Windows Registry Analysis

Size: px

Start display at page:

Download "Windows Registry Analysis"

Beatrice Cross
5 years ago
Views:

1 Windows Registry Analysis Omveer Singh Additional Director / Scientist E omveer@cert-in.org.in Cyber Forensics Lab Indian Computer Emergency Response Team (CERT-In) Department of Information Technology Ministry of Communications & Information Technology Government of India New Delhi 06/05/2011 by CERT-In, New Delhi 1 Windows Registry Tricky, forensics goldmine Lot of information, fairly difficult to clean User-ids Internet history Program installation information Recently accessed files USB device history 06/05/2011 by CERT-In, New Delhi 2 1

2 What is Windows Registry? Windows Registry is a central hierarchical database used in MS Windows systems has information for many system configurations Hardware software settings installed device driver Computer forensics analyst can discover a lot of information pertaining to the suspect 06/05/2011 by CERT-In, New Delhi 3 Windows Registry Password for Some applications are stored there Some SW applications register name, company, license, address and time/date of installation Uninstallation of a program leave forensic residue Browser settings Registry keys Used by various malware The ubiquitous "Run" Key Services ClearPagefileAtShutdown Registry Key StartUp directories 06/05/2011 by CERT-In, New Delhi 4 2

3 Windows XP Registry May provide a wealth of information Located in %SystemRoot%\system32\ Organised in 5 sections termed Hives Each hive has keys and subkeys, which contain a value entry Each value entry has a name, data type and value 06/05/2011 by CERT-In, New Delhi 5 NT Registry Windows XP registry Hives HKEY_CLASSES_ROOT (HKSC, file name-olestreams) HKEY_CURRENT_USER (HKCU, sid-user-desktop) HKEY_LOCAL_MACHINE (HKLM, configuration, memory, last boot) HKEY_ USERS (HKU, all user account profiles) HKEY_CURRENT_CONFIG (HKCC, running image) 06/05/2011 by CERT-In, New Delhi 6 3

4 Tools for Registry Analysis Regedit (win) Regripper Regmon (sysinternals) Dumpsec, DumpReg, DumpEvt (SystemTools) Registry Crawler ECSF (wininternals) WinResCue Tweak Winboost Reganal 06/05/2011 by CERT-In, New Delhi 7 Forensic Analysis on Registry Analysis Contain important information such as : Usernames and Passwords for programs, s, IP Address and Internet sites A history of internet sites accessed, including date, time and queries. List of recently accessed files A list of software installed in the system. The registry information primarily stores in windows XP and 2000 in the following files. SAM SYSTEM SECURITY SOFTWARE NTUSER.DAT These files may be seen in the folder \windows\system32\config\ 06/05/2011 by CERT-In, New Delhi 8 4

5 Registry: A Wealth of Information Information that can be recovered include: System Configuration Devices on the System User Names Personal Settings and Browser Preferences Web Browsing Activity Files Opened Programs Executed Passwords 06/05/2011 by CERT-In, New Delhi 9 Windows Registry Hives Windows Registry s path on Windows XP %SystemRoot%system32%config Registry Hives HKEY_LOCAL_MACHINE/SAM HKEY_LOCAL_MACHINE/Security HKEY_LOCAL_MACHINE/System HKYE_CURRENT_CONFIG HKEY_USERS/DEFAULT HKEY_CURRENT_USER HKEY_USERS/[SID] Related files Sam, Sam.log Security, Security.log, Security.sav System, System.alt, System.log, System.sav System, System.alt, System.log, System.sav, sav NTUser.dat, NTUser.dat.log Default, Default.log, Default.sav NTUser.dat, NTUser.dat.log 06/05/2011 by CERT-In, New Delhi 10 5

identities Last logged in user Encrypted password Recent

6 Registry Organization 06/05/2011 by CERT-In, New Delhi 11 Registry Forensics Yahoo messenger Chat rooms Alternate user identities Last logged in user Encrypted password Recent contacts t Registered screen names 06/05/2011 by CERT-In, New Delhi 12 6

owner Programs run automatically System s USB devices 06/05/2011 by

7 Registry Forensics System: Computer name Dynamic disks Install dates Last user logged in Mounted devices Windows OS product key Registered owner Programs run automatically System s USB devices 06/05/2011 by CERT-In, New Delhi 13 Registry Ripper 06/05/2011 by CERT-In, New Delhi 14 7

8 Registry Ripper 06/05/2011 by CERT-In, New Delhi 15 Registry Ripper 06/05/2011 by CERT-In, New Delhi 16 8

9 Registry Ripper 06/05/2011 by CERT-In, New Delhi 17 Registry Ripper 06/05/2011 by CERT-In, New Delhi 18 9

10 RegEdit: USB Devices 06/05/2011 by CERT-In, New Delhi 19 Typed URLs Internet Explorer 06/05/2011 by CERT-In, New Delhi 20 10

11 Winzip list of files extracted 06/05/2011 by CERT-In, New Delhi 21 Recently opened Applications 06/05/2011 by CERT-In, New Delhi 22 11

$Information HKLM\Software\Microsoft\Windows NT\CurrentVersion This key contains$ information about installed software and Windows CSDVersion : installed service

information about installed software and Windows CSDVersion : installed service

& SystemRoot : Windows installed path ProductID & ProductName : Microsoft Product

12 Recently download / saved file 06/05/2011 by CERT-In, New Delhi 23 Windows Information HKLM\Software\Microsoft\Windows NT\CurrentVersion This key contains information about installed software and Windows CSDVersion : installed service pack InstallDate : Windows install date Unix 32 bit Hex Value Big Endian PathName & SystemRoot : Windows installed path ProductID & ProductName : Microsoft Product ID RegisteredOwner RegisteredOrganization Network Cards 06/05/2011 by CERT-In, New Delhi 24 12

Install date & OS Version 06/05/2011 by CERT-In, New Delhi 25 System

control registry key to see the user s configuration setting

used dby Logical ldisk Manager, has all the known volumes Select

13 Install date & OS Version 06/05/2011 by CERT-In, New Delhi 25 System Configuration Registry HKLM/System Need to find the current system control registry key to see the user s configuration setting ControlSet00x : system configuration setting subkey MountedDevices, used dby Logical ldisk Manager, has all the known volumes Select subkey remembers which control sets exist on the machine 06/05/2011 by CERT-In, New Delhi 26 13

Time Zone Information 06/05/2011 by CERT-In, New Delhi 27 27 Windows Shut Down Time HKLM/System/ControlSet00x/Control/Wi ndows

14 Time Zone Information 06/05/2011 by CERT-In, New Delhi Windows Shut Down Time HKLM/System/ControlSet00x/Control/Wi ndows Information related to Windows ShutdownTime : Windows shut down time Windows 64Bit Date & Time (Little Endian) 06/05/2011 by CERT-In, New Delhi 28 14

15 System Time Information To verify the system time, check BIOS time; it takes precedence over the others System time depends on BIOS time Procedure of confirming the date of system installation and shut down time To check BIOS time after power-on To confirm the current control set in the registry To verify the Time Zone Information To identify the install date and shutdown time 06/05/2011 by CERT-In, New Delhi 29 IP address & MAC address HKLM/System/ControlSet00x/Services/CLSID/Para meters/ Tcpip DefaultGateway / IPAddress HKLM/Software/Microsoft/Windows NT/ CurrentVersion/ NetworkCards Network card information installed on the system ServiceName specifies which driver runs the card HKLM/System/MountedDevices \??\Volume{xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxxxxxx} Last 12 digits is MAC address 06/05/2011 by CERT-In, New Delhi 30 15

run when Windows start HKLM/Software/Microsoft/Windows NT/CurrentVersion/ Windows AppInit_DLLs :.

16 06/05/2011 by CERT-In, New Delhi 31 Auto Run Program Information The programs which run automatically without user s permission whenever the system boots; may be malicious too HKLM/Software/Microsoft/Windows/CurrentVersion/Run This key specifies programs to run when Windows start HKLM/Software/Microsoft/Windows NT/CurrentVersion/ Windows AppInit_DLLs :.dll files run when GUI application program runs Malicious attacker can run.dll files which he wants without announcing the user 06/05/2011 by CERT-In, New Delhi 32 16

17 External Storage Information HKLM/System/ControlSet00x/Enum/IDE This key contains information about storage devices connected via IDE cable Key includes manufacturers and model number HKLM/System/ControlSet00x/Enum/USBSTOR This key contains information about storage devices connected via USB port [Device Type]&Ven_[Vendor]&Prod_[Product ID]&Rev[Version] Example : Disk&Ven_ALTECH&Prod_AnyDrive2.0&Rev_2.00 HKLM/System/ControlSet00x/Enum/USB This key contains information about devices connected via USB port 06/05/2011 by CERT-In, New Delhi 33 More Registry Other useful info obtainable from the registry: CPU type Network interface information IP addresses, default gateway, DHCP configuration, Installed software Installed hardware Registry information gotchas redundant, undocumented information profile cloning on older versions of Windows (95/98) (e.g., typed URLs, browser history, My Documents, ) 06/05/2011 by CERT-In, New Delhi 34 17

18 References Electronic Fingerprints computer evidence comes of Age by Michael R. Anderson Electronic Crime Scene Investigation A Guide for First Responders by National Institute t of Justice, USA; ( Forensic Examination of Digital Evidence : A guide for Law Enforcement by National Institute of Justice, USA; ( Forensics Tools ; Collecting Electronic Evidence After a System Compromise by Matthew Braid, SANS Security Essentials. 06/05/2011 by CERT-In, New Delhi 35 References (contd..) Computer Forensics An Overview by Dorothy A. Lunn, SANS Institute; _GSEC.pdf Intrusion Detection & Network Forensics by Marcus J Ranum Manual for Investigation of Computer Related Crimes by Ashok Dohare Course Contents : SANS SEC508 HoneyNet Project Website Computer Forensics Challenges 06/05/2011 by CERT-In, New Delhi 36 18

Lesson 2: Editing the Registry

Lesson 2: Editing the Registry Lesson 2 Editing the Registry 4-15 Windows XP Professional stores hardware and software settings centrally in a hierarchical database called the Registry, which replaces