Course Code: MISS 1103
Course Title: Digital Forensics
Semester: January--June 2015
Windows Registry Analysis
Prof. Dr. Syed Akhter Hossain
Registry Analysis
The registry is the central database of Windows systems
Configuration of system
Information about user activity
applications installed and opened
window positions and sizes
to provide the user with a better experience
Information is time-stamped
Registry Analysis
Used to get systems information
Example: System has no prefetch files
Investigate the corresponding registry key
Microsoft knowledge base 307498
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
Used to establish timelines of activity
Registry Analysis
What if there are no values?
“Absence of evidence is not evidence of absence”
E.g.: Antiforensics: Window Washer removes registry entries
Last run time of Window Washer becomes evidence
E.g.: Malware dll not loaded through registry
But could be loaded through some other mechanism, such as a shell extension
(Registry remains a popular tool for malware to avoid repeat infections)
Registry Analysis
Contents:
Basic structure remains fixed
Location of values changes
Storage location depends on hive and system
Main hives in Windows\system32\config
Other hives also in system32\config
User information in the NTUSER.dat hive in the user profile
Parts are volatile:
Populated when need arises
HKEY_CURRENT_USER, HKEY
HKEY_LOCAL_MACHINE\System
HKEY_CLASSES_ROOT
Registry Analysis
Key Cell Structure
  Bytes 0-3    Size
  Bytes 4-5    Node ID
  Bytes 6-7    Node Type
  Bytes 8-15   LastWrite Time
  …
Value Cell Structure
  Bytes 0-3    Size
  Bytes 4-5    Node ID
  Bytes 6-7    Value name length
  Bytes 8-11   Data length
  Bytes 12-15  Offset to data
  Bytes 16-20  Value type
Registry Analysis Tools
Live Analysis
regedit.exe
Native tool (use with caution)
Does not give all information (especially not time of last write)
reg.exe
Native command line tool
Autoruns.exe
Russinovich, SysInternals (now Microsoft): investigates the registry and other places for programs that run automatically
Scripting tools
E.g.: Using Perl Win32::TieRegistry
Registry Analysis Tools
Autoruns
Registry Analysis Tools
Registry Monitoring
Observe changes to the registry while interacting with system
Regshot
RegMon (SysInternals)
Registry Analysis Tools
Forensics Analysis
Built into tools: ProDiscover / EnCase, F-Response, FTK
RegRipper, RIP.pl, regslack
Windows XP Registry
Filename   | Location                             | Content
ntuser.dat | \Documents and Settings\user account | Protected storage area for the user; Most Recently Used (MRU) files; user preference settings. If there are multiple user profiles, each user has an individual user.dat file in windows\profiles\user account.
Default    | \Windows\system32\config             | System settings
SAM        | \Windows\system32\config             | User account management and security settings
Security   | \Windows\system32\config             | Security settings
Software   | \Windows\system32\config             | All installed programs and their settings
System     | \Windows\system32\config             | System settings
Registry Organization
Windows Security and Relative ID
The Windows Registry uses an alphanumeric combination to uniquely identify a security principal or security group.
The Security ID (SID) is used to identify the computer system.
The Relative ID (RID) is used to identify the specific user on the computer system.
The SID appears as:
S-1-5-21-927890586-3685698554-67682326-1005
SID Examples
SID: S-1-0
Name: Null Authority
Description: An identifier authority.
SID: S-1-0-0
Name: Nobody
Description: No security principal.
SID: S-1-1
Name: World Authority
Description: An identifier authority.
SID: S-1-1-0
Name: Everyone
Description: A group that includes all users, even anonymous users and guests. Membership is controlled by the operating system.
SID: S-1-2
Name: Local Authority
Description: An identifier authority.
SID: S-1-3
Name: Creator Authority
Description: An identifier authority.
SID
Security ID
NT/2000/XP/2003
HKLM>SAM>Domains>Accounts>Aliases>Members
This key will provide information on the computer identifier
HKLM>SAM>Domains>Users
This key will provide information in hexadecimal
User ID
Administrator – 500
Guest – 501
Global Groups ID
Administrators – 512
Users – 513
Guests – 514
MRU
To identify the Most Recently Used (MRU) files on a suspect computer system:
Windows 9x/Me
User.dat
Search should be made for MRU, LRU, Recent
Windows NT/2000
Ntuser.dat
Search should be made for MRU, LRU, Recent
Windows XP/2003
HKU>UserSID>Software>Microsoft>Windows>CurrentVersion>Explorer>RecentDocs
Select file extension and select item
Registry Forensics
Registry keys have a last-modified time stamp
Stored as a FILETIME structure
like MAC times for files
Not accessible through regedit
Accessible in the binary hive
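As an added example (not code from the slides), the key and value cell layouts given earlier and the FILETIME point above can be exercised in Python: the parser reads the cell headers at the offsets the slides list (reading the value type as the 4-byte field at offset 16) and converts the LastWrite FILETIME to a UTC datetime. The inline-data flag (bit 31 of the data length) and the 24-byte value header are hive details beyond the slides, and the sample cells are constructed, not dumped from a real hive.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME: 100-ns ticks since 1601-01-01 00:00:00 UTC (registry times are UTC/"Zulu").
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
REG_DWORD = 4  # value type used by the constructed sample below


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME (the LastWrite field of a key cell) to an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_key_cell(cell: bytes) -> dict:
    """Key ('nk') cell header, slide layout: 0-3 size, 4-5 node ID, 6-7 node type, 8-15 LastWrite."""
    size, node_id, node_type, last_write = struct.unpack_from("<i2sHQ", cell, 0)
    if node_id != b"nk":
        raise ValueError(f"not a key cell: node ID {node_id!r}")
    return {"size": abs(size),          # hives store an allocated cell with a negative size
            "allocated": size < 0,
            "node_type": node_type,
            "last_write": filetime_to_datetime(last_write)}


def parse_value_cell(cell: bytes) -> dict:
    """Value ('vk') cell header: 0-3 size, 4-5 node ID, 6-7 name length, 8-11 data length,
    12-15 data offset, 16-19 value type; the value name follows the 24-byte header."""
    size, node_id, name_len, data_len, data_off, vtype = struct.unpack_from("<i2sHIII", cell, 0)
    if node_id != b"vk":
        raise ValueError(f"not a value cell: node ID {node_id!r}")
    # Bit 31 of the data length marks data of <= 4 bytes stored inline in the
    # offset field; otherwise the offset points to a separate data cell.
    inline = bool(data_len & 0x80000000)
    data_len &= 0x7FFFFFFF
    return {"size": abs(size),
            "name": cell[24:24 + name_len].decode("latin-1"),
            "type": vtype,
            "data_len": data_len,
            "inline_data": cell[12:12 + data_len] if inline else None,
            "data_offset": None if inline else data_off}


# Constructed sample cells (not from a real hive): a key last written 2015-01-15 12:00:00 UTC,
# and a REG_DWORD value "Enabled" = 1 whose 4-byte data is stored inline.
SAMPLE_KEY_CELL = struct.pack("<i2sHQ", -0x50, b"nk", 0x20, 130657968000000000) + bytes(0x40)
SAMPLE_VALUE_CELL = (struct.pack("<i2sHIII", -0x20, b"vk", 7, 0x80000004, 1, REG_DWORD)
                     + bytes(4) + b"Enabled")

if __name__ == "__main__":
    print(parse_key_cell(SAMPLE_KEY_CELL))
    print(parse_value_cell(SAMPLE_VALUE_CELL))
```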
Registry Forensics
Registry Analysis:
Perform a GUI-based live-system analysis.
Easiest, but most likely to incur changes.
Use regedit.
Perform a command-line live-system analysis
Less risky
Use “reg” command.
Remote live system analysis
regedit allows access to a remote registry
Superscan from Foundstone
Offline analysis on registry files.
EnCase, FTK (AccessData) have specialized tools
regedit on registry dump.
Registry Forensics
Websites
Registry Forensics: NTUSER.DAT
AOL Instant Messenger Away messages
File Transfer & Sharing
Last User
Profile Info
Recent Contacts
Registered Users
Saved Buddy List
Registry Forensics: NTUSER.DAT
ICQ
IM contacts, file transfer info etc.
User Identification Number
Last logged in user
Nickname of user
Registry Forensics: NTUSER.DAT
Internet Explorer
IE auto logon and password
IE search terms
IE settings
Typed URLs
Auto-complete passwords
Registry Forensics: NTUSER.DAT
Internet Explorer Typed URLs
Registry Forensics: NTUSER.DAT
MSN Messenger
IM groups, contacts, …
Location of message history files
Location of saved contact list files
Registry Forensics: NTUSER.DAT
Last member name in MSN messenger
Registry Forensics: NTUSER.DAT
Outlook express account passwords
Registry Forensics
Yahoo messenger
Chat rooms
Alternate user identities
Last logged in user
Encrypted password
Recent contacts
Registered screen names
Registry Forensics
System:
Computer name
Dynamic disks
Install dates
Last user logged in
Mounted devices
Windows OS product key
Registered owner
Programs run automatically
System’s USB devices
Registry Forensics
USB Devices
Registry Forensics
Networking
Local groups
Local users
Map network drive MRU
Printers
Registry Forensics Winzip
Registry Forensics
List of applications and filenames of the most recent files
opened in windows
Registry Forensics
Most recently saved (or copied) files
Registry Forensics
System
Recent documents
Recent commands entered in Windows run box
Programs that run automatically
Startup software
Good place to look for Trojans
Registry Forensics
User Application Data
Adobe products
IM contacts
Search terms in google
Kazaa data
Windows media player data
Word recent docs and user info
Access, Excel, Outlook, Powerpoint recent files
Registry Forensics
Go to AccessData’s Registry Quick Find Chart
Registry Forensics
Case Study
(Chad Steel: Windows Forensics, Wiley)
Department manager alleges that an individual copied confidential information on DVD.
No DVD burner was issued or found.
Laptop was analyzed.
Found USB device entry in registry:
PLEXTOR DVDR PX-708A
Found software key for Nero - Burning ROM in registry
Therefore, looked for and found Nero compilation files (.nrc). Found other compilation files, including ISO image files.
Image files contained DVD-format and AVI format versions of copyrighted movies.
Conclusion: No evidence that company information was burned to disk.
However, the laptop was used to burn copyrighted material and the employee had lied.
Registry Forensics
Intelliform:
Autocomplete feature for fast form filling
Uses values stored in the registry
HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider
Only visible to SYSTEM account
Accessible with tools such as Windows Secret Explorer.
Registry Forensics:
AutoStart Viewer (DiamondCS)
Registry Research
Use REGMON (MS Sysinternals) to monitor changes to the registry
Registry is accessed constantly
Need to set filter
Or enable Regmon’s log boot record
Captures registry activity in a regmon file
Do it yourself: Windows API
RegNotifyChangeKeyValue
Many commercial products
DiamondCS RegProt
Intercepts changes to the registry
Registry Forensics Investigation
Forensics tools allow registry investigation from image of drive
Differences between live and offline view
No HARDWARE hive (HKLM)
Dynamic key, created at boot
No virtual keys such as HKEY_CURRENT_USER
Derived from SID key under HKEY_USERS
Source file is NTUSER.DAT
Do not confuse current and repair versions of registry files
%SystemRoot%\system32\config (TRUE registry)
%SystemRoot%\repair (repair version of registry)
Registry Forensics Investigation
Forensics search can reveal backups of registry
Intruders leave these behind when resetting the registry in order not to damage the system
Registry Forensics Investigation
Time is Coordinated Universal Time (UTC)
a.k.a. Zulu
a.k.a. Greenwich Time
Registry Forensics Investigation
Software Key
Installed Software
Registry keys are usually created with installation
But not deleted when program is uninstalled
Find them
Root of the software key
Beware of bogus names
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
If suspicious, use information from the registry to find the actual code
Registry time stamps will confirm the file MAC data or show them to be
altered
Registry Forensics Investigation
Software Key
Last Logon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
Logon Banner Text / Legal Notice
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
Security Center Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
If firewall logging is enabled, the log is typically at %SystemRoot%\pfirewall.log
Registry Forensics Investigation
Analyze Restore Point Settings
Restore points developed for Win ME / XP
Restore point settings at
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Restore points are created every RPGlobalInterval seconds (~every 24h)
Retention period is RPLifeInterval seconds (default 90 days)
Restore point creation is ON by default
Restore points in System Volume Information\restore…
Registry Forensics Investigation
Aside: How to access restore points
Restore points are protected from users, including administrators
An administrator can add her/himself to the access list of the system volume directory
Turn off “Use simple file sharing” in Control Panel > Folder Options
Click on “Properties” of the directory in Explorer and
Registry Forensics Investigation
Restore point
makes copies of important system and program files that were added since the last restore point
Files
Stored in root of RP### folder
Names have changed
File extension is unchanged
Name changes kept in change.log file
Registry data
in Snapshot folder
Names have changed, but predictably so
Registry Forensics Investigation
SID (security identifier)
Well-known SIDs
SID: S-1-0 Name: Null Authority
SID: S-1-5-2 Name: Network
S-1-5-21-2553256115-2633344321-4076599324-1006
  S: the string is a SID
  1: revision number
  5: authority level (from 0 to 5)
  21-2553256115-2633344321-4076599324: domain or local computer identifier
  1006: RID – relative identifier
Local SAM resolves SID for locally authenticated users (not domain users)
Use recycle bin to check for owners
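As an added example (not the slides' code), a Python SID decoder that ties together the SID breakdown above and the earlier SID/RID slides: it reads the binary SID layout the registry and SAM store (1-byte revision, 1-byte sub-authority count, 6-byte big-endian identifier authority, then little-endian 32-bit sub-authorities; that layout is not on the slides), splits the string form into revision, authority, machine/domain part and RID, and labels the well-known SIDs and RIDs the slides list. The binary sample is constructed from the slide's example SID, not dumped from a real SAM.

```python
import struct

# Well-known SIDs and RIDs as listed on the slides.
WELL_KNOWN_SIDS = {"S-1-0": "Null Authority", "S-1-0-0": "Nobody",
                   "S-1-1": "World Authority", "S-1-1-0": "Everyone",
                   "S-1-2": "Local Authority", "S-1-3": "Creator Authority",
                   "S-1-5-2": "Network"}
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Administrators",
                   513: "Users", 514: "Guests"}


def sid_from_binary(blob: bytes) -> str:
    """Decode the binary SID stored in the registry/SAM: 1-byte revision, 1-byte
    sub-authority count, 6-byte big-endian identifier authority, then that many
    little-endian 32-bit sub-authorities."""
    revision, count = blob[0], blob[1]
    if len(blob) < 8 + 4 * count:
        raise ValueError("truncated SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", blob, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def describe_sid(sid: str) -> dict:
    """Split a string SID into revision, authority, machine/domain part and RID,
    naming well-known SIDs and RIDs where the slides list them."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3 or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"malformed SID: {sid}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    info = {"revision": revision, "authority": authority, "sub_authorities": subs,
            "machine_or_domain": None, "rid": None, "name": WELL_KNOWN_SIDS.get(sid)}
    # S-1-5-21-X-Y-Z-RID: X-Y-Z identify the machine or domain, the last value is the
    # RID of the account or group; RIDs of 1000 and above are user-created accounts.
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        rid = subs[4]
        info["machine_or_domain"] = "-".join(str(s) for s in subs[:4])
        info["rid"] = rid
        info["name"] = WELL_KNOWN_RIDS.get(rid) or ("user-created account" if rid >= 1000 else None)
    return info


# Constructed binary form of the slide's example SID (not dumped from a real SAM).
SAMPLE_BINARY_SID = (bytes([1, 5]) + (5).to_bytes(6, "big")
                     + struct.pack("<5I", 21, 2553256115, 2633344321, 4076599324, 1006))

if __name__ == "__main__":
    print(describe_sid(sid_from_binary(SAMPLE_BINARY_SID)))
```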
Registry Forensics Investigation
Resolving local SIDs through the Recycle Bin
(live view)
Registry Forensics Investigation
Protected Storage System Provider data
Located in NTUSER.DAT\Software\Microsoft\Protected Storage System Provider
Various tools will reveal contents
Forensically, AccessData Registry Viewer
Secret Explorer
Cain & Abel
Protected Storage PassView v1.63
Registry Forensics Investigation
MRU: Most Recently Used
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
HKEY_CURRENT_USER\Printers\Settings\Wizard\ConnectMRU
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
Programs and files opened by them
Files opened and saved
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Search Assistant\ACMru
Registry Forensics Investigation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{*********}\Count
ROT-13 encoding of the data used to populate the User Assist area of the Start button
Contains the most recently used programs
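As an added example (not from the slides), a small Python decoder for UserAssist value names: each name under the Count key is ROT-13 encoded (digits and punctuation pass through), so decoding it and splitting on the first colon yields the UEME_ record type and the program path. The sample names are constructed, not copied from a real hive.

```python
import codecs


def decode_userassist_name(encoded: str) -> dict:
    """Decode one UserAssist\\{GUID}\\Count value name.

    Returns the decoded name, the UEME_ record type (e.g. UEME_RUNPATH) and the
    target after the colon, or None when the record carries no target."""
    name = codecs.decode(encoded, "rot_13")   # ROT-13 is obfuscation, not encryption
    kind, _, target = name.partition(":")
    return {"decoded": name, "kind": kind, "target": target or None}


def decode_userassist_names(encoded_names) -> list:
    """Decode a list of value names, as read from the Count key, in one pass."""
    return [decode_userassist_name(n) for n in encoded_names]


# Constructed sample value names (not dumped from a real NTUSER.DAT).
SAMPLE_NAMES = ["HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\pzq.rkr", "HRZR_EHAPCY"]

if __name__ == "__main__":
    for rec in decode_userassist_names(SAMPLE_NAMES):
        print(rec)
```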
Registry Forensics Investigation
AutoRun Programs
Long list of locations in registry
Long list of locations outside the registry
SystemDrive\autoexec.bat
SystemDrive\config.exe
Windir\wininit.ini
Windir\winstart.bat
Windir\win.ini
Windir\system.ini
Windir\dosstart.bat
Windir\system\autoexec.nt
Windir\system\config.nt
Windir\system32\autochk.exe
Registry Forensics Investigation
Rootkit Enabler
An attacker can use the AppInit_DLLs key to load their own DLL.