Registry Analysis Using regedit.exe –System Information –Autostart locations –USB Removable Storage Devices –Mounted Devices –Finding Users –User Activity.

Presentation transcript:

Registry Analysis Using regedit.exe: System Information, Autostart locations, USB Removable Storage Devices, Mounted Devices, Finding Users, User Activity, Restore Points.

System Information: located in the Current Control Set. If the system is not active (you are examining an offline hive), you must first find the Control Set that was current. Items of interest: time zone, shares, audit policy, wireless SSIDs.

Current Control Set: CurrentControlSet is a volatile portion of the Registry, so an offline hive only has the numbered ControlSet00x keys. Which of the two or more Control Sets was current? The Current value under HKLM\SYSTEM\Select indicates it; in the slide's example it shows that #1 (ControlSet001) is current.

Time Zone Information SYSTEM\ControlSet001\Control\TimeZoneInformation

Computer Name HKLM\SYSTEM\ControlSet001\Control\ComputerName\ComputerName

Shutdown Time: HKLM\SYSTEM\CurrentControlSet\Control\Windows (HKLM\SYSTEM\ControlSet001\Control\Windows in an offline hive). Time is measured as the number of 100-nanosecond intervals since 1 January 1601 (the Windows FILETIME format, stored as 8 little-endian bytes).
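The conversion described above, as an added example that is not part of the original slides: it takes the byte listing regedit shows for the ShutdownTime value and turns the FILETIME into a UTC timestamp. The sample bytes are constructed.

```python
# Added example, not from the slides: decode the REG_BINARY ShutdownTime value
# under ...\Control\Windows. The data is a Windows FILETIME, an unsigned 64-bit
# little-endian count of 100-nanosecond ticks since 1601-01-01 00:00 UTC.
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_regedit_hex(text: str) -> bytes:
    """Turn the byte listing regedit shows (e.g. '00 00 d0 39 ...') into bytes."""
    return bytes(int(b, 16) for b in text.replace(",", " ").split())


def filetime_to_datetime(raw: bytes) -> datetime:
    """Convert an 8-byte little-endian FILETIME to an aware UTC datetime."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be 8 bytes, got %d" % len(raw))
    (ticks,) = struct.unpack("<Q", raw)        # "<Q": little-endian uint64
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def decode_shutdown_time(hex_text: str) -> str:
    """ISO-8601 UTC timestamp for a ShutdownTime value copied from regedit."""
    return filetime_to_datetime(parse_regedit_hex(hex_text)).isoformat()


# Constructed sample value; it decodes to 2009-06-15T00:00:00+00:00.
SAMPLE_SHUTDOWN_TIME = "00 00 d0 39 4c ed c9 01"

if __name__ == "__main__":
    print(decode_shutdown_time(SAMPLE_SHUTDOWN_TIME))
```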

Shares: Windows 2K, XP, 2003, and Vista create a number of administrative shares: IPC$ (the IPC share), ADMIN$, and shares that refer to the root of drives (C$, D$, etc.). User-enabled shares show up in HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares.

Wireless SSIDs: XP laptops maintain a list of service set IDs. The GUID is associated with the wireless interface; under it, the Static#000x values list all of the SSIDs connected to.

SSIDs A different Static#000x for each SSID ever connected to.

SSID Registry Entry: at offset 0x10 is a DWORD (4 bytes) that contains the length of the SSID; remember it is little-endian. In the slide's example the length bytes begin "0b", i.e. 0x0b = 11, the SSID length, and the SSID bytes follow the length field.
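A parser for the layout just described, added here as an example rather than taken from the slides: a little-endian DWORD length at offset 0x10 followed by the SSID bytes. The sample value is constructed to that layout and its 16-byte header is filler, not the real Wireless Zero Configuration structure.

```python
# Added example, not from the slides: parse a Static#000x SSID value as the
# slide describes it, a little-endian DWORD length at offset 0x10 followed by
# the SSID bytes. The sample is constructed; the 16-byte header is filler.
import struct

LENGTH_OFFSET = 0x10          # where the SSID length DWORD sits
SSID_OFFSET = LENGTH_OFFSET + 4
MAX_SSID_LEN = 32             # 802.11 limit; anything larger is a parse error


def parse_static_ssid(blob: bytes) -> str:
    """Return the SSID string stored in one Static#000x registry value."""
    if len(blob) < SSID_OFFSET:
        raise ValueError("value too short to hold a length DWORD at 0x10")
    (length,) = struct.unpack_from("<I", blob, LENGTH_OFFSET)  # little endian
    if length > MAX_SSID_LEN:
        raise ValueError("SSID length %d exceeds the 802.11 maximum" % length)
    ssid = blob[SSID_OFFSET:SSID_OFFSET + length]
    if len(ssid) != length:
        raise ValueError("value truncated: expected %d SSID bytes" % length)
    return ssid.decode("utf-8", errors="replace")


# Constructed sample: filler header, length 0x0b (11) little-endian, then SSID.
SAMPLE_STATIC_0001 = bytes(16) + b"\x0b\x00\x00\x00" + b"CoffeeShop1"

if __name__ == "__main__":
    print(parse_static_ssid(SAMPLE_STATIC_0001))
```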

Autostarts: applications that are launched without any interaction from the user, often at boot time, occasionally upon launch of an app.

Autostart Locations: auto-start extensibility points (ASEPs) are Registry locations such as HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and elsewhere, all over the place.

Autostart Locations: Start -> Run -> msconfig lists some of the acknowledged startups.

Startup Locations

Other Startup Locations: system boot, user login, user activity. See Carvey's Ch4 spreadsheet for more locations.

System boot: startup services at boot time are contained in HKLM\SYSTEM\CurrentControlSet\Services. The services are enumerated with parameters. They should be sorted by LastWriteTime, which is only possible in FTK or ProDiscover (regedit does not display a key's LastWrite time).

ControlSet\Services

Boot Time Apps: Start value = 2, the app starts at boot time. Start value != 2, it starts on user logon.

Evil Start Time Services: generally LastWrite times should be about the same time the system was built. Later dates would suggest that an intruder or sysadmin was altering the boot time sequence.
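The triage the last two slides describe, as an added example (not from the slides): filter the Services subkeys on Start == 2, order them by LastWriteTime and flag those written long after the build date. The service export and build date are constructed; on a real case the LastWriteTime column comes from a hive parser, not regedit.

```python
# Added example, not from the slides: triage HKLM\SYSTEM\CurrentControlSet\Services
# as the slides describe. Start == 2 marks a service started at boot; sorting by
# the key's LastWriteTime and comparing it with the build date surfaces entries
# altered long after the system was built. The export below is constructed.
from datetime import datetime, timedelta, timezone

BUILD_TIME = datetime(2008, 3, 2, 9, 0, tzinfo=timezone.utc)   # constructed

# Constructed sample: one dict per Services\<name> subkey.
SERVICES = [
    {"name": "Dhcp", "Start": 2, "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
     "LastWriteTime": datetime(2008, 3, 2, 9, 14, tzinfo=timezone.utc)},
    {"name": "Spooler", "Start": 3, "ImagePath": r"%SystemRoot%\system32\spoolsv.exe",
     "LastWriteTime": datetime(2008, 3, 2, 9, 14, tzinfo=timezone.utc)},
    {"name": "wuauserv", "Start": 2, "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
     "LastWriteTime": datetime(2008, 3, 2, 9, 15, tzinfo=timezone.utc)},
    {"name": "msupd8r", "Start": 2, "ImagePath": r"C:\WINDOWS\Temp\msupd8r.exe",
     "LastWriteTime": datetime(2009, 6, 14, 23, 58, tzinfo=timezone.utc)},
]


def boot_start_services(services):
    """Services with Start == 2, ordered by LastWriteTime (oldest first)."""
    return sorted((s for s in services if s["Start"] == 2),
                  key=lambda s: s["LastWriteTime"])


def late_boot_services(services, build_time, window=timedelta(days=30)):
    """Names of boot-start services written more than `window` after the build."""
    return [s["name"] for s in boot_start_services(services)
            if s["LastWriteTime"] - build_time > window]


if __name__ == "__main__":
    for s in boot_start_services(SERVICES):
        print(s["LastWriteTime"].isoformat(), s["name"], s["ImagePath"])
    print("review first:", late_boot_services(SERVICES, BUILD_TIME))
```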

User Login: startup keys are parsed in this order when a user logs in:
1. HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
2. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
3. HKLM\Software\Microsoft\Windows\CurrentVersion\Run
4. HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Windows\Run
5. HKCU\Software\Microsoft\Windows\CurrentVersion\Windows\Run
6. HKCU\Software\Microsoft\Windows\CurrentVersion\Windows\RunOnce
The Run keys are ignored if the system is started in Safe Mode.

#3 On the Startup List

User Activity: on user action certain registry keys are accessed. The keys for the different classes of files control what happens when a file of that class is opened or double-clicked.

Example: go to HKLM\Software\Microsoft\CommandProcessor\AutoRun, right-click on AutoRun, select Modify and enter sol.exe in the "Value data:" field. Then Start -> Run -> cmd.exe. This is how one can modify application behavior; it is used by much malware to launch backdoors or an IRC bot.

AutoRuns from Sysinternals

Hijacked App

USB Devices Tracking USB devices When mounted on Windows they leave Footprints in the Registry Artifacts in the setupapi.log file The PnP Manager queries the device descriptor Located in the thumb drive’s firmware Log updated Creates a Registry Key in HKLM\System\CurrentControlSet\Enum\USBSTOR

USBSTOR Key

Device Held ID: CdRom&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_6.61. Manufacturer (Ven_), Model (Prod_) and Version (Rev_) together form the device class ID; the subkey beneath it is the Unique Instance ID, i.e. the serial number.

System Created Key: Disk&Ven_JMTek&Prod_USBDrive&Rev_7.77. Manufacturer, Model and Version form the device class ID; the Unique Instance ID beneath it is not a serial number but was made up by the system.

Device Information: HKLM\SYSTEM\MountedDevices holds the list of recently mounted devices. Look down the list for the \DosDevices\ entries. The REG_BINARY data field should start with 5C 00 3F 00 3F 00 (the string "\??" in UTF-16LE). To find which device this is, right-click on the device and select Modify.

USBSTOR: ParentIdPrefix, Unique Instance ID, Serial Number.

USB Devices Tracking: by correlating the ParentIdPrefix from MountedDevices and USBSTOR one can generate a timeline. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 may give more information.

Mounted Devices

Binary Data in \DosDevices\G: the ParentIdPrefix in it matches the Kingston Traveler in the USBSTOR key.
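The correlation the last few slides walk through, as an added example that is not part of the original presentation: decode a \DosDevices\ value (which is why it starts with 5C 00 3F 00 3F 00), pull out its ParentIdPrefix, match it against USBSTOR entries, and tell a real serial number from a system-generated instance ID. All registry data in it is constructed; the USBSTOR\<class ID>\<instance ID> layout follows the slides.

```python
# Added example, not from the slides: decode a \DosDevices\<letter> value from
# HKLM\SYSTEM\MountedDevices and correlate its ParentIdPrefix with USBSTOR.
# The REG_BINARY data is a UTF-16LE string, hence the 5C 00 3F 00 3F 00 ("\??")
# start. All registry data below is constructed.
import re

# Constructed: the REG_BINARY data of MountedDevices\\DosDevices\G:
DOSDEVICES_G = ("\\??\\STORAGE#RemovableMedia#7&1a2b3c4d&0&RM"
                "#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le")

# Constructed: (device class ID, unique instance ID) -> ParentIdPrefix value,
# i.e. USBSTOR\<class ID>\<instance ID> and the ParentIdPrefix stored under it.
USBSTOR = {
    ("Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00", "0019E06B12C4A8B0C7F0&0"): "7&1a2b3c4d&0",
    ("Disk&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_6.61", "0000161511737F7B&0"): "7&2e4f6a8c&0",
    ("Disk&Ven_JMTek&Prod_USBDrive&Rev_7.77", "6&2ef1a9b3&0"): "7&39c0d2e1&0",
}

UTF16_PREFIX = b"\x5c\x00\x3f\x00\x3f\x00"                 # "\??" in UTF-16LE
PARENT_RE = re.compile(r"#RemovableMedia#(?P<p>[0-9a-f]+&[0-9a-f]+&\d+)&RM#", re.I)


def decode_mounted_device(raw: bytes) -> str:
    """UTF-16LE decode of a \\DosDevices\\ value, checking the \\?? marker."""
    if not raw.startswith(UTF16_PREFIX):
        raise ValueError("not a \\??\\ path: expected 5C 00 3F 00 3F 00")
    return raw.decode("utf-16-le")

def parent_id_prefix(raw: bytes):
    """ParentIdPrefix embedded in the device path, or None for non-USB entries."""
    m = PARENT_RE.search(decode_mounted_device(raw))
    return m.group("p") if m else None

def is_system_generated_id(instance_id: str) -> bool:
    """Instance IDs whose second character is '&' were made up by Windows
    because the device reported no serial number."""
    return len(instance_id) > 1 and instance_id[1] == "&"

def match_usbstor(raw: bytes, usbstor):
    """(class ID, instance ID) pairs in USBSTOR sharing the value's ParentIdPrefix."""
    prefix = parent_id_prefix(raw)
    return [key for key, p in usbstor.items() if p == prefix]

if __name__ == "__main__":
    for cls, inst in match_usbstor(DOSDEVICES_G, USBSTOR):
        print(cls, inst, "(no serial)" if is_system_generated_id(inst) else "")
```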

Research Topic, USB devices: some USB devices have a device ID, others do not; some generate a ParentIdPrefix, others do not; some correlate to the MountedDevices ID, others do not. Sort it out, using references to the Microsoft Knowledge Base.