Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mastering Windows Network Forensics and Investigation Chapter 8: The Registry Structure.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Mastering Windows Network Forensics and Investigation Chapter 8: The Registry Structure."— Presentation transcript:

1 Mastering Windows Network Forensics and Investigation Chapter 8: The Registry Structure

2 June 3, 2015 © Wiley Inc. 2007. All Rights Reserved 2 Chapter Topics: Registry History Registry Structure & Terms Registry Research Viewing Registry with Forensic Tools

3 Registry History Massive database of system and program configuration settings Legacy Windows (Windows 3.0) had config.sys, autoexe.bat, and several “ini” files Text files lacked hierarchical structure and couldn’t easily store binary data June 3, 2015

4 Registry History Windows 3.1 had first rudiments of registry Windows 95 / NT expanded it more along the lines of what we see today. Each subsequent release has resulted in increase in size and complexity of registry June 3, 2015

5 Registry Structure & Terminology At physical level, registry stored in hive files User rarely interfaces directly with registry Regedit is current interface tool (regedt32 legacy) – no known shortcut - Run > regedit June 3, 2015

6 Regedit Interface June 3, 2015 Key PaneValue Pane

7 Five Root Keys June 3, 2015

8 HKEY_CLASSES_ROOT Used to associate file types with programs that open them and also used to register classes for Component Object Model (COM) objects. It is the largest of the root keys in terms of the registry space it occupies. This key is derived from a linked merger of two keys, which are HKLM\Software\Classes and HKCU\Software\Classes. This merger effectively blends default settings with per user settings. June 3, 2015

9 HKEY_CURRENT_USER Used to configure the environment for the console user. It is a per-user setting (specific only to this user) and is a derived from a link to HKU\SID, where the SID is the user’s security identifier. June 3, 2015

10 HKEY_CURRENT_CONFIG Used to establish the current hardware configuration profile. This key is derived from a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current. Current is derived from a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\####, where #### is a number that increments starting at “0000”. HKLM\SYSTEM\CurrentControlSet, in turn, is a link to HKLM\SYSTEM\ControlSet###, where ### is a number that increments starting at 000. The value located in HKLM\SYSTEM\Select\Current determines which control set is current and therefore which ControlSet is to be used to create this key via a link. June 3, 2015

11 HKEY_LOCAL_MACHINE Used to establish the per-computer settings. Settings found in this key apply to the machine and all of its users, covering all facets of the computer’s function. This key is a master key and is not, therefore, derived from any link as are the previous three keys. During system startup, the local machine settings are loaded before the user specific settings. June 3, 2015

12 HKEY_USERS Used to contain the user environment settings for the console user as well as other users who have logged onto the system. There will be at least three subkeys, which are “.DEFAULT,” “SID,” and “SID_Classes,” where the “SID” is that of the console user. You may also find SID’s “S-1-5-18,” “S-1-5-19,” and “S-1-5-20,” which are for the “LocalSystem,” “LocalService,” and “NetworkService” accounts, respectively. Any other SID’s found here will below to other users who have logged on to the machine. This key is a master key and is not, therefore, derived from any link as are the first three keys (the ones that are unbolded). June 3, 2015

13 Derived vs Master Only HKEY_LOCAL_MACHINE (HKLM) & HKEY_USERS (HKU) are Master Keys The remaining root keys are derived from other keys At a physical level, each of the logical master keys has its source data in files called hives June 3, 2015

14 HKLM Subkeys June 3, 2015 Hardware is dynamic and exist only on a live machine!

15 HKLM Keys > Hive Files June 3, 2015 H IVE K EY H IVE F ILE HKLM\SAM%SYSTEMROOT%\System32\config\SAM HKLM\SECURITY%SYSTEMROOT%\System32\config\SECURITY HKLM\SOFTWARE%SYSTEMROOT%\System32\config\software HKLM\SYSTEM%SYSTEMROOT%\System32\config\system

16 The Evidence Vault June 3, 2015

17 HKU Keys > Hive Files June 3, 2015 H IVE K EY H IVE F ILE HKU\.DEFAULT%SYSTEMROOT%\System32\config\default HKU\S-1-5-19Documents and Settings\LocalService ntuser.dat HKU\S-1-5-19_ClassesDocuments and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat HKU\S-1-5-20Documents and Settings\NetworkService ntuser.dat HKU\S-1-5-20_ClassesDocuments and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat HKU\SIDDocuments and Settings\UserName\ntuser.dat HKU\SID_ClassesDocuments and Settings\UserName\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat

18 HKLM\SYSTEM\CurrentControlSet\Control\hivelist June 3, 2015

19 Determining Current Control Set June 3, 2015

20 Registry Value Data Types June 3, 2015 D ATA T YPE N UMBER D ESCRIPTION REG_NONE0Data type is not defined REG_SZ1Fixed length text string expressed in user-friendly format, which is often used to describe components REG_EXPAND_SZ2Variable or expandable length data string REG_BINARY3Binary data that is displayed in editor as hex REG_DWORD432-bit double word values and the most common data type found in the registry REG_DWORD_LITTLE_ENDIAN432-bit double word values with bytes in reverse order. As Intel already store data in this format, this term is synonymous with REG_DWORD and they have the same numeric value REG_DWORD_BIG_ENDIAN532-bit double word value with bytes in normal order with the highest bit appearing first REG_LINK6An internal-use only data type for Unicode symbolic link REG_MULTI_SZ7Multiple string field in which each string is separated by a null (00h) and with two nulls (00 00) marking the end of the list of strings REG_RESOURCE_LIST8Listing of resource lists for devices or device drivers (REG_FULL_RESOURCE_DESCRIPTOR). You can view, but not edit these lists.

21 Search in Regedit June 3, 2015

22 Registry Analysis Tools Regmon (Microsoft) User Assist Analyzer (http://didierstevens.wordpress.c om/)http://didierstevens.wordpress.c om/ Access Data’s Registry Viewer Access Data’s Imager EnCase (View File Structure) June 3, 2015

23 Viewing Registry with Forensic Tools Forensic Tools –Access Data – Registry Viewer –EnCase – View File Structure –ProDiscover –Others Off-line registry differs from live registry Mount / Open Hive Files Don’t expect to see derived or dynamic keys June 3, 2015 © Wiley Inc. 2007. All Rights Reserved 23

Download ppt "Mastering Windows Network Forensics and Investigation Chapter 8: The Registry Structure."

Similar presentations

Working with the Windows Registry Computer Club of the Sandhills November 12, 2012.

Working with the Windows Registry Computer Club of the Sandhills November 12, 2012.
Windows Under the Hood.

Windows Under the Hood.
Your Friend and Mine The Windows Registry. What is the Registry? ► Think of as a giant 411 switchboard ► Simple idea of centralized one-stop shopping.

Your Friend and Mine The Windows Registry. What is the Registry? ► Think of as a giant 411 switchboard ► Simple idea of centralized one-stop shopping.
MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646) Chapter 3 Configuring the Windows Server 2008 Environment.

MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646) Chapter 3 Configuring the Windows Server 2008 Environment.
Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802 Investigating.

Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA Investigating.
Configuration Files CGS2564. DOS Config.sys Device drivers Memory configuration Autoexec.bat Run programs, DOS commands, etc. Environment settings File.

Configuration Files CGS2564. DOS Config.sys Device drivers Memory configuration Autoexec.bat Run programs, DOS commands, etc. Environment settings File.
The Windows Registry Adapted from

The Windows Registry Adapted from
Chapter 3: Configuring the Windows Vista Environment.

Chapter 3: Configuring the Windows Vista Environment.
Registry Analysis What is it? What does it contain?

Registry Analysis What is it? What does it contain?
Registry Structure What is it? What does it contain?

Registry Structure What is it? What does it contain?
1 JMH Associates © 2004, All rights reserved Chapter 2-3 Supplement Registry Programming.

1 JMH Associates © 2004, All rights reserved Chapter 2-3 Supplement Registry Programming.
MCDST 70-271: Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 5: User Environment and Multiple Languages.

MCDST : Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 5: User Environment and Multiple Languages.
Chapter 10 Chapter 10: Managing the Distributed File System, Disk Quotas, and Software Installation.

Chapter 10 Chapter 10: Managing the Distributed File System, Disk Quotas, and Software Installation.
Application Repackaging - Naushad Ali T Doddamani.

Application Repackaging - Naushad Ali T Doddamani.
Operating System & Application Files BACS 371 Computer Forensics.

Operating System & Application Files BACS 371 Computer Forensics.
Working with the Windows XP Registry

Working with the Windows XP Registry
Mastering Windows Network Forensics and Investigation Chapter 9: Registry Evidence.

Mastering Windows Network Forensics and Investigation Chapter 9: Registry Evidence.
OS and Application Files BACS 371 Computer Forensics.

OS and Application Files BACS 371 Computer Forensics.
Users and Groups Security Architecture Editing Security Policies The Registry File Security Auditing/Logging Network Issues (client firewall, IPSec, Active.

Users and Groups Security Architecture Editing Security Policies The Registry File Security Auditing/Logging Network Issues (client firewall, IPSec, Active.
Mastering Windows Network Forensics and Investigation Chapter 9: Registry Evidence.

Mastering Windows Network Forensics and Investigation Chapter 9: Registry Evidence.

Similar presentations

Ads by Google