A Windows Registry contains potential information which is of evidential value and can support the forensic analysts in exploring the different aspects of forensic investigation. A forensic analysis in general is performed with a specific agenda in mind. In the forensic investigator’s perspective, it is essential to know the type and significance of information to look for, and also where to find it. Forensic investigations which involve a windows platform vigorously require a careful assessment of the keys, sub keys and relevant values that are located inside the Windows registry. It is therefore crucial to understand and perform a Microsoft Windows Registry database analysis.
The Windows Registry is a hierarchical database that contains information, settings, system options, and other values about the system hardware, installed programs and profiles of the user accounts on the windows operating .system.
The windows registry database stores information regarding the hardware attached to the system, the system options that have been selected, the computer memory that is setup and the application programs that are utilized when the operating system is running. The registry editor tool is used to view and edit setting in the system registry in a manual way. Normally it is not recommendable to make any changes in the system registry. The operating system makes the required updates in the registry automatically when needed.
The registry editor was used for the windows 3.1x, Windows 95 and later versions. The current version of Windows, Windows 10 uses RegEdit.exe as registry editor, whereas for Windows NT and earlier versions RegEdt32.exe served the purpose. However these tools do not reveal some of the registry metadata (for instance the last modified date).
Related Product : Computer Hacking Forensic Investigator | CHFI
There are five root folders in the Registry Editor:
- FIKEY_CLASSES_ROOT
- HKEY CURRENT USER
- HKEY LOCAL
- HKEY USERS
- HKEYSURRENT_CONFFG
HKEY USERS
HKEY USERS, abbreviated as “HKU”, contains information about all the currently active user profiles on the computer. Each registry key under HKEY_USERS hive relates to a user on the computer, which is named after the user’s security identifier (SID). The registry keys and registry values under each SID control the user specific mapped drives, installed printers, environmental variables and so on.
HKEY_CLASSES_ROOT
HKEY CLASSES ROOT, abbreviated as HKCR, is a sub-key of HKEY_LOCAL_MACHINE\Software. It contains file extension association information and also programmatic identifier (ProgID), Class ID (CLSID), and interface ID (IID) data. This hive stores the necessary information which makes sure that the correct program opens when the user opens a file through the windows explorer.
HKEY_CURRENT_USER
HI EY CURRENT USER, abbreviated as HKCU, contains the configuration information related to the user currently logged on. This hive controls the user level settings associated with user profile such as desktop wall paper, screen colors, display settings etc.
FIKEY_CURRENT_CONFIG
HKEY CURRENT CONFIG, abbreviated as HKCC, stores information about the current hardware profile of the system. The information stored under this hive explains the differences between the current hardware configuration and the standard configuration.
The HI EY CURRENT CONFIG is simply a pointer to the HKEY LOCAL MAC HI N E\SYSTEM\CurrentControlSet\CurrentControlSet\Hardware Profiles\Current registry key, which contains the information about the standard hardware configuration that is stored under the Software and System keys.
FIKEY_LOCALIMACHINE
HKEY LOCAL MACHINE, abbreviated as HKLM, contains most of the configuration information for installed software which includes the Windows OS as well, and the information about the physical state of the computer which includes bus type, installed cards, memory type, startup control parameters and device drives.
Registry Structure within a Hive File
It is essential for a forensic investigator to have a good understanding of the basic components of the registry. This will help them to glean extra information through keyword searches of other locations and sources that include the page file, physical memory, or even the unallocated spaces. By gaining more information about the registry structure, the forensic investigator can have a better understanding of what is possible and how to proceed further.
The registry component cells have a specific structure and hold specific types of information. The different types of cells are:
- Key cell
- Value cell
- Subkey list cell
- Value list cell
- Security descriptor cell
The Registry as a Log File
Each registry key in a Windows Registry holds a time stamp embedded inside them which is referred to as the Last Write Time. This is comparable to that of the last modified time for a file. At any point of time when the registry key or any of its values are created, altered, or deleted the value is updated to the current local system time. Even though the registry value is not associated with any Last Write Time it can be inferred from the Last Write Time of a registry key.
Registry Analysis
ProDiscover
The ARC Group ProDiscovers Basic edition is a self-managed tool for the examination of the user’s hard disk security. ProDiscover Basic is designed to operate under the National Institute of Standards’ Disk Imaging Tool Specification 3.1.6. It is made to collect snapshots of activities that are critical for taking proactive steps in protecting the user data. ProDiscover Basic has a built-in reporting tool to present findings as evidence for legal proceedings. The user can gather time zone data, drive information, Internet activity, and more, piece by piece, or in a full report as needed. The user has robust search capabilities for capturing unique data, filenames and file types, data patterns, date ranges, etc. ProDiscover Basic gives clients the autonomy they desire while managing their own data security.
RegRipper
RegRipper is a flexible open source tool that facilitates registry analysis with ease. It contains pre-written Perl scripts for the purpose of fetching frequently needed information during an investigation involving a Windows box, RegRipper is used because of its simplicity and also the easy availability of numerous plugins that capture specific information from the registry.
System Information (Cont’d)
While performing a postmortem analysis based on acquired image of a windows system, there is ample information available to the investigator. Majority of this information including the basic system information is easy to obtain during a live response, for instance the version of the operating system (like Windows 10, Windows 8, Windows 7 or Windows Vista) by just observing the shell. The keys for finding the computer name, the last shut down time, the product names; current build number and CD version are listed in the slide.
Basically the system information is stored in the System and Software database files, and partially in the Security hive file. The information about the system users is stored in the Security Account Manager (SAM) database file. Each user’s registry settings for their specific account is stored in the NTUSER.DAT registry file.
While downloading the RegRipper tool, the plugins also downloaded automatically with in the template files. This template file incorporates code for determining the current control set from a System hive file. The plugins within the /plugins directory help in deriving the information present in the System and Software hives,
The compname.pl plugin returns computer’s name in the ComputerName value using the given key in the slide.
The winnt_cv.pl plugin returns ProductName, CurrentBuildNumber, and CSDVersion values using the given key in the slide, which give the details of the operating system and version. It also returns RegisteredOrganization, RegisteredOwner values, Productld and InstallDate values, which help in further identification of the system.
Also Read : Understanding EProcess Structure
Time Zone Information
All the time zones installed on the system are present in the registry hive. The required key to find the information about the time zone settings is listed in the slide. Every time zone has its own unique key under the registry. Re Ripper’s timezone.pl plugin returns the information about the time zone settings.
Shares
Often, Windows systems have share open for the users, so that they can access the system remotely. In many cases, this is valid for file servers; however, it might likewise be valid for user workstations, laptops, etc. The shares.pl plugin returns information about available shares from a System hive file.
Wireless SSIDs
Service Set Identifier, abbreviated as “SSID”, is a unique identifier that is used for naming a wireless local area network (WLAN). It consists of a sequence of 32 alphanumeric characters and is attached to the packets that are sent over a WLAN network. An SSID is also referred to as a “Network Name”. This name makes sure that data is sent to the correct destination when multiple independent networks are operating in the same physical location.
Wireless network configuration settings are stored within the windows registry, which includes SSIDs of networks that the system is connected to, network configuration parameters of those networks, and information about the Network Interface Cards on the system.
When a registry analysis is performed on a Windows XP system using the RegRipper tool, the toot captures the data in a text file, along with the information regarding the location of the keys. The Windows XP registry entries for wireless network connections are stored in the following location: HKLM SOFTWARE\Microsoft\ WZCSVC\ Parameters\Interfaces\{GUID}
The picture in the slide represents an example of the above discussed registry. We can notice here that inside this registry there is some valuable information in different locations. Firstly, the ActiveSettings key contains the information for the active wireless profile on the system. When this key is selected, the SSW) of the network is displayed. The picture represents an example of a network SSID shown in the slide. Similarly, we can find more valuable information in the keys Controlflag and LayoutVersion.
Startup Locations
Startup locations are folder locations within the registry that allows applications to launch automatically without any intervention made by the user. Some applications, such as touch pad drivers and applications on laptops, as well as antivirus and firewall applications, are most useful when they are started automatically.
However, in some cases there are programs that are not legitimate, like Trojans, worms, spyware, viruses where attackers use the autostart locations to automatically run these malwares when the system boots and thereby corrupt the system. Therefore, it is subsequently essential to regularly check the startup registry keys in the System Configuration utility and delete the unwanted keys.
Importance of Volume Shadow Copy Services
Volume Shadow Copy Service-based backup (VSS) introduced in Microsoft Windows, allows the users to take backup copies of computer files or the logical drive even when the files are still in use. These backup copies are also referred to as shadow copies. This technology works with NTFS file system to generate and save the shadow copies.
The main importance of the volume shadow copy service is to create breakup of the data even when the application data is still running, which infers that the data files are open or in an instable condition, To do so, there has to be a proper coordination between the backup applications, and the system hardware and software components of the computer. The VSS technology facilitates this by providing proper conversation among the mentioned components. If all the components are in coordination with the VSS, the user can take the backup snapshots even without the application going offline.
System Boot
Attackers are most likely to use the auto-start location to automatically run the malwares when the system boots without the involvement of the user. An example of such auto-start location is given in the slide.
Enumerating Autostart Registry Locations
Auto-start locations are mainly targeted by the attackers. The attackers get hold of these locations while the user performs any network based activity, for instance opening any web based application like Microsoft Outlook or the Internet Explorer. A couple of examples of auto-start locations where the attackers can introduce rnalwares are listed in the slide. Attackers find these registry keys extremely useful for maintaining malwares, regularly checking them to ensure that they are running fine.
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It monitors and records all activities performed against the Microsoft Windows Registry. On running this tool, it can be noticed that there were a significant number of accesses to the Registry even when there is apparently no user intervention. This tool gives a great deal of information to the forensic investigators to trace out any intrusion on a system. The Process Monitor tool is compatible with Windows Vista and higher.
The information retrieved using the Autoruns tools provide a way to the forensic investigators to trace any suspicious activity that has taken place within the Autostart locations. Autoruns are updated regularly so that they provide the most comprehensive list of Registry keys of the autostart locations.
While performing an investigation, the experts require tools that can permit viewing as well as enumeration of a Registry that has been reconstructed from the component files with a system image. One such tool that serves this dual purpose is the Visual Basic script called Silent Runners. The main purpose of this tool is to enumerate the contents of the autostart Registry locations, providing the investigators further details on these suspicious activities.
USB Removable Storage Devices (Cont’d)
The USB removable devices connected across a Windows system can be tracked using the footprints or artifacts left by them in the registry. The Artifacts are also left in the setupapi.log file.
Plug and Play (PnP) Manager
Plug and Play (PnP) is a combination of hardware technology and software techniques that enables a PC to recognize when a device is added to the system With PnP, the system configuration can change with little or no input from the user. For example, when a USB thumb drive is plugged in, Windows can detect the thumb drive and add it to the file system automatically. However, to do this, the hardware must follow certain requirements and so also the driver.
USBDeview
USBDeview is a small utility that lists all USB devices that are currently connected to a computer, as well as all the previously connected U513 devices. For each U513 device, extended information is displayed i.e., the Device name/description, device type, serial number (for mass storage devices), the date/time that device was added, VendorlD, ProductID, and more. U5I3Deview also allows the user to uninstall USD devices that have been used previously, disconnect USB devices that are currently connected to the computer, as well as disable and enable USB devices. USBDeview can also be used on a remote computer, as long as the user is logged in to that computer as an admin user.
The figure represents a portion of Re Edit showing Device Class ID and Unique Instance ID.
Mounted Devices (Cont’d)
Any external device attached to a system will leave artifacts in several locations. Forensic investigators review these artifacts and concentrate on the once which are of forensic importance. This depends upon the type of investigation that is being conducted. In a Windows system, the Registry keys track every device that is connected to the computer and the allotted drive letter used by the NTFS file system.
Few of the registry keys record the information related to external devices that has been connected to the system in the past. Examples of few external devices include portable hard disks, magnetic tape, memory stick / flash drive, solid state memory cards, DVD or CDs. These keys can be retrieved from a live system by running “regedit” or “Registry Commander” via an externally connected USB drive and can be saved as readable text files.
MRU Lists (Cont’d)
Most Recently Used lists, abbreviated as MRU list are the lists of recently visited web pages, opened documents, etc., maintained by the Windows operating system in the Windows Registry. Many applications also maintain an MRU list. Within the running application, these file names generally appear at the bottom of the drop-down menu when a file on the menu bar is selected.
The MRU list registry key is the RecentDocs key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\CurrentVersion\Explorer\Recentdocs
This key can contain a number of values, all of which are binary data types. The values investigators are interested in are the ones that have names, especially the one named MRUListEx.
The numbered value names contain the names of the files accessed (in Unicode), and the MRUListEx key maintains the order in which they were accessed (as DWORDs).
The RecentDocs key also has a number of sub-keys. Each one of these sub-keys are actually the extension of a file that was opened (.doc, .txt, .html, etc). The values within these sub-keys are maintained in the same way as in the RecentDocs key: the value names are numbered, and their data contains the name of the file accessed as a binary data type.
Analyzing Restore Point Registry Setting (Cont’d)
The purpose of restore points in general is to take a snapshot of a system, so that the user can restore the system to a previous restore point if something goes wrong.
The settings for restore points are stored in the registry. They are stored at:
H KEY_LOCAL_MACHINE \Software\Microsoft\WindowsNT\CurrentVersion \System Restore
The information about the interval for restore point creation is stored in the RPGloballnterval value, and the default DV RD data is 86,400. The system restore points can be reset and disabled. The setting for disabling restore points is a value named DisableSR and it defaults to O. If the setting has been changed to 1, it means that the restore point creation has been disabled.
The investigator can find restore points in numbered folders at: \System Volume Information-restore {GUID}\RP##
Neither user nor administrator can access files and folders below the system volume information by using the Explorer interface, therefore the users find it difficult to access, manipulate, or delete these files.
The navigation to System Restore is as follows:
Select Start -> Ali Programs -> Accessories -> System Tools -> System Restore to open the UI for System Restore.
Determining the Startup Locations (Cont’d)
Startup locations are folders and registry items where the programs run automatically, without user intervention. Many applications (for instance firewalls, anti-viruses) run automatically when the user starts his/her computer and loads the operating system. However, in some cases there are programs that are not legitimate, like Trojans, worms, spyware, viruses, etc., and can be run automatically, The attackers use the autostart locations to automatically run these malwares, and when the system boots itself these malwares corrupt the system. Therefore, it is essential to regularly check the startup registry keys in the System Configuration utility and delete the unwanted keys. Users can view the Startup list present in the System Configuration utility by choosing Run, typing msconfig into the text box, and then pressing Enter.
Questions related to this topic
- How do I view Windows registry files?
- What file is loaded into the registry when a user logs on?
- What are registry files called?
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com
