM\USBSTOR\<DEVICE>\<Serial#>\Device Parameters\Partmgr

47 USB FORENSICS Determine which user used the USB device 2 (Windows 7/8) SYSTEM\MountedDevices

48 USB FORENSICS Determine which user used the USB device (Windows 7/8) NTUSER.DAT\Software\Microsoft\Windows \CurrentVersion\Explorer\Mountpoints2

49 USB FORENSICS When was the USB device first used? (Windows 7/8) C:\Windows\inf\setupapi.dev.log

50 USB FORENSICS When was the USB device last used? (Windows 7/8) NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion \Explorer\MountPoints\{GUID} Key s Last Write Timestamp

51 USB FORENSICS - AUTOMATED USBDeviceForensics

52 USB FORENSICS - AUTOMATED

53 Store user specific preferences for Windows Explorer. Shows browsing habits and knowledge of content by a user. Uncover evidence of a deleted folder structure. Registry Location:!!!! XP/Vista/7/8 XP/Vista/7/8 XP/Vista/7/8 XP/Vista/7/8 SHELL BAGS USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagsMRU NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU NTUSER.DAT\Software\Microsoft\Windows\Shell\Bag! The following changes will cause a ShellBag key to be updates: Window Size View Options Viewing File in Thumbnail Format Sorting Options

54 SHELL BAGS

55 SHELL BAGS

56 SHELL BAGS

57 SHELL BAGS

58 SHELL BAGS

59 SHELL BAGS

60 SHELL BAGS

61 SHELL BAGS

62 SHELL BAGS

63 EXTRACTING SHELLBAGS sbag.exe Download - Info - proto_id=14

64 EXTRACTING SHELLBAGS

65 EXTRACTING SHELLBAGS