An Examination of the Windows™ Registry


Windows™ Forensics: An Examination of the Windows™ Registry

Windows Registry The Windows Registry defies easy description. It acts as a “central repository” for user information and system information. Parts of it are stored in files on disk; other parts are generated on the fly at boot.

Windows Registry Windows Registry (technical) The registry is a persistent storage mechanism for system and user settings, accessed through the Windows registry API (RegOpenKeyEx, RegQueryValueEx and friends) relative to the HKEY_* root keys. This is not entirely useful as a starting definition.

Windows Registry Registry Root Keys (commonly, if loosely, called hives) HKEY_LOCAL_MACHINE (HKLM) HKEY_CURRENT_CONFIG (HKCC) HKEY_CLASSES_ROOT (HKCR) HKEY_CURRENT_USER (HKCU)* HKEY_USERS (HKU) *HKCU is actually a symbolic link to the subkey of HKU named for the SID of the user currently logged on. HKCC and HKCR are likewise views built from HKLM (and, for HKCR, from HKCU as well) rather than separate files on disk; the real hive files are the ones listed on the next slide.

Windows Registry Registry File Locations %SystemRoot%\System32\config\... SAM, Security Accounts Manager: local user and group accounts, including password hashes (not plaintext passwords) SYSTEM, system configuration details, including USB storage and drive letter mappings SECURITY, local security policy, LSA secrets and cached domain logon information SOFTWARE, installed programs and their settings \Users\%user%\ NTUSER.DAT, per-user settings and protected storage (under \Documents and Settings\%user%\ on Windows XP; a second per-user hive, UsrClass.dat, lives under the user’s AppData\Local\Microsoft\Windows\)

Windows Registry HKLM\SYSTEM\CurrentControlSet\Control\hivelist Lists the hives loaded on the running system and the file backing each one. Volatile Sub-keys Some keys within a hive are composed at boot time and never exist on disk: HKLM\HARDWARE HKLM\SYSTEM\Clone

Windows Registry Why Do We Locate the Files? Reason for the question: on a running system the kernel holds these files open exclusively, so their contents can only be reached as hives through regedit or a similar program. Why not just use hive names? Answer: static forensics (working from a disk image) lets us read the hive files directly, without the locks and without trusting the live system.

Windows Registry %Root%\System32\Config\SAM Logon password hashes No extension, just the file “SAM” This file is usually extracted for password cracking; the hashes are encrypted with a key derived from the SYSTEM hive, so SYSTEM is extracted along with it. It cannot be copied with ordinary file operations on an active system, but it can be copied using other tools (reg save HKLM\SAM, a volume shadow copy, or a raw NTFS reader).

Windows Registry %Root%\System32\Config\SYSTEM MountedDevices (drive letter mappings of current and previously attached storage devices) USBSTOR: current and previously attached USB storage devices, keyed by serial number or a Windows-generated ID Many, many other system configuration variables. This file is invaluable for intellectual property theft cases.

Windows Registry Mounted Device Storage media that is assigned a drive letter on a Windows system is considered a mounted device. Note: drive letters may change, either by user action (Disk Management) or because devices were mounted and unmounted in a different order.

Windows Registry Device Signature This 4-byte value is found at offset 0x1B8 of the Master Boot Record (sector 0) of any MBR-partitioned disk, whatever file system its partitions hold (NTFS, FAT, ...). Example: 6a bb 6a bb

Windows Registry Device Signature The same bytes appear in the SYSTEM hive under MountedDevices, as the first 4 bytes of the value stored for a drive letter (followed by the partition’s starting byte offset), which ties the drive letter to the physical disk. Example: 6a bb 6a bb is C:\
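The signature matching described on the last two slides, as an added example (this code is not from the presentation): a small Python decoder for MountedDevices values, run over constructed sample values. It assumes the value layouts Windows uses for MBR volumes (4-byte disk signature followed by the 8-byte partition start offset), GPT volumes (a DMIO:ID: prefix and the partition GUID) and removable volumes (a UTF-16LE device interface path); the sample MBR sector, drive letters, device path and GUID are made up.

```python
"""Decode HKLM\\SYSTEM\\MountedDevices values and match an MBR disk signature.

Added example (not from the presentation). All sample bytes are constructed.
Assumed value layouts, which hold from Windows XP through Windows 10:
  * MBR volume:        12 bytes = 4-byte disk signature + 8-byte partition start offset
  * GPT volume:        b"DMIO:ID:" + 16-byte partition GUID
  * removable volume:  UTF-16LE device interface path (e.g. \\??\\STORAGE#RemovableMedia#...)
"""
import struct
import uuid

MBR_SIGNATURE_OFFSET = 0x1B8  # the 4-byte disk signature sits here in sector 0


def disk_signature_from_mbr(sector0: bytes) -> bytes:
    """Return the raw 4 signature bytes from a 512-byte MBR sector."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector (missing 55 AA boot signature)")
    return sector0[MBR_SIGNATURE_OFFSET:MBR_SIGNATURE_OFFSET + 4]


def decode_mounted_device(data: bytes) -> dict:
    """Classify and decode one MountedDevices value."""
    if len(data) == 12:
        signature, offset = struct.unpack("<4sQ", data)
        return {"kind": "mbr", "signature": signature.hex(" "), "partition_offset": offset}
    if len(data) == 24 and data.startswith(b"DMIO:ID:"):
        return {"kind": "gpt", "partition_guid": str(uuid.UUID(bytes_le=data[8:]))}
    try:
        text = data.decode("utf-16-le")
    except UnicodeDecodeError:
        return {"kind": "unknown", "raw": data.hex()}
    return {"kind": "device_path", "path": text.rstrip("\x00")}


def match_drive_letters(mounted: dict, signature: bytes) -> list:
    """Drive letters whose MountedDevices entry carries this MBR disk signature."""
    letters = []
    for name, data in mounted.items():
        if not name.startswith("\\DosDevices\\"):
            continue
        info = decode_mounted_device(data)
        if info["kind"] == "mbr" and info["signature"] == signature.hex(" "):
            letters.append(name.rsplit("\\", 1)[-1])
    return sorted(letters)


def sample_mbr() -> bytes:
    """Constructed sector 0 carrying the signature used on the slide (6a bb 6a bb)."""
    sector = bytearray(512)
    sector[MBR_SIGNATURE_OFFSET:MBR_SIGNATURE_OFFSET + 4] = bytes.fromhex("6abb6abb")
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


# Constructed MountedDevices key: C: on the MBR disk above (partition starting at
# sector 63 = byte 0x7E00), E: a removable volume, F: a GPT partition.
SAMPLE_MOUNTED_DEVICES = {
    "\\DosDevices\\C:": bytes.fromhex("6abb6abb") + struct.pack("<Q", 0x7E00),
    "\\DosDevices\\E:": (
        "\\??\\STORAGE#RemovableMedia#7&1a2b3c4d&0&RM#"
        "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    ).encode("utf-16-le"),
    "\\DosDevices\\F:": b"DMIO:ID:" + uuid.UUID("12345678-1234-5678-1234-56789abcdef0").bytes_le,
}


if __name__ == "__main__":
    sig = disk_signature_from_mbr(sample_mbr())
    print("MBR signature:", sig.hex(" "), "->", match_drive_letters(SAMPLE_MOUNTED_DEVICES, sig))
    for name, data in SAMPLE_MOUNTED_DEVICES.items():
        print(name, decode_mounted_device(data))
```

In a real case the sector comes from the disk image and the MountedDevices values from the SYSTEM hive of the same image; the 4 signature bytes are compared as raw bytes in the order they appear on disk, which is also how regedit displays them.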

Windows Registry \Users\%User%\NTUSER.DAT This file is altered when a user logs on, and at other times during normal use. It is loaded under HKU\<SID>; the SID (Security Identifier) is matched to a user name through the profile path recorded under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. User Assist Key (programs activated)

Windows Forensics Forensic Value in the Registry Last logged on user HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (value DefaultUserName) Account that last logged onto the system Last key edited by RegEdit HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit (value LastKey) One way to detect interactive registry manipulation

Windows Forensics Registry Forensics Cookbooks and procedures that prescribe the examination of particular registry keys are not supported by sound forensic practice. Any policy that mandates a particular procedure will only bind the examiner and may be used against him or her. Such locations may change with new versions, or may not be present or useful if the system has been altered.

Windows Forensics Forensic Value in the Registry Attached Devices HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB List of installed USB devices USB Storage HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR External storage used to bring files to a system or remove them

Windows Forensics Entries for each unique device are stored under their unique serial number. The ParentIdPrefix is a Windows-assigned identifier for the device instance that can be associated with a storage volume. Windows writes a device class entry that can be checked against setupapi.dev.log to determine the first connection for that CLASS of device. If there is one instance of the device, that will be it. If there are multiple instances of the same device type, it will only tell the first date. More on the class entry below.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\ creates a class entry (Disk&Ven_...&Prod_...&Rev_...) to identify the driver. Within this key, it creates unique instances based on the serial number reported by the USB device or on a system-generated value. If the unique ID has an ampersand (&) as the second character, it is a system-generated value, assigned because the device reported no serial number. The serial number comes from the Device Descriptor returned by the device’s USB controller. It can be read with UVCView (see 1, below), but will not be imaged during normal forensic acquisition.

I have confirmed that the system-generated value changes with each system and that serial numbers from the USB controller are stable, but not completely reliable. Serial numbers can easily be reprogrammed, but it is unlikely to happen by accident (see 2, below). Over the years, I have found that many USB devices are programmed with a non-unique serial number (especially the cheap ones that DoJ provided from China). I had a class of LEOs try at least 30 from one run DoJ distributed and found all had the same serial number. Name-brand devices have always had unique numbers in my experience. Counterfeits with altered drive sizes tend to have the same serial number too, according to the Web and my two cases involving that issue.

You can match the unique instance to the mounted volume using the ParentIdPrefix, by drilling down in the Control Set. The Device GUID identifies the class entry (the key that contains several unique devices of one type, i.e. using one driver) after the Friendly Name. The Volume GUID identifies the ParentIdPrefix. The last-write times of the GUID keys tell the last attached time.

FOOTNOTES 1. There is a utility called UVCView (see https://msdn.microsoft.com/en-us/library/windows/hardware/ff554257(v=vs.85).aspx) from Microsoft that lets you read the descriptors of a USB device. 2. For a good reference on USB serial numbers and reliability, see https://fixfakeflash.wordpress.com/ Windows 7 changed this a little with Compatible IDs; see https://msdn.microsoft.com/windows/hardware/drivers/install/compatibleid-registry-subkey

Windows Forensics UVCView

Windows Forensics FireWire (IEEE 1394) is less useful because Windows does not register unique IDs for these devices.

Windows Forensics Forensic Value in the Registry User Assist Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist Per-user record of programs launched through the shell

Windows Forensics User Assist Key This is an obfuscated registry entry that tracks use of the user interface; for example, programs launched through Windows Explorer.

Windows Forensics Spotting User Assist Information HRZR_EHACNGU = UEME_RUNPATH User Assist value names are obfuscated with ROT-13: each letter is shifted 13 places, while digits, punctuation and path separators are left unchanged.

Windows Forensics An early session shows driver installation: UEME_CTLSESSION, Intel Mobile chipset.

Windows Forensics This later entry shows use of the ntbackup utility from the E:\ drive (an external drive).
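The decoding described on the preceding User Assist slides, as an added example (this code is not from the presentation): a Python decoder for Windows XP-era UserAssist entries that un-ROT-13s the value names and unpacks the 16-byte value data. The entries are constructed; the assumed XP layout is session id, run count and last-run FILETIME, all little-endian, with the documented XP quirk that the stored count is 5 higher than the real number of runs. Vista and later store a different, 72-byte value and are not handled here.

```python
"""Decode Windows XP-era UserAssist entries: ROT-13 value names and 16-byte value data.

Added example (not from the presentation); the entries below are constructed.
Assumed XP value layout, little-endian: session id (uint32), run count (uint32),
last-run FILETIME (uint64). On XP the stored count is biased by +5 (a documented
quirk), so 5 is subtracted. Vista and later use a different 72-byte layout.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
XP_COUNT_BIAS = 5


def rot13(text: str) -> str:
    """ROT-13 is its own inverse, so this both encodes and decodes names."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)  # digits, punctuation and path separators are untouched
    return "".join(out)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_xp_userassist(name: str, data: bytes) -> dict:
    if len(data) != 16:
        raise ValueError(f"expected 16-byte XP UserAssist value, got {len(data)} bytes")
    session, count, ft = struct.unpack("<IIQ", data)
    return {
        "name": rot13(name),
        "session": session,
        "run_count": max(count - XP_COUNT_BIAS, 0),
        "last_run": filetime_to_datetime(ft) if ft else None,
    }


def decode_entries(entries: dict) -> list:
    """Decode every value under a ...\\UserAssist\\{GUID}\\Count key."""
    return [decode_xp_userassist(name, data) for name, data in entries.items()]


def _xp_value(session: int, runs: int, last_run) -> bytes:
    """Build constructed sample data the way XP would store it."""
    ft = datetime_to_filetime(last_run) if last_run else 0
    return struct.pack("<IIQ", session, runs + XP_COUNT_BIAS, ft)


# Constructed entries with ROT-13 names, as they appear under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
SAMPLE_ENTRIES = {
    "HRZR_EHACNGU:P:\\JVAQBJF\\flfgrz32\\abgrcnq.rkr":
        _xp_value(0x1A, 2, datetime(2008, 5, 7, 9, 12, tzinfo=timezone.utc)),
    "HRZR_EHACNGU:R:\\agonpxhc.rkr":
        _xp_value(0x1A, 12, datetime(2008, 5, 7, 14, 30, tzinfo=timezone.utc)),
}


if __name__ == "__main__":
    for entry in decode_entries(SAMPLE_ENTRIES):
        print(entry["name"], entry["run_count"], entry["last_run"])
```

The FILETIME conversion is the same one needed for most registry timestamps (key last-write times included), so it is worth keeping as a separate helper.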

Windows Forensics Working with Registry Files Many applications that keep settings in the registry do not write them until they exit. Users cannot access certain hive files while the system is running (for example SAM), because the kernel holds them open. “Live” forensic tools can copy the SAM through the Windows registry API rather than through the file system. It is functionally impossible to enumerate all areas of the registry of forensic interest; the nature of the investigation and a basic knowledge of the registry contents will suggest the most productive areas to explore.

Windows Forensics Logs Event logs C:\Windows\System32\config (.evt files, Windows XP/2003) or C:\Windows\System32\winevt\Logs (.evtx files, Windows Vista and later) The .evt and .evtx files are the system logs SetupAPI Device Log C:\Windows\inf\setupapi.dev.log (on XP, C:\Windows\setupapi.log) Log that can help confirm when devices were first installed
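The USBSTOR-to-setupapi correlation described in the USB notes above and on this slide, as an added example (this code is not from the presentation): Python that parses Enum\USBSTOR key names into vendor, product, revision and serial, flags instance IDs that Windows generated because the device reported no serial (second character is an ampersand), and joins them to the first “Device Install” section for the same instance path in setupapi.dev.log to get a first-connection time. The key names and log lines are constructed; the Vista-and-later log format (a `>>>  [Device Install (Hardware initiated) - ...]` header followed by `>>>  Section start` with a timestamp) is an assumption the parser relies on.

```python
"""Parse Enum\\USBSTOR key names and correlate them with setupapi.dev.log.

Added example (not from the presentation); the key names and log lines are constructed.
Assumptions: USBSTOR layout Enum\\USBSTOR\\<Disk&Ven_x&Prod_y&Rev_z>\\<instance id>;
an instance id whose second character is '&' was generated by Windows because the
device reported no serial number; setupapi.dev.log (Vista and later) records each
device install as a ">>>  [Device Install (Hardware initiated) - <instance path>]"
header followed by ">>>  Section start YYYY/MM/DD HH:MM:SS.mmm" (local time).
"""
import re
from datetime import datetime

DEVICE_KEY_RE = re.compile(r"^Disk&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>[^&]*)$")
INSTALL_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<path>USBSTOR\\[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def parse_usbstor_instance(device_key: str, instance_id: str) -> dict:
    """Split one USBSTOR\\<device key>\\<instance id> pair into its fields."""
    m = DEVICE_KEY_RE.match(device_key)
    if not m:
        raise ValueError(f"unexpected USBSTOR device key: {device_key}")
    generated = len(instance_id) > 1 and instance_id[1] == "&"
    return {
        "vendor": m["ven"],
        "product": m["prod"],
        "revision": m["rev"],
        "instance_id": instance_id,
        # the trailing "&0" is a Windows-added suffix, not part of the serial
        "serial": None if generated else instance_id.rsplit("&", 1)[0],
        "windows_generated_id": generated,
    }


def first_install_times(log_text: str) -> dict:
    """Map upper-cased USBSTOR instance path -> timestamp of its first install section."""
    installs = {}
    pending = None
    for line in log_text.splitlines():
        m = INSTALL_RE.match(line)
        if m:
            pending = m["path"].upper()  # registry paths are case-insensitive
            continue
        m = START_RE.match(line)
        if m and pending is not None:
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f")
            installs.setdefault(pending, ts)  # keep the earliest section per device
            pending = None
    return installs


def correlate(usbstor_keys, log_text: str) -> list:
    """Attach a first-install time (or None) to each USBSTOR instance."""
    installs = first_install_times(log_text)
    rows = []
    for device_key, instance_id in usbstor_keys:
        row = parse_usbstor_instance(device_key, instance_id)
        path = f"USBSTOR\\{device_key}\\{instance_id}".upper()
        row["first_install"] = installs.get(path)
        rows.append(row)
    return rows


# Constructed (device key, instance id) pairs as they would be read from
# HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR in a SYSTEM hive.
SAMPLE_USBSTOR_KEYS = [
    ("Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26", "4C530001230103103291&0"),
    ("Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07", "7&1a2b3c4d&0"),
    ("Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP", "001CC0EC34F1BB30&0"),
]

# Constructed setupapi.dev.log excerpt (the Kingston device never appears in it).
SAMPLE_SETUPAPI_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\4C530001230103103291&0]
>>>  Section start 2012/03/14 10:22:31.123
     cmd: C:\Windows\system32\svchost.exe -k netsvcs
<<<  Section end 2012/03/14 10:22:34.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1a2b3c4d&0]
>>>  Section start 2012/04/01 09:05:02.000
<<<  Section end 2012/04/01 09:05:05.111
<<<  [Exit status: SUCCESS]
"""


if __name__ == "__main__":
    for row in correlate(SAMPLE_USBSTOR_KEYS, SAMPLE_SETUPAPI_LOG):
        print(row)
```

A device with a Windows-generated ID cannot be tied to a particular physical stick across systems (the notes above explain why), and a device missing from the log was either installed before the log was rotated or never installed on this machine; both outcomes are reported rather than guessed at.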

Windows Forensics Directories Temp folder C:\Users\%User%\AppData\Local\Temp Working space that is writable with only user-level privileges, which is very convenient for malware and attackers Windows Prefetch C:\Windows\Prefetch Prefetch is a Windows feature meant to speed up application start and boot times by recording which files each program touches. It leaves a .pf file per executable that can be used to identify executables run on the system, along with a run count and the last run time.
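Reading the prefetch evidence mentioned above, as an added example (this code is not from the presentation): a Python parser for the header of an uncompressed .pf file that recovers the executable name, the hash that forms part of the file name, the run count and the last run time. The sample files are built in memory; the assumed offsets are the format-version 17 (XP/2003) and 23 (Vista/7) header layouts, with the last-run FILETIME at 0x78/0x80 and the run count at 0x90/0x98 respectively. Windows 8 adds more timestamps and Windows 10 compresses the whole file, so those versions are rejected rather than misread.

```python
"""Parse the header of an uncompressed Windows Prefetch (.pf) file.

Added example (not from the presentation); the sample files are built in memory.
Assumed header layout (versions 17 = XP/2003 and 23 = Vista/7): format version at
offset 0, "SCCA" signature at 4, file size at 12, executable name as UTF-16LE at
16 (60 bytes), prefetch hash at 76; then
  v17: last-run FILETIME at 0x78, run count at 0x90
  v23: last-run FILETIME at 0x80, run count at 0x98
Windows 8 adds more timestamps and Windows 10 compresses the file (MAM header);
neither is handled here.
"""
import struct
from datetime import datetime, timedelta, timezone

SIGNATURE = b"SCCA"
LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98)}  # version -> (last_run offset, run_count offset)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_prefetch(data: bytes) -> dict:
    """Return the header fields of a v17/v23 prefetch file."""
    if data[4:8] != SIGNATURE:
        raise ValueError("no SCCA signature (Windows 10 .pf files are MAM-compressed)")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    prefetch_hash = struct.unpack_from("<I", data, 76)[0]
    last_off, count_off = LAYOUT[version]
    last_run_ft = struct.unpack_from("<Q", data, last_off)[0]
    run_count = struct.unpack_from("<I", data, count_off)[0]
    return {
        "version": version,
        "executable": name,
        "hash": f"{prefetch_hash:08X}",
        # the on-disk name is <EXE>-<HASH>.pf; a mismatch means the file was renamed
        "expected_filename": f"{name}-{prefetch_hash:08X}.pf",
        "run_count": run_count,
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


def build_sample(version: int, name: str, run_count: int, last_run: datetime, prefetch_hash: int) -> bytes:
    """Construct a header-only .pf image for the example (not real data)."""
    last_off, count_off = LAYOUT[version]
    buf = bytearray(count_off + 4)
    struct.pack_into("<I", buf, 0, version)
    buf[4:8] = SIGNATURE
    struct.pack_into("<I", buf, 12, len(buf))
    encoded = name.encode("utf-16-le")
    buf[16:16 + len(encoded)] = encoded
    struct.pack_into("<I", buf, 76, prefetch_hash)
    ft = ((last_run - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    struct.pack_into("<Q", buf, last_off, ft)
    struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)


SAMPLE_LAST_RUN = datetime(2008, 5, 7, 14, 31, tzinfo=timezone.utc)
SAMPLE_XP = build_sample(17, "NTBACKUP.EXE", 3, SAMPLE_LAST_RUN, 0x2F1A4C6B)
SAMPLE_WIN7 = build_sample(23, "NTBACKUP.EXE", 3, SAMPLE_LAST_RUN, 0x2F1A4C6B)


if __name__ == "__main__":
    for sample in (SAMPLE_XP, SAMPLE_WIN7):
        print(parse_prefetch(sample))
```

Pairing the executable name here with the UserAssist entry for the same program (earlier slides) gives two independent records of the same execution, which is exactly the kind of corroboration the caution on cookbook procedures calls for.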

Windows Registry Intellectual Property Theft In a typical case, an employee may suddenly leave the company and go to work for a contractor or competitor. The investigation is often initiated on a hunch or if clients notify the former employer that they are being solicited. Depending on the company’s policy, an investigator will usually have access to the departing employee’s desktop and laptop.

Windows Registry Intellectual Property Theft Litigation and employee malfeasance are increasingly coming to the attention of corporate leadership. Computer security policies and response plans must now account for these risks. Retaining a departing employee’s hard disk (rather than repurposing it) is just as important as changing passwords.

Windows Registry Productive areas for analysis include: Attached storage devices Link files to external devices Evidence of wiping software Use of corporate E-mail system to send confidential files to external addresses (often personal addresses) Webmail accounts References to competitor/contractors regarding employment

Windows Registry The SYSTEM file contains a key called USBSTOR. This key lists every USB storage device that has been attached to that installation of Windows, and its subkeys’ last-write times give the date each device was last attached. The SYSTEM file also contains keys called 1394 (records FireWire devices) and SCSI (records SATA devices on particular bridges). ExpressCard™ eSATA devices do not register as removable devices.

Monkeys…lol Yeah, I know, it is an ape technically…whatever.