Registry 101 Registry 201 SAM artifacts

Presentation transcript:

Windows Registry I: Registry 101, Registry 201, SAM artifacts

Windows Registry
- What is the Windows registry? A core OS component: a hierarchical database of configuration information about hardware, software, users, applications, date and time. It records, for example, when a user had access, when the system last had access, and when a file was accessed.
- What is registry analysis? Not just pressing a key and looking at the result.
- Purpose of the Windows Registry: it tells the OS and applications what to do, where to put things and how to react. Examples: clear the page file at shutdown; launch the game after shutdown and logout.

Registry Editor (regedit)
- Access: regedit, reg.exe, Win key+R

Registry function
Let's say you start MS Word and open a document from the recent files list:
1. The Windows API searches the registry for Word's CLSID identifier under Software -> CLSID.
2. Windows then reads Word's "recent docs" setting in the registry to identify the document.
3. Windows then locates the selected file and opens it.
A very simplified view!

Investigate volatile information
- Shows up when the system boots or a user logs in. Must be collected while the system is still running.
- HKEY_CURRENT_USER hive: does not exist on an acquired image of the system. Contains a VALUE named PROGRAM COUNT, the number of programs you have running on the desktop.
- HKEY_LOCAL_MACHINE\Hardware: information about the connected devices; CurrentControlSet, ControlSet00, ControlSet01.
- HKEY_CLASSES_ROOT: when the system boots, built from HKEY_LOCAL_MACHINE\Software\Classes; when the user logs in, from HKEY_CURRENT_USER\Software\Classes.

Registry import/export
- Regedit export (Save as type): .reg files (key-value pairs, text); registry hive files (no extension, binary, for analysis); text file backups (.txt).
- Both FTK and FTK Imager can export registry files from an image: either navigate to them and export, or use File > Obtain Protected Files, which gets the registry files from the running computer.
Notes on System Restore: there are considerable differences between how System Restore works under Windows XP and Windows Vista. In Windows XP, System Restore can be configured to use up to a maximum of 12% of the volume's space for most disk sizes [5]; this may be less depending on the volume's size. In Windows Vista, System Restore is designed for larger volumes and cannot be enabled on volumes smaller than 1 GB. [7] By default it uses 15% of the volume's space. [6] The reserved space can be adjusted with the command-line tool Vssadmin.exe. Up to Windows XP, files are backed up only from certain directories. On Windows Vista, the set of files is defined by monitored extensions outside the Windows folder, plus everything under the Windows folder. [8] Up to Windows XP, it excludes any file types used for users' personal data, such as documents, digital photographs, media files, e-mail, etc. It also excludes the monitored set of file types (.DLL, .EXE etc.) from folders such as My Documents. Microsoft recommends that if a user is unsure whether certain files will be modified by a rollback, they should keep those files under My Documents. [5] When a rollback is performed, the files monitored by System Restore are restored and newly created folders are removed. On Windows Vista, however, it excludes only document file types; it does not exclude any monitored file type regardless of its location, and it operates on the entire volume.

Registry backup
- Restore points: registry and certain system files, stored in C:\System Volume Information; created every 24h by default; kept up to 90 days. Restore points differ greatly between XP and Vista: http://en.wikipedia.org/wiki/System_Restore
- Regedit restore, 4 ways: Import; double-click the .reg file; right-click the .reg file and Merge; right-click the .reg file and open it with regedit.

Registry
- Has permissions based on user privileges (as NTFS files do).
- Windows Vista uses the C:\WINDOWS\system32\config\regback folder instead of C:\WINDOWS\REPAIR for backups.

FTK RV (Registry Viewer)
- Note that the "tree" structure is the same as in Windows Explorer.
- Also note: Hive, Key / Subkey, Values, Hex Viewer values, Properties pane.
- Q: why is it better to use forensic tools for registry investigation?

FTK Registry Viewer
- Registry Viewer search (Edit > ...): Standard search (Quick find); Advanced search (multiple key hit display); Date search (search by last written date).
- Registry Reports (Report > ...): select keys and add. Type: HTML. Display key properties; standard bookmarks show all values; summary reports allow value selection.

Location of the Windows Registry
- DOS: Autoexec.bat (software settings) and Config.sys (hardware settings)
- Windows 3.x: .ini files
- Windows 9x: User.dat, System.dat
- Windows XP: SAM, Security, Software, System
- Windows Vista: SAM, Security, Software, System and Components
- User-specific information: NTUSER.dat. Win 2000, XP, 2003: the Documents and Settings directory; Win 7: the Users directory. Also USRCLASS.dat.

Registry issues
- No checksum or ability to self-repair
- No ability to boot if corrupted
- No ability to edit if not booted
- No ability to transfer settings (hive files) to another system; .reg files are OK
- The system uses a GUI for standard user access; not the most user-friendly or efficient interface ...

Forensic registry benefits
- MRUs (most recently used)
- Typed URLs
- System users
- Installed devices
- System time settings
- Registered user information
- Passwords and hashes
- Internet search queries and form data
- Date and time information of registry key updates
- Network and wireless settings and connection information
- Some applications store the password in clear text in the registry!

Hives
- Name format: HKEY_HIVE_NAME, often shortened to HKCU, HKLM etc. (H = Handle).
- HKLM and HKU are the real hives (registry root files, containing subkeys); they are created from files at startup and they in turn create the three other hives (aliases or links).
- Hive files are made up of 4 KB sections or "bins": a regf block followed by hbin blocks. "regf" is the first four bytes of a normal hive file and identifies the type of registry file; every 4096 bytes there is an "hbin" block.
(diagram: regf | hbin | hbin | hbin)

Hives: HKU (HKEY_USERS)
- Contains the actively loaded user profiles and settings
- Stores information from all users who have ever logged on to the computer
- Default user profile
- Generates HKCU, HKCC and HKCR
(diagram: HKEY_USERS -> HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER)

HKCU (HKEY_CURRENT_USER)
- Contains the profile data of the currently logged-on user, from NTUSER.DAT: preferences, profile areas, mapped drives, MRU, etc.
- Copied from HKU upon logon; is subclassed in HKU > SID
- The Software subkey is the most interesting one: it contains the majority of the information about the user

HKCU
- C:\Documents and Settings\<username>\NTUSER.dat; in Vista: C:\Users\<username>\NTUSER.dat
- Contains HKEY_CURRENT_USER hive information such as opened and saved files, wrapped URLs and commands
- Note: sometimes you can find copies of the registry files in the \windows\repair folder (Vista: regback)
- Alien Registry Viewer: http://lastbit.com/arv/default.asp

Common areas (Favorites)
- MRU = Most Recently Used
- Unicode
- HKCU

HKLM
Contains configuration information for the system (hardware and software). Subkeys:
- HARDWARE: created during boot-up; tracks attached dynamic hardware settings; volatile, not stored as a file
- SAM: stores logon information about local users
- SECURITY: storage of passwords and other security info
- SOFTWARE: records global application information
- SYSTEM: archives info about hardware and system configuration
(diagram: HKLM with HKCR and HKCC derived from it)

HKLM files
Remember (HKLM): each user's profile -> NTUSER.DAT

HKCC
- Contains data about the hardware profile
- Is subclassed in HKLM > SYSTEM > CurrentControlSet > Hardware Profiles > Current
- Generally of little forensic interest

HKCR
- Contains file extension associations and class registrations, which enable the correct application to start for a certain file. Example: the "Open with" option when right-clicking a file.
- Is subclassed in HKLM > Software > Classes (global settings) and HKCU > Software > Classes (user settings)
- HKCR per-user settings are mapped to the file system at C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat, or C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat

View active hives Navigate to

Hive block structure
Registry files are constructed from two types of building blocks: regf blocks and hbin blocks.

Hive block structure
- The first block of a registry file only has a regf header. The block is 4096 bytes in length.
- Header contents: offset 0-3, regf signature; offset 12-19, last updated date and time; file name and path information (variable size, from offset 48).

Hive block structure
- The rest of the file is a variable number of hbin blocks (also 4096 bytes each). The first hbin block begins after the regf block.
- Registry information is stored in hbin blocks. When one hbin block is filled, the system creates a new hbin block. The space is not removed afterwards, so data is recoverable even after deletion.
- Offset 0-3 carries the header; offset 20-27 holds the date and time, in the first hbin block only.

Hive block structure
- Header size of 32 bytes; hives only grow in size.
- Each hbin points to the previous hbin block (offset 4-7) and to the next hbin block (offset 8-11), with an offset that is always 0x00100000 as stored (= 4 KB, 0x00001000, when read as little endian).
- Last updated: offset 20-27, first hbin only.
(diagram) File address: 0x00000000 regf | 0x00001000 hbin | 0x00002000 hbin | 0x00003000 hbin
Header layout: 0-3 header; 4-7 offset pointer to previous; 8-11 offset pointer to next. Bytes on disk: [00][10][00][00]; read as little endian this is 0x00001000.
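An added example, not part of the slides: a small Python parser that applies the regf/hbin layout above to a constructed hive. It reads the signature at offset 0-3, the FILETIME at 12-19 and the file name at 48 of the regf block, then walks the hbin chain using the 4-byte value at hbin offset 8-11 as the distance to the next hbin (bytes 00 10 00 00 read little-endian as 0x1000). The sample hive is built in the block, so it runs offline; the name field width of 64 bytes is an assumption taken from the regf format, not from the slides.

```python
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 4096  # the regf base block and each hbin are 4 KB

def filetime_to_datetime(ft):
    """Windows FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def build_sample_hive(n_hbins, filetime, name):
    """Constructed sample hive: one regf block followed by n_hbins hbin blocks."""
    base = bytearray(BLOCK)
    base[0:4] = b"regf"                                    # offset 0-3: signature
    struct.pack_into("<Q", base, 12, filetime)             # offset 12-19: last written
    base[48:112] = name.encode("utf-16-le")[:64].ljust(64, b"\0")  # offset 48: file name
    body = bytearray()
    for i in range(n_hbins):
        hbin = bytearray(BLOCK)
        hbin[0:4] = b"hbin"                                # offset 0-3: signature
        struct.pack_into("<II", hbin, 4, i * BLOCK, BLOCK) # 4-7: offset from first hbin, 8-11: size
        if i == 0:
            struct.pack_into("<Q", hbin, 20, filetime)     # offset 20-27: timestamp, first hbin only
        body += hbin
    return bytes(base + body)

def parse_hive(data):
    """Validate the regf header and walk the chain of hbin blocks."""
    if data[0:4] != b"regf":
        raise ValueError("not a regf hive file")
    last_written = filetime_to_datetime(struct.unpack_from("<Q", data, 12)[0])
    name = data[48:112].decode("utf-16-le").rstrip("\0")
    hbins, pos = [], BLOCK
    while pos + 32 <= len(data):                            # 32-byte hbin header
        sig, rel_off, size = struct.unpack_from("<4sII", data, pos)
        if sig != b"hbin" or size == 0 or size % BLOCK:
            break                                           # slack or damaged tail: stop walking
        hbins.append((pos, rel_off, size))
        pos += size                                         # size == distance to the next hbin
    return {"last_written": last_written, "name": name, "hbins": hbins,
            "whole_blocks": len(data) % BLOCK == 0}

if __name__ == "__main__":
    sample = build_sample_hive(3, 116444736000000000, "System32\\config\\SAM")
    print(parse_hive(sample))
```

A hive whose length is not a multiple of 4096, or whose hbin chain stops early, is worth a second look in an investigation: it points to truncation or damage rather than a cleanly written file.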

Registry key cell structure
- Each hbin block stores the actual registry information (keys, subkeys, values and data).
- There are 7 types of cells in an hbin block:
  - nk: key name; points to the parent key and to child keys/values
  - lf: subkey list (lh in some versions of XP)
  - vk: key value; contains the type and a pointer to the data
  - sk: security key; contains the Windows security descriptor
  - Value list (no header/signature): a simple list of pointers to value records
  - Class information (no header/signature)
  - Data (no header/signature): variable-length raw value data
- Key names are likely to be the most important forensic evidence of this group.
- Note: key names appear reversed here because of endianness.

Registry key cell structure

Registry value cell structure

Registry Value types

Resources:
- http://technet.microsoft.com/en-us/library/cc750583.aspx
- http://pogostick.net/~pnh/ntpasswd/