- Microsoft Windows Unquoted Service Path Enumeration vulnerability.


Windows Registry. “The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace. A local attacker could gain elevated privileges by inserting an executable file in the path of the affected service.” - Microsoft Windows Unquoted Service Path Enumeration vulnerability.

In This Lecture: Windows Registry Overview Registry Structure Hive File Structure Registry Parsing Tools

Windows Registry. Has always been a central component of Windows and of Windows forensics. Any OS must be able to store system and user configuration and settings. Originally everything was stored in text .INI files. Windows 3.1 introduced the Registry concept, initially to hold the OLE/COM class registrations that enable inter-process communication and dynamic object creation. It has since been expanded to hold most Windows settings and to support the multi-user profile structure.

Windows Registry. Can think of the Registry as a structured database of: the OS’s configuration and settings; running services’ and installed applications’ settings; users’ preferences and profile data. Can also think of a Registry hive as a log file: a great deal of system and user activity is recorded in it, complete with modification time stamps. Registry use is not mandatory for installed applications; some keep their settings in files instead. Registry knowledge base article: https://support.microsoft.com/en-us/help/256986/windows-registry-information-for-advanced-users

Registry Structure - Overview. The Registry is comprised of hives. Each hive begins with a root key. The root key anchors a tree of subkeys and values. Everything in the registry is either a key or a value. Each hive is backed by more than one file in the file system (a primary file plus its transaction logs). On live boxes access to some registry hives or keys is access controlled (for example SAM and SECURITY are readable only as SYSTEM by default). Some registry data is volatile and only exists on live boxes. Artifacts in the registry can persist after the program or user that created them is deleted. Most things happening on the system will touch the registry.

Registry Keys. Contain subkeys and values; similar to directories. Have the LastWrite time property: a 64-bit FILETIME specifying the last time the key was modified in some way. Recall the FILETIME structure: https://support.microsoft.com/en-us/help/188768/info-working-with-the-filetime-structure. Modifications that update LastWrite include key creation and subkey or value creation, modification, or deletion. The hives are anchored using five root keys.

Registry Values. Similar to files. Have three fields: Name, Type, Data (the data is the equivalent of file contents). Do not have LastWrite times of their own; changing a value updates the LastWrite time of the key that holds it. Note that any key, including a subkey, can hold both values and further subkeys.

Root Keys. Each root key stores different information and settings about the running system and the system’s users. The root keys are not themselves hive files: HKEY_LOCAL_MACHINE and HKEY_USERS are built from several hives loaded from files, while HKEY_CLASSES_ROOT, HKEY_CURRENT_USER and HKEY_CURRENT_CONFIG are links into those two. The Root Keys: HKEY_CLASSES_ROOT, HKEY_LOCAL_MACHINE, HKEY_USERS, HKEY_CURRENT_USER, HKEY_CURRENT_CONFIG.

Mapping Hives to Files. The location of these registry hives (paths relative to %SystemRoot%, normally C:\Windows) is as follows: HKEY_LOCAL_MACHINE\SYSTEM : \System32\config\SYSTEM. HKEY_LOCAL_MACHINE\SAM : \System32\config\SAM. HKEY_LOCAL_MACHINE\SECURITY : \System32\config\SECURITY. HKEY_LOCAL_MACHINE\SOFTWARE : \System32\config\SOFTWARE. HKEY_USERS\<user SID> : NTUSER.DAT in the user’s profile directory (\winnt\profiles\username on NT 4; C:\Users\username\NTUSER.DAT on Vista and later, with the per-user classes hive in AppData\Local\Microsoft\Windows\UsrClass.dat). HKEY_USERS\.DEFAULT : \System32\config\DEFAULT.

Mapping Hives to Files. Registry hives can be composed of more than one file: the primary file (e.g. SYSTEM) plus its transaction logs (SYSTEM.LOG1 and SYSTEM.LOG2 on Vista and later, SYSTEM.LOG on XP/2003), which hold the most recent changes not yet flushed into the primary file. Collect the logs together with the primary file.

Mapping Hives to Files. Some hives are volatile, i.e. built in memory every time the system boots and never written to a hive file: HKEY_LOCAL_MACHINE\HARDWARE and HKEY_LOCAL_MACHINE\SYSTEM\Clone. To get the full list of loaded hives and the files backing them: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist. Registry Backups: Windows by default backs up the hives every 10 days. Backups are done by the scheduled task RegIdleBackup under <System Volume>\Windows\System32\Tasks\Microsoft\Windows\Registry. Backups are stored at <System Volume>\Windows\System32\config\RegBack. Caveat: starting with Windows 10 version 1803 the task still runs but no longer populates RegBack by default, so expect empty files there on recent systems.

Hive File Structure. Registry hive files are organised in 4 KB (0x1000 byte) blocks; a hive always occupies whole blocks. The first block is called the base block (the file header). Hbin and Cell: an hbin is a container for holding cells. It has its own header and signature. The first hbin is found directly after the base block, at file offset 0x1000.

Hive File Structure. Hbin and Cell: a cell is a data container inside an hbin. It contains a key, subkey list, value, or similar record. Each record type has its own signature and data structure: “nk” means a key node, “vk” a value, “lf”/“lh”/“li”/“ri” subkey lists, “sk” a security descriptor.

Hive File Write Operations. Changes are first made in memory. A “lazy write” procedure is used when writing to disk. Before it begins writing to the hive file, Windows updates the first sequence number in the base block; after finishing the write it updates the second sequence number to match. If the two sequence numbers differ in a file you pick up, the last write did not complete and the hive may be inconsistent (the transaction logs hold the missing changes).

Analyzing Raw Hive File Data Using an example forensics2.dat registry file. Start with the first 200 bytes of the base block:

Analyzing Raw Hive File
Offset  Length  Value                           Description
0x0000  4       "regf"                          File signature
0x0004  4       0x00000055                      First sequence number
0x0008  4                                       Second sequence number (compare with the first)
0x000C  8       0x01D048BC17BA58E0              LastWrite time stamp; decodes to Sun, 15 Feb 2015 01:09:48 UTC
0x0014  4       0x00000001                      Major file version, 1
0x0018  4       0x00000003                      Minor file version, 3. So this file format is v1.3
0x0024  4       0x00000020                      Offset of the root key cell, relative to the first hbin
0x0030  64      C:\Users\Forensics2\ntuser.dat  Original file path and name (UTF-16). Despite the name of the file under investigation, the hive was ntuser.dat

Analyzing Raw Hive File. Now let us look at the first hbin. Look at the first 200 bytes after the first 4 KB (4096 bytes, file offset 0x1000), i.e. directly after the base block:

Analyze Raw Hive Files
Offset  Length  Value        Description
0x1000  4       "hbin"       Signature
0x1004  4       0x00000000   Offset of this hbin relative to the first hbin signature. 0 because this is the first hbin in the file
0x1008  4                    Size of the current hbin. Usually 4096 bytes or a multiple thereof
The base block at 0x0024 told us the offset of the root cell in the first hbin is 0x20. Add 0x1000 to get the offset from the start of the hive file: 0x1020.

Analyze Raw Hive Files
Offset  Length  Value                                                  Description
0x1020  4       0xFFFFFF78                                             Cell size, negative. A negative value means the cell is in use. Here -136
0x1024  2       "nk"                                                   nk signature means a key node
0x1026  2       0x002C                                                 Property flags: 00101100 in binary. Set bits mean compressed (ASCII) name (0x20), no-delete (0x08), and hive entry / root key (0x04)
0x1028  8       0x01D048B03FC412EF                                     LastWrite time stamp: Sat, 14 Feb 2015 23:45:01 UTC
0x1034  4       0x0600                                                 Offset of the parent key record. Can be ignored here since this is a root key
0x1038  4       0x0000000B                                             Number of subkeys. Here 11
0x1040  4       0x00011E28                                             Pointer to the list of subkeys under this root key
0x104C  4       0xFFFFFFFF                                             Pointer to the list of values. Here indicates no values under this key
0x106C  2       0x0034                                                 Size of the key name, 52 bytes
0x1070  52      CMI-CreateHive{D43B12BB-09B5-40DB-B4F6-F6DFEB78DAEC}   Name of the root key

Analyze Raw Hive Files. Can conclude this is a root key named CMI-CreateHive{D43B12BB-09B5-40DB-B4F6-F6DFEB78DAEC} in a cell of 136 bytes, and that it contains 11 subkeys and no values. Now to find the names of the subkeys. We know the offset of the subkey list is 0x11E28; like every cell pointer in a hive, it is relative to the start of the first hbin (file offset 0x1000). Add 0x1000 to get the offset in the hive file: 0x12E28.

Analyzing Raw Hive Files (slide consists of a hex dump; not reproduced in the transcript)

Analyzing Hive Files
Offset   Length  Value        Description
0x12E28  4       0xFFFFFFA0   -96: in-use cell of size 96
0x12E2C  2       "lf"         Signature indicating a list of subkeys
0x12E2E  2       0x000B       Number of elements: 11
0x12E30  ---                  Each 8 bytes represents one subkey (11 x 8 = 88 bytes, which with the 8-byte header gives the cell size of 96)

Analyzing Registry Files. For each subkey element, the first 4 bytes are the offset of its nk cell from the beginning of the first hbin, and the last 4 bytes are a name hint: in an “lf” list the first four characters of the subkey name, in an “lh” list a hash of the name (a lookup aid, not a checksum of the data). The offsets: 0x00011DC8, 0x00003C30, 0x00000EB8, 0x00000318, 0x00018BF0, 0x000499F0, 0x0001E2F0, 0x00006820, 0x00006BD8, 0x00000160, 0x00000C60. Add 0x1000 to each for the offset relative to the beginning of the hive, then view the first 100 bytes there. Each offset points to another nk cell with a different name. In each of the new entries the parent cell offset is 0x0020, which is the offset of the first entry named CMI-CreateHive{D43B12BB-09B5-40DB-B4F6-F6DFEB78DAEC}.

Analyzing Hive Files (slide consists of a hex dump; not reproduced in the transcript)

Note: The RLO character. Key and value names are stored as raw bytes (compressed 8-bit ASCII where the name allows it, otherwise UTF-16LE) and Windows does not normalise them. However, tools such as RegEdit are Unicode aware. An attacker can insert the Unicode “right-to-left override” (RLO) control character (U+202E). It causes Unicode-aware applications to reverse the string when displaying it. Consider the string “etadpupg”. Insert the RLO at the beginning. It will appear in RegEdit as “gpupdate”, but the OS thinks the key name is “(U+202E)etadpupg”. Malware authors have used this technique to impersonate legitimate Registry entries. When parsing, compare the raw name bytes, not the rendered string. The RegRipper rlo.pl plugin should detect use of this technique.
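The structures walked through above (base block, hbin header, nk cell, lf subkey list, and the sequence-number check) and the RLO note, carried through as one added Python example. This is not the lecture's code: it builds a small synthetic hive in memory using the same field offsets as the slides, then parses it. The key names, the file name and the sample hive itself are constructed for the example; the base-block timestamp is the one decoded on the slides.

```python
import struct
from datetime import datetime, timedelta, timezone

HBIN_BASE = 0x1000          # file offset of the first hbin; all cell pointers are relative to it
RLO = "\u202e"              # Unicode RIGHT-TO-LEFT OVERRIDE
KEY_COMP_NAME = 0x0020      # nk flag: name stored as 8-bit "compressed" ASCII, else UTF-16LE

# nk record after the 4-byte cell size: sig, flags, timestamp, then 15 dwords (access bits,
# parent, subkey count, volatile subkey count, subkey list, volatile list, value count,
# value list, security, class, 4 max-length fields, workvar), then name and class lengths.
NK_FMT = "<2sHQ" + "I" * 15 + "HH"
NK_SIZE = struct.calcsize(NK_FMT)      # 76 bytes, so the name starts at cell+0x4C as on the slide


def filetime_to_datetime(ft: int) -> datetime:
    """Decode a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def base_block_checksum(block: bytes) -> int:
    """XOR of the 127 dwords before the checksum field at 0x1FC (0 and -1 are remapped)."""
    cs = 0
    for (dw,) in struct.iter_unpack("<I", block[:0x1FC]):
        cs ^= dw
    return 1 if cs == 0 else 0xFFFFFFFE if cs == 0xFFFFFFFF else cs


def parse_base_block(data: bytes) -> dict:
    if data[:4] != b"regf":
        raise ValueError("not a regf hive")
    seq1, seq2 = struct.unpack_from("<II", data, 0x04)
    (ts,) = struct.unpack_from("<Q", data, 0x0C)
    major, minor = struct.unpack_from("<II", data, 0x14)
    (root_off,) = struct.unpack_from("<I", data, 0x24)
    (stored_cs,) = struct.unpack_from("<I", data, 0x1FC)
    return {"seq1": seq1, "seq2": seq2,
            "dirty": seq1 != seq2,               # mismatch: the last write did not complete
            "version": f"{major}.{minor}",
            "lastwrite": filetime_to_datetime(ts),
            "root_cell": root_off,               # relative to the first hbin
            "filename": data[0x30:0x70].decode("utf-16-le").rstrip("\0"),
            "checksum_ok": stored_cs == base_block_checksum(data)}


def read_cell(data: bytes, off: int) -> tuple[bool, bytes]:
    """Return (allocated, payload) for the cell at hbin-relative offset `off`; negative size = in use."""
    pos = HBIN_BASE + off
    (size,) = struct.unpack_from("<i", data, pos)
    return size < 0, data[pos + 4: pos + abs(size)]


def parse_nk(data: bytes, off: int) -> dict:
    allocated, cell = read_cell(data, off)
    f = struct.unpack_from(NK_FMT, cell)
    if f[0] != b"nk":
        raise ValueError(f"expected nk cell at {off:#x}, got {f[0]!r}")
    flags, ts, parent, nsub, sublist, nval, vallist, namelen = f[1], f[2], f[4], f[5], f[7], f[9], f[10], f[18]
    raw = cell[NK_SIZE: NK_SIZE + namelen]
    name = raw.decode("latin-1") if flags & KEY_COMP_NAME else raw.decode("utf-16-le")
    return {"offset": off, "allocated": allocated, "flags": flags, "lastwrite": filetime_to_datetime(ts),
            "parent": parent, "subkey_count": nsub, "subkey_list": sublist,
            "value_count": nval, "value_list": vallist, "name": name, "has_rlo": RLO in name}


def subkey_offsets(data: bytes, off: int) -> list[int]:
    """Walk an lf/lh/li/ri subkey list cell and return the nk offsets it references."""
    _, cell = read_cell(data, off)
    sig, count = struct.unpack_from("<2sH", cell)
    if sig in (b"lf", b"lh"):      # 8-byte elements: offset + name hint (lf) or hash (lh)
        return [struct.unpack_from("<I", cell, 4 + 8 * i)[0] for i in range(count)]
    if sig == b"li":               # 4-byte elements: offset only
        return [struct.unpack_from("<I", cell, 4 + 4 * i)[0] for i in range(count)]
    if sig == b"ri":               # list of lists
        subs = [struct.unpack_from("<I", cell, 4 + 4 * i)[0] for i in range(count)]
        return [o for s in subs for o in subkey_offsets(data, s)]
    raise ValueError(f"unknown subkey list signature {sig!r}")


def walk_keys(data: bytes) -> list[dict]:
    """Depth-first list of every key reachable from the root, with its full path."""
    out = []

    def visit(off, path):
        nk = parse_nk(data, off)
        nk["path"] = path + "\\" + nk["name"] if path else nk["name"]
        out.append(nk)
        if nk["subkey_count"]:
            for child in subkey_offsets(data, nk["subkey_list"]):
                visit(child, nk["path"])
    visit(parse_base_block(data)["root_cell"], "")
    return out


def rlo_keys(data: bytes) -> list[str]:
    """Paths of keys whose raw name contains U+202E (would render reversed in RegEdit)."""
    return [k["path"] for k in walk_keys(data) if k["has_rlo"]]


# ---- constructed sample hive (not a real file) -------------------------------------------
def _cell(payload: bytes) -> bytes:
    size = (4 + len(payload) + 7) & ~7                   # cells are 8-byte aligned
    return struct.pack("<i", -size) + payload.ljust(size - 4, b"\0")


def _nk(flags: int, ts: int, parent: int, nsub: int, sublist: int, name: str) -> bytes:
    raw = name.encode("latin-1") if flags & KEY_COMP_NAME else name.encode("utf-16-le")
    return struct.pack(NK_FMT, b"nk", flags, ts, 0, parent, nsub, 0, sublist, 0xFFFFFFFF, 0,
                       0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0, 0, 0, 0, 0, len(raw), 0) + raw


def build_sample_hive() -> bytes:
    ts = 0x01D048BC17BA58E0                              # the timestamp decoded on the slides
    root_off, lf_off, run_off, rlo_off = 0x20, 0x78, 0x90, 0xE8   # cell offsets within the hbin
    cells = b"".join([
        _cell(_nk(0x2C, ts, 0, 2, lf_off, "ROOT")),     # 0x2C = comp name | no delete | hive entry
        _cell(b"lf" + struct.pack("<H", 2) + struct.pack("<I", run_off) + b"Run\0"
              + struct.pack("<I", rlo_off) + b"?eta"),   # offset + 4-char name hint per element
        _cell(_nk(0x20, ts, root_off, 0, 0xFFFFFFFF, "Run")),
        _cell(_nk(0x00, ts, root_off, 0, 0xFFFFFFFF, RLO + "etadpupg")),  # shows as "gpupdate"
    ])
    hdr = struct.pack("<4sIIQQI", b"hbin", 0, 0x1000, 0, ts, 0)
    free = struct.pack("<i", 0x1000 - len(hdr) - len(cells)).ljust(0x1000 - len(hdr) - len(cells), b"\0")
    base = bytearray(0x1000)
    struct.pack_into("<4sIIQIIIIIII", base, 0, b"regf", 0x55, 0x55, ts, 1, 3, 0, 1, root_off, 0x1000, 1)
    base[0x30:0x70] = "C:\\Users\\Forensics2\\ntuser.dat".encode("utf-16-le").ljust(64, b"\0")
    struct.pack_into("<I", base, 0x1FC, base_block_checksum(bytes(base)))
    return bytes(base) + hdr + cells + free
```

Running `walk_keys(build_sample_hive())` yields the root, "Run" and the RLO-prefixed key, and `rlo_keys` returns only the last one; flipping a byte of the second sequence number makes `parse_base_block` report the hive as dirty. Against a real NTUSER.DAT the same functions apply, but expect "lh" lists on Vista and later, "ri" lists for very large keys, and unallocated (positive-size) cells whose stale nk records are what deleted-key recovery tools carve.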

Recovering Registry Files. Linux Dead Box Forensics - obtain the Registry files from the image: mount the image read-only and copy the registry files (primary files and their .LOG1/.LOG2 transaction logs); or extract them without mounting using The Sleuth Kit (fls to locate the files, icat to extract them by inode). Alternatively, browse them on a live Windows system.

RegEdit. Built-in Windows tool. GUI. Useful for browsing through the registry. Requires a live box. Runs natively in the OS and is designed for editing, so it carries risks for forensic integrity.

RegistryRipper (RegRipper). Cross-platform open source tool. Perl based. Command line and GUI options. Supports plug-ins. Can run against an entire set of hives or a specific hive file. Not a browser. Not suited to analyzing live systems: it parses extracted hive files, which are locked on a running box. Download from: https://github.com/keydet89/RegRipper2.8

RegistryRipper (slide consists of a screenshot; not reproduced in the transcript)

Windows Sysinternals. Suite used to troubleshoot Windows systems. Meant for live systems, but some tools can work against offline systems (Autoruns, for example, can analyze an offline system’s hives via File > Analyze Offline System). Some of the tools can be run as an administrator in Linux under WINE. Available at https://docs.microsoft.com/en-us/sysinternals/

MiTeC Windows Registry Recovery. Registry viewing program for extracted hive files. Has options to filter the registry by task, such as start-up entries or user data. Can be run in Linux under WINE. Available from: http://www.mitec.cz/wrr.html

Questions?