Windows™ Forensics
An Examination of the Windows™ Registry
The Windows Registry
The Windows Registry defies easy description. It acts as a “central repository” for user information and system information. Parts are stored in files and parts are generated on the fly.
Windows Registry (technical)
The registry is a persistent storage mechanism for system and user settings that is accessed through Windows API calls against the HKEY root keys. This is not entirely useful as a starting definition.
Registry Hives (the root keys as seen in regedit)
HKEY_LOCAL_MACHINE (HKLM)
HKEY_CURRENT_CONFIG (HKCC)
HKEY_CLASSES_ROOT (HKCR)
HKEY_CURRENT_USER (HKCU)*
HKEY_USERS (HKU)
*HKCU is actually a symbolic link to the subkey of HKU (named by SID) for the user currently logged on.
Registry File Locations
%SystemRoot%\System32\config\...
SAM: Security Accounts Manager, contains the password hashes for local users and groups
SYSTEM: system configuration details, including USB storage mappings
SECURITY: security policy and permissions
SOFTWARE: installed programs and settings
\Users\%user%\NTUSER.DAT: user data and protected storage
HKLM\SYSTEM\CurrentControlSet\Control\hivelist
Lists all the hives loaded on the running system, with the file each was loaded from.
Volatile sub-keys: some keys within a hive are composed at boot time and do not exist on disk, for example HKLM\HARDWARE and HKLM\SYSTEM\Clone.
Why Do We Locate the Files?
Reason for the question: on a running system Windows loads these files as hives that can only be accessed through regedit or a similar program, so why not just use the hive names?
Answer: static forensics lets us access these protected files directly, from an image or a copy, without going through the running system's API.
%Root%\System32\Config\SAM (logon password hashes)
No extension, just the file “SAM”. This file is usually extracted for password cracking. It cannot be copied with ordinary file operations on a running system because the kernel holds it open, but it can be copied using other tools.
%Root%\System32\Config\SYSTEM
MountedDevices: drive letter mappings of current and previously attached storage devices.
USBSTOR: current and previously attached USB storage devices, keyed by serial number or a system-generated ID.
Many, many other system configuration variables.
This file is invaluable in intellectual property theft cases.
Mounted Device
Storage media that is assigned a drive letter in a Windows system is considered a mounted device. Note: drive letters may change, either by user action (Disk Management) or through mounting and unmounting devices in a different order.
Device Signature
This value is found on a storage device with an MBR (Master Boot Record), e.g. an NTFS-formatted disk partitioned with an MBR; it is the 4-byte disk signature stored at offset 0x1B8 (bytes 440 to 443) of sector 0. GPT-partitioned disks carry a GUID instead. Example: 6a bb 6a bb
The same value can also be found in the SYSTEM registry file, under the MountedDevices key, where it is associated with a mounted device. Example: 6a bb 6a bb is C:\
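The correlation described on the Device Signature slides, as an added example that is not part of the original deck: read the 4-byte signature from sector 0 of the disk, then find the drive letter whose MountedDevices value carries the same signature. The 12-byte layout (signature plus 8-byte partition offset) is the documented format for fixed MBR volumes; the MBR bytes and the MountedDevices entries below are constructed sample data, not values from a real case.

```python
"""Added example: tie an MBR disk signature to a drive letter in MountedDevices.

Sample data below is constructed for illustration; it is not from any real case.
"""
import struct

MBR_SIGNATURE_OFFSET = 0x1B8       # disk signature: bytes 440..443 of sector 0
MBR_BOOT_MARKER = b"\x55\xaa"      # bytes 510..511 of a valid MBR


def mbr_signature(mbr: bytes) -> bytes:
    """Return the 4-byte disk signature from a raw MBR (sector 0 of the disk)."""
    if len(mbr) < 512 or bytes(mbr[510:512]) != MBR_BOOT_MARKER:
        raise ValueError("not an MBR: missing 55 AA marker")
    return bytes(mbr[MBR_SIGNATURE_OFFSET:MBR_SIGNATURE_OFFSET + 4])


def hexdump(data: bytes) -> str:
    """Render bytes the way the slides show them, e.g. '6a bb 6a bb'."""
    return " ".join(f"{b:02x}" for b in data)


def parse_mounted_device(value: bytes) -> dict:
    """Decode one REG_BINARY value under HKLM\\SYSTEM\\MountedDevices.

    Fixed (MBR) volumes: 12 bytes = 4-byte disk signature + 8-byte little-endian
    byte offset of the partition on that disk.  Other volumes (USB removable
    media, CD-ROM, GPT) hold a UTF-16LE device path instead.
    """
    if len(value) == 12:
        signature = value[:4]
        partition_offset = struct.unpack_from("<Q", value, 4)[0]
        return {"kind": "mbr", "signature": hexdump(signature),
                "partition_offset": partition_offset}
    path = value.decode("utf-16-le", errors="replace").rstrip("\x00")
    return {"kind": "path", "path": path}


def drive_letters_for_signature(mounted: dict, signature: bytes) -> list:
    """List the drive letters whose MountedDevices entry carries `signature`."""
    wanted = hexdump(signature)
    letters = []
    for name, value in mounted.items():
        if not name.startswith("\\DosDevices\\"):
            continue                       # \??\Volume{...} entries repeat the same data
        parsed = parse_mounted_device(value)
        if parsed["kind"] == "mbr" and parsed["signature"] == wanted:
            letters.append(name.rsplit("\\", 1)[1])
    return sorted(letters)


# --- constructed sample input (not real evidence) -------------------------
SAMPLE_MBR = bytearray(512)
SAMPLE_MBR[MBR_SIGNATURE_OFFSET:MBR_SIGNATURE_OFFSET + 4] = bytes.fromhex("6abb6abb")
SAMPLE_MBR[510:512] = MBR_BOOT_MARKER

SAMPLE_MOUNTED_DEVICES = {
    # signature 6a bb 6a bb, first partition starting at byte 32256 (sector 63)
    "\\DosDevices\\C:": bytes.fromhex("6abb6abb") + struct.pack("<Q", 32256),
    "\\??\\Volume{3f1a2b4c-0000-0000-0000-100000000000}":
        bytes.fromhex("6abb6abb") + struct.pack("<Q", 32256),
    # a removable USB volume: UTF-16LE device path carrying the ParentIdPrefix 7&2a1b3c4d&0
    "\\DosDevices\\E:": (
        "\\??\\STORAGE#RemovableMedia#7&2a1b3c4d&0&RM#"
        "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le"),
}

if __name__ == "__main__":
    sig = mbr_signature(SAMPLE_MBR)
    print("MBR signature:", hexdump(sig))
    print("mapped to:", drive_letters_for_signature(SAMPLE_MOUNTED_DEVICES, sig))
    for name, value in SAMPLE_MOUNTED_DEVICES.items():
        print(name, "->", parse_mounted_device(value))
```

On a real image, feed `mbr_signature` the first 512 bytes of the physical disk and `parse_mounted_device` the raw values exported from the SYSTEM hive; a signature that appears in the hive but on none of the imaged disks points to a disk that is no longer present.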
\Users\%User%\NTUSER.DAT
This file is altered when a user logs on, and sometimes in normal use. Contains a user name that can be matched to a SID (Security Identifier). Holds the UserAssist key (programs activated).
Forensic Value in the Registry: Last logged-on user
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon: the DefaultUserName value records the account that last logged onto the system.
Last key edited by RegEdit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit: the LastKey value records the last key the user had open in regedit, one way to detect interactive registry manipulation.
Registry Forensics
Cookbooks and procedures that require examination of particular registry keys are not supported in sound forensic practice. Any policy that specifies a particular procedure will only serve to bind the examiner and may be used against him or her. Such locations may change with new versions of Windows, or may not be present or useful if the system has been altered.
Forensic Value in the Registry: Attached Devices
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB: list of installed USB devices
USB Storage: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR: external storage used to bring files to a system or remove them
Entries for each unique device are stored under their unique serial number. The ParentIdPrefix identifies the device instance and can be associated with a storage volume through MountedDevices. Windows writes a device class entry that can be checked against setupapi.dev.log to determine the first connection for that CLASS of device. If there is one instance of the device, that will be it. If there are multiple instances of the same device type, it will only tell the first date. More on the class entry below.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\ creates a class entry (Disk&Ven_...&Prod_...&Rev_...) to identify the driver. Within this key, it creates unique instances based on the serial number reported by the USB device, or a system-generated value when the device reports none. If the unique ID has an ampersand (&) as the second character, it indicates a system-generated value. The serial number comes from the Device Descriptor reported by the USB device. It can be read with UVCView (see 1, below), but will not be imaged during normal forensic acquisition. I have confirmed that the system-generated value changes with each system and that serial numbers from the USB controller are stable, but not completely reliable. Serial numbers can easily be reprogrammed, but it is unlikely to happen by accident (see 2, below).

Over the years, I have found that many USB devices are programmed with a non-unique serial number (especially the cheap ones that DoJ provided from China). I had a class of LEOs try at least 30 from one run DoJ distributed and found all had the same serial number. Name-brand devices have always had unique numbers in my experience. Counterfeits with altered drive sizes tend to have the same serial number too, according to the Web and my 2 cases involving that issue.

You can match the unique instance to the mounted volume using the ParentIdPrefix by drilling down in the control set (HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses). The disk device-interface GUID {53f56307-b6bf-11d0-94f2-00a0c91efb8b} identifies the class entry (the key that contained several unique devices of one type, i.e. using one driver) after the Friendly Name. The volume device-interface GUID {53f5630d-b6bf-11d0-94f2-00a0c91efb8b} identifies the ParentIdPrefix. The last-write dates of the GUID keys tell the last attached time.

FOOTNOTES
1. There is a utility called UVCView from Microsoft that allows you to read the Device Descriptor of a USB device (see
2. For a good reference on USB serial numbers and reliability, see
Windows 7 changed this a little with Compatible IDs; see
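The instance-ID rule and the ParentIdPrefix join described in the notes above, as an added example that is not part of the original deck. It walks a USBSTOR subtree and a MountedDevices table (both constructed here to mirror the key layout in the notes; the vendor names, serials and drive letters are illustrative, not from a real case), flags system-generated IDs by the ampersand-in-second-position rule, and resolves each device to drive letters using the ParentIdPrefix (Windows XP volume paths) or the instance ID itself (Vista and later volume paths).

```python
"""Added example: classify USBSTOR instance IDs and match them to drive letters.

The registry data below is constructed to mirror the key layout described in
the notes; vendor names, serials and drive letters are illustrative.
"""
import re

CLASS_KEY_RE = re.compile(
    r"^Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>.*)$")


def is_system_generated(instance_id: str) -> bool:
    """'&' as the second character marks an ID Windows made up because the device
    reported no serial (e.g. '7&1f3e5d7c&0'); otherwise the text before the
    final '&N' is the serial from the device's USB Device Descriptor."""
    return len(instance_id) > 1 and instance_id[1] == "&"


def serial_from_instance_id(instance_id: str):
    """Return the device-reported serial, or None for a system-generated ID."""
    if is_system_generated(instance_id):
        return None
    return instance_id.rsplit("&", 1)[0]


def drive_letters_for(mounted: dict, *needles: str) -> list:
    """Drive letters whose MountedDevices path contains any non-empty needle.

    XP volume paths carry the ParentIdPrefix:
        \\??\\STORAGE#RemovableMedia#<ParentIdPrefix>&RM#{...}
    Vista and later carry the USBSTOR instance ID itself:
        \\??\\USBSTOR#Disk&Ven_...&Rev_...#<instance id>#{...}
    Matching is case-insensitive because the hive mixes cases freely.
    """
    letters = []
    for name, path in mounted.items():
        if not name.startswith("\\DosDevices\\"):
            continue
        if any(n and n.lower() in path.lower() for n in needles):
            letters.append(name.rsplit("\\", 1)[1])
    return sorted(letters)


def correlate_usbstor(usbstor: dict, mounted: dict) -> list:
    """Walk Enum\\USBSTOR\\<class>\\<instance> and join each device to its letters."""
    records = []
    for class_key, instances in usbstor.items():
        m = CLASS_KEY_RE.match(class_key)
        if not m:
            continue                  # not a disk-class entry (e.g. CdRom&Ven_...)
        for instance_id, values in instances.items():
            records.append({
                **m.groupdict(),
                "instance_id": instance_id,
                "serial": serial_from_instance_id(instance_id),
                "system_generated": is_system_generated(instance_id),
                "friendly_name": values.get("FriendlyName"),
                "drive_letters": drive_letters_for(
                    mounted, values.get("ParentIdPrefix", ""), instance_id),
            })
    return records


# --- constructed sample input (not real evidence) -------------------------
SAMPLE_USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02": {
        "4C530001234567891234&0": {"ParentIdPrefix": "7&2a1b3c4d&0",
                                   "FriendlyName": "SanDisk Cruzer USB Device"},
    },
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": {
        # device reported no serial: Windows generated '7&1f3e5d7c&0'
        "7&1f3e5d7c&0": {"ParentIdPrefix": "7&3b4c5d6e&0",
                         "FriendlyName": "Generic Flash Disk USB Device"},
    },
    "Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP": {
        # Vista+ style entry: no ParentIdPrefix, the instance ID is used directly
        "001CC0EC34C1BB41&0": {"FriendlyName": "Kingston DataTraveler USB Device"},
    },
}
SAMPLE_MOUNTED_DEVICES = {   # string-valued entries only; fixed-disk binaries omitted
    "\\DosDevices\\E:": "\\??\\STORAGE#RemovableMedia#7&2a1b3c4d&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
    "\\DosDevices\\F:": "\\??\\STORAGE#RemovableMedia#7&3b4c5d6e&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
    "\\DosDevices\\G:": "\\??\\USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP#001CC0EC34C1BB41&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}",
    "\\??\\Volume{9c3e0d1a-4b2f-11df-9a6e-806e6f6e6963}": "\\??\\STORAGE#RemovableMedia#7&2a1b3c4d&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
}

if __name__ == "__main__":
    for rec in correlate_usbstor(SAMPLE_USBSTOR, SAMPLE_MOUNTED_DEVICES):
        print(rec)
```

A system-generated ID (serial `None`) cannot be used to tie the device to another machine, which is exactly the limitation the notes describe; a device-reported serial can, but only with the caveat that cheap and counterfeit devices may share one.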
UVCView (screenshot)
Firewire
IEEE 1394 is less useful because it does not register unique IDs.
Forensic Value in the Registry: User Assist Key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist: per-user record of programs and shortcuts launched through the shell
User Assist Key
This is an obfuscated registry entry that tracks use of the user interface, for example programs started through Windows Explorer.
Spotting User Assist Information
HRZR_EHACNGU = UEME_RUNPATH. User Assist entries are obfuscated with ROT-13.
Example: an early session shows driver installation (UEME_CTLSESSION entry referencing the Intel Mobile chipset driver).
Example: a later entry shows the use of the ntbackup utility run from the E:\ drive (an external device).
Working with Registry Files
Many applications that store information in the registry do not write it until they are closed, so a live system may not yet show the most recent activity.
Users cannot access certain registry files while the system is running (for example SAM). “Live” forensic tools can copy the SAM using the registry API (RegSaveKey, which is what reg save HKLM\SAM does) rather than the File System Object.
It is functionally impossible to enumerate all areas of the registry of forensic interest. The nature of the investigation and a basic knowledge of the registry contents may suggest the most productive areas to explore.
Logs
Event logs: C:\Windows\System32\config (.evt files, Windows XP/2003) or C:\Windows\System32\winevt\Logs (.evtx files, Vista and later). The .evt and .evtx files are the system logs.
SetupAPI device log: C:\Windows\inf\setupapi.dev.log (Windows XP writes C:\Windows\setupapi.log instead), a log that can help confirm when devices were first installed.
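The first-install check the Logs slide and the USBSTOR notes describe, as an added example that is not part of the original deck: parse the hardware-initiated install sections of setupapi.dev.log and keep the earliest section start per device ID, then look up a serial across both its USB\ and USBSTOR\ entries. The log excerpt is constructed to follow the Vista and later section layout (">>>  [Device Install (Hardware initiated) - <id>]" followed by ">>>  Section start <timestamp>"); the device IDs and times are illustrative.

```python
"""Added example: first-install times for USB devices from setupapi.dev.log.

The excerpt below is constructed to match the Vista+ section layout; real logs
are much longer, and the timestamps are local time with no zone indicator.
"""
import re
from datetime import datetime

SECTION_HEADER_RE = re.compile(
    r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<device_id>.+?)\]\s*$")
SECTION_START_RE = re.compile(
    r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s*$")
TS_FORMAT = "%Y/%m/%d %H:%M:%S.%f"

# Constructed sample: the same SanDisk device is installed once as a USB
# device, once as a USBSTOR disk, and then re-installed weeks later.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5530\4C530001234567891234]
>>>  Section start 2010/03/15 14:21:58.122
     cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2010/03/15 14:22:00.901
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02\4C530001234567891234&0]
>>>  Section start 2010/03/15 14:22:01.234
     cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2010/03/15 14:22:03.550
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02\4C530001234567891234&0]
>>>  Section start 2010/04/02 09:05:17.010
<<<  Section end 2010/04/02 09:05:17.450
<<<  [Exit status: SUCCESS]
"""


def parse_install_sections(log_text: str) -> list:
    """Return (device_id, section start) for every hardware-initiated install."""
    sections, pending = [], None
    for line in log_text.splitlines():
        m = SECTION_HEADER_RE.match(line)
        if m:
            pending = m.group("device_id")      # header line names the device
            continue
        m = SECTION_START_RE.match(line)
        if m and pending is not None:           # next line carries the timestamp
            sections.append((pending, datetime.strptime(m.group("ts"), TS_FORMAT)))
            pending = None
    return sections


def first_install_times(log_text: str) -> dict:
    """Earliest install per device ID (case-insensitive, as the log mixes cases)."""
    first = {}
    for device_id, ts in parse_install_sections(log_text):
        key = device_id.lower()
        if key not in first or ts < first[key][1]:
            first[key] = (device_id, ts)
    return {device_id: ts for device_id, ts in first.values()}


def first_install_for_serial(log_text: str, serial: str):
    """Earliest install of any device ID containing the serial (USB\\ or USBSTOR\\)."""
    hits = [ts for device_id, ts in first_install_times(log_text).items()
            if serial.lower() in device_id.lower()]
    return min(hits) if hits else None


if __name__ == "__main__":
    for device_id, ts in sorted(first_install_times(SAMPLE_LOG).items(), key=lambda kv: kv[1]):
        print(ts.isoformat(sep=" "), device_id)
    print("first seen:", first_install_for_serial(SAMPLE_LOG, "4C530001234567891234"))
```

Because the log only records installs, a device that was attached on many later occasions still shows just its first install here; pair this with the last-write times from the registry keys for the "last attached" side. On Vista and later the log is rotated, so older installs may sit in an archived setupapi.dev.*.log in the same directory.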
Directories
Temp folder: C:\Users\%User%\AppData\Local\Temp. Working space that needs only user-level privileges is very convenient for malware and attackers.
Windows Prefetch: C:\Windows\Prefetch. Prefetch is a Windows feature meant to speed up boot and the loading of commonly executed applications by recording which files each program touches as it starts. It leaves a prefetch file (named after the executable) that can be used to identify executables run on the system.
Intellectual Property Theft
In a typical case, an employee may suddenly leave the company and go to work for a contractor or competitor. The investigation is often initiated on a hunch, or when clients notify the former employer that they are being solicited. Depending on the company's policy, an investigator will usually have access to the departing employee's desktop and laptop.
Litigation and employee malfeasance are increasingly coming to the attention of corporate leadership. Computer security policies and response plans must now consider these risks. Retaining a departing employee's hard disk (rather than repurposing it) is just as important as changing passwords.
Productive areas for analysis include:
Attached storage devices
Link files pointing to external devices
Evidence of wiping software
Use of the corporate system to send confidential files to external addresses (often personal addresses)
Webmail accounts
References to competitors or contractors regarding employment
The SYSTEM file contains a key called USBSTOR
This key contains a list of every USB storage device that has been attached to that installation of Windows. The last-write time of a device's key can indicate when the device was last attached (with the caveats given in the USBSTOR notes above). The SYSTEM file also contains keys called 1394 (records Firewire devices) and SCSI (records SATA devices on particular bridges). ExpressCard™ eSATA devices do not register as removable devices.
Monkeys…lol Yeah, I know, it is an ape technically…whatever.