Windows Registry Analysis

Computer Forensics, 2013

Registry Analysis
 Registry is central database of Windows
systems
 Configuration of system
 Information about user activity
 applications installed and opened
 window positions and sizes
 to provide user with a better experience
 Information is time-stamped
Registry Analysis
 Used to get systems information
 Example: System has no prefetch files
 Investigate the corresponding registry key
 Microsoft knowledge base 307498
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\S
ession Manager\Memory Management\PrefetchParameters
 Used to establish timelines of activity
Registry Analysis
 What if there are no values?
 “Absence of evidence is not evidence of absence”
 E.g.: Antiforensics: Windows washer removes registry
entries
 Last runtime of Windows washer becomes evidence
 E.g.: Malware dll not loaded through registry
 But could be loaded through some other mechanism, such
as a shell extension
 (Registry remains a popular tool for malware to avoid repeat
infections)
Registry Analysis
 Contents:
 Basic structure remains fixed
 Location of values changes
 Storage location depends on hive and system
 Main hives in Windows\system32\config
 Other in system32\config
 User information in NTUSER.dat hive in User Profile
 Parts are volatile:
 Populated when need arises
 HKEY_CURRENT_USER, HKEY
 HKEY_LOCAL_MACHINE\System
 HKEY_CLASSES_ROOT
Registry Analysis
 Key Cell Structure
 0-3 Size
 4-5 Node ID
 6-7 Node Type
 8-15 LastWrite Time
 …
 Value Cell Structure
 0-3 Size
 4-5 Node ID
 6-7 Value name length
 8-11 Data length
 12-15 Offset to data
 16-20 Value type
Registry Analysis Tools
 Life Analysis
 regedit.exe
 Native tool (use with caution)
 Does not give all information (especially not time of last
write)
 reg.exe
 Native command line tool
 Autoruns.exe
 Russinovich, SysInternals (now MS) investigates registry
and other places for programs that run automatically
 Scripting tools
 E.g.: Using Perl Win32::TieRegistry
Registry Analysis Tools
Autoruns
Registry Analysis Tools
 Registry Monitoring
 Observe changes to the registry while interacting
with system
 Regshot
 RegMon (SysInternals)
Registry Analysis Tools
 Forensics Analysis
 Build into tools ProDiscover / Encase, F-Response,
FTK
 RegRipper, RIP.pl, regslack
Windows XP Registry

Filename Location Content

ntuser.dat \Documents and Protected storage area
If there are multiple user Settings\user account for user
profiles, each user has an Most Recently Used
individual user.dat file in (MRU) files
windows\profiles\user User preference settings
account

Default \Windows\system32\config System settings

SAM \Windows\system32\config User account
management and security
settings

Security \Windows\system32\config Security settings

Software \Windows\system32\config All installed programs and
their settings
System \Windows\system32\config System settings
Registry Organization
Windows Security and Relative ID
 The Windows Registry utilizes a
alphanumeric combination to uniquely
identify a security principal or security
group.
 The Security ID (SID) is used to identify the
computer system.
 The Relative ID (RID) is used to identity the
specific user on the computer system.
 The SID appears as:
 S-1-5-21-927890586-3685698554-67682326-
1005
SID Examples

SID: S-1-0
Name: Null Authority
Description: An identifier authority.
 SID: S-1-0-0
Name: Nobody
Description: No security principal.
 SID: S-1-1
Name: World Authority
Description: An identifier authority.
 SID: S-1-1-0
Name: Everyone
Description: A group that includes all users, even anonymous users and
guests. Membership is controlled by the operating system.
 SID: S-1-2
Name: Local Authority
Description: An identifier authority.
 SID: S-1-3
Name: Creator Authority
Description: An identifier authority.
SID
 Security ID
 NT/2000/XP/2003
 HKLM>SAM>Domains>Accounts>Aliases>Members
 This key will provide information on the computer identifier
 HKLM>SAM>Domains>Users
 This key will provide information in hexadecimal
 User ID
 Administrator – 500
 Guest – 501
 Global Groups ID
 Administrators – 512
 Users – 513
 Guest - 514
MRU

 To identify the Most Recently Used (MRU)

files on a suspect computer system:
 Windows 9x/Me
 User.dat
 Search should be made for MRU, LRU, Recent
 Windows NT/2000
 Ntuser.dat
 Search should be made for MRU, LRU, Recent
 Windows XP/2003
 HKU>UserSID>Software>Microsoft>Windows>
CurrentVersion>Explorer>RecentDoc
 Select file extension and select item
Registry Forensics
 Registry keys have last modified time-stamp
 Stored as FILETIME structure
 like MAC for files
 Not accessible through reg-edit
 Accessible in binary.
Registry Forensics

 Registry Analysis:
 Perform a GUI-based live-system analysis.
 Easiest, but most likely to incur changes.
 Use regedit.
 Perform a command-line live-system analysis
 Less risky
 Use “reg” command.
 Remote live system analysis
 regedit allows access to a remote registry
 Superscan from Foundstone
 Offline analysis on registry files.
 Encase, FTK (Access data) have specialized tools
 regedit on registry dump.
Registry Forensics

Websites
Registry Forensics: NTUSER.DAT
 AOL Instant Messenger Away messages
 File Transfer & Sharing
 Last User
 Profile Info
 Recent Contacts
 Registered Users
 Saved Buddy List
Registry Forensics: NTUSER.DAT
 ICQ
 IM contacts, file transfer info etc.
 User Identification Number
 Last logged in user
 Nickname of user
Registry Forensics: NTUSER.DAT
 Internet Explorer
 IE auto logon and password
 IE search terms
 IE settings
 Typed URLs
 Auto-complete passwords
Registry Forensics: NTUSER.DAT
IE explorer Typed URLs
Registry Forensics: NTUSER.DAT
 MSN Messenger
 IM groups, contacts, …
 Location of message history files
 Location of saved contact list files
Registry Forensics: NTUSER.DAT

Last member name in MSN messenger

Registry Forensics: NTUSER.DAT
 Outlook express account passwords
Registry Forensics
 Yahoo messenger
 Chat rooms
 Alternate user identities
 Last logged in user
 Encrypted password
 Recent contacts
 Registered screen names
Registry Forensics
 System:
 Computer name
 Dynamic disks
 Install dates
 Last user logged in
 Mounted devices
 Windows OS product key
 Registered owner
 Programs run automatically
 System’s USB devices
Registry Forensics
Registry Forensics
USB Devices
Registry Forensics
 Networking
 Local groups
 Local users
 Map network drive MRU
 Printers
Registry Forensics Winzip
Registry Forensics
List of applications and filenames of the most
recent files opened in windows
Registry Forensics
Most recent saved (or copied) files
Registry Forensics
 System
 Recent documents
 Recent commands entered in Windows run box
 Programs that run automatically
 Startup software
 Good place to look for Trojans
Registry Forensics
 User Application Data
 Adobe products
 IM contacts
 Search terms in google
 Kazaa data
 Windows media player data
 Word recent docs and user info
 Access, Excel, Outlook, Powerpoint recent files
Registry Forensics
 Go to
 Access Data’s Registry Quick Find Chart
Registry Forensics

Case Study
(Chad Steel: Windows Forensics, Wiley)
Department manager alleges that individual copied
confidential information on DVD.
No DVD burner was issued or found.
Laptop was analyzed.
Found USB device entry in registry:
PLEXTOR DVDR PX-708A
Found software key for Nero - Burning ROM in registry
Therefore, looked for and found Nero compilation files (.nrc).
Found other compilation files, including ISO image files.
Image files contained DVD-format and AVI format versions of
copyrighted movies.
Conclusion: No evidence that company information was
burned to disk. However, laptop was used to burn
Registry Forensics
 Intelliform:
 Autocomplete feature for fast form filling
 Uses values stored in the registry
 HKEY_CURRENT_USER\Software\Microsoft\Protected
Storage System Provider
 Only visible to SYSTEM account
 Accessible with tools such as Windows Secret
Explorer.
Registry Forensics:
AutoStart Viewer (DiamondCS)
Registry Research

 Use REGMON (MS Sysinternals) to monitor

changes to the registry
 Registry is accessed constantly
 Need to set filter
 Or enable Regmon’s log boot record
 Captures registry activity in a regmon file
 Do it yourself: Windows API
 RegNotifyChangeKeyValue
 Many commercial products
 DiamondCS RegProt
 Intercepts changes to the registry
Registry Forensics Investigation

 Forensics tools allow registry investigation from

image of drive
 Differences between life and offline view
 No HARDWARE hive (HKLM)
 Dynamic key, created at boot
 No virtual keys such as HKEY_CURRENT_USER
 Derived from SID key under HKEY_USERS
 Source file is NTUSER.DAT
 Do not confuse current and repair versions of registry files
 %SystemRoot%\system32\config (TRUE registry)
 %SystemRoot%\repair (repair version of registry)
Registry Forensics Investigation

 Forensics search can reveal backups of

registry
 Intruders leave these behind when resetting
registry in order not to damage system
Registry Forensics Investigation
 Time is Universal Time Coordinated
 a.k.a. Zulu
 a.k.a Greenwhich Time
Registry Forensics Investigation
 Software Key
 Installed Software
 Registry keys are usually created with installation
 But not deleted when program is uninstalled
 Find them
 Root of the software key
 Beware of bogus names
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersio
n\App Paths
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersio
n\Uninstall
 If suspicious, use information from the registry to find the
actual code
 Registry time stamps will confirm the file MAC data or show
them to be altered
Registry Forensics Investigation

 Software Key
 Last Logon
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\WinLogon
 Logon Banner Text / Legal Notice
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\WinLogon
 Security Center Settings
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Shar
edAccess\Parameters\FirewallPolicy
 If firewall logging is enabled, the log is typically at %SystemRoot
%/pfirewall.log
Registry Forensics Investigation
Registry Forensics Investigation
 Analyze Restore Point Settings
 Restore points developed for Win ME / XP
 Restore point settings at
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\SystemRestore
 Restore points created every RPGlobalInterval value
seconds (~every 24h)
 Retention period is RPLifeInterval seconds (default 90
days)
 Restore point taking in ON by default
 Restore points in System Volume Information\restore…
Registry Forensics Investigation
 Aside: How to access restore points
 Restore points are protected from user, including
administrator
 Administrator can add her/himself to the access
list of the system volume directory
 Turn off “Use simple file sharing” in Control Panel 
Folder Options
 Click on “Properties” of the directory in Explorer and
Registry Forensics Investigation
 Restore point
 makes copies of important system and program
files that were added since the last restore
points
 Files
 Stored in root of RP### folder
 Names have changed
 File extension is unchanged
 Name changes kept in change.log file
 Registry data
 in Snapshot folder
 Names have changed, but predictably so
Registry Forensics Investigation
 SID (security identifier)
 Well-known SIDs
 SID: S-1-0 Name: Null Authority
 SID: S-1-5-2 Name: Network
 S-1-5-21-2553256115-2633344321-4076599324-1006
 S string is SID
 1 revision number
 5 authority level (from 0 to 5)
 21-2553256115-2633344321-4076599324 domain or local computer
identifier
 1006 RID – Relative identifier
 Local SAM resolves SID for locally authenticated users (not
domain users)
 Use recycle bin to check for owners
Registry Forensics Investigation

Resolving local SIDs through the Recycle Bin

(life view)
Registry Forensics Investigation
 Protected Storage System Provider data
 Located in NTUSER.DAT\Software\Microsoft\
Protected Storage System Provider
 Various tools will reveal contents
 Forensically, AccessData Registry Viewer
 Secret Explorer
 Cain & Abel
 Protected Storage PassView v1.63
Registry Forensics Investigation
 MRU: Most Recently Used
 HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curr
entVersion\Exlorer\RunMRU
 HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curr
entVersion\Exlorer\Map Network Drive MRU
 HKEY_CURRENT_USER\Printers\Settings\Wizard\ConnectM
RU
 HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curr
entVersion\Exlorer\ComDlg32
 Programs and files opened by them
 Files opened and saved
 HKEY_CURRENT_USER\SOFTWARE\Microsoft\Search
Assistant\ACMru
Registry Forensics Investigation
Registry Forensics Investigation
Registry Forensics Investigation
Registry Forensics Investigation
Registry Forensics Investigation
 HKEY_CURRENT_USER\SOFTWARE\Microsof
t\Windows\CurrentVersion\Exlorer\UserAssi
st\{*********}\Count
 ROT-13 encoding of data used to populate the
User Assist Area of the start button
 Contains most recently used programs
Registry Forensics Investigation
Registry Forensics Investigation
 AutoRun Programs
 Long list of locations in registry
 Long list of locations outside the registry
 SystemDrive\autoexec.bat
 SystemDrive\config.exe
 Windir\wininit.ini
 Windir\winstart.bat
 Windir\win.ini
 Windir\system.ini
 Windir\dosstart.bat
 Windir\system\autoexec.nt
 Windir\system\config.nt
 Windir\system32\autochk.exe
Registry Forensics Investigation
 Rootkit Enabler
 Attacker can use AppInit_DLL key to run own DLL.