Presentation is loading. Please wait.

Presentation is loading. Please wait.

Registry Analysis Using regedit.exe –System Information –Autostart locations –USB Removable Storage Devices –Mounted Devices –Finding Users –User Activity.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Registry Analysis Using regedit.exe –System Information –Autostart locations –USB Removable Storage Devices –Mounted Devices –Finding Users –User Activity."— Presentation transcript:

1 Registry Analysis Using regedit.exe –System Information –Autostart locations –USB Removable Storage Devices –Mounted Devices –Finding Users –User Activity –Restore Points

2 System Information Located in the Current Control Set If the systemm is not active must find the Control Set that was current Time zone Shares Audit policy Wireless SSIDs

3 Current Control Set CurrentControlSet is a volatile portion of the Registry Which of the 2 or more Control Sets are Current The following indicate that #1 is current

4 Time Zone Information SYSTEM\ControlSet001\Control\TimeZoneInformation

5 Computer Name HKLM\SYSTEM\ControlSet001\Control\ComputerName\ComputerName

6 Shutdown Time HKLM\SYSTEM\CurrentControlSet\Control\Windows HKLM\SYSTEM\ControlSet001\Control\Windows Time is measured in the number of 100-nanosecond intervals since 1 January 1601.

7 Shares Windows 2K, XP, 2003, and Vista create a number of administrative shares –IPC$ - IPC share –ADMIN$ - shares that refer to the root of dirves C$, D$, etc. User enabled shares show up in HKLM\SYSTEM\CurrentControlSet\Servicecs\lanmanserver\Shares

8 Wireless SSIDs XP Laptops maintain a list of service set IDs The GUID is associated with the wireless interface Under the Static#000x lists all of the SSIDs connected

9 SSIDs A different Static#000x for each SSID ever connected to.

10 SSID Registry Entry At offset 0x10 is a DWORD (4 bytes) that contains the length of the SSID, remember little endian. “0b 00 00 00” = 0x 00 00 00 0b = 11 10 SSID LengthSSID

11 Autostarts Applications that are launched without any interaction from the user Often at boot time Occasionally upon launch of a app.

12 Autostart Locations Auto-start extensibility points (ASEPs) Registry locations HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run And elsewhere All over the place

13 Autostart Locations Start -> run -> msconfig Lists some of the acknowledge startups

14 Startup Locations

15 Other Startup Locations System boot User Login User Activity See Carvey’s Ch4 spreadsheet for more locations

16 System boot Startup services at boot time are contained in HKLM\SYSTEM\CurrentControlSet\Services The services are enumerated with parameters Should be sorted by LastWriteTime Only possible in FTK or ProDiscover

17 ControlSet\Services

18 Boot Time Apps Start value = 2, the app starts on boot time.Star value != 2 starts on user logon

19 Evil Start Time Services Generally LastWrite times should be about the same time the system was built. Later dates would suggest that an intruder of sysadmin was altering the boot time sequence

20 User Login Startup Keys are parsed in order when a user logs in: 1. HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 2. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 3. HKLM\Software\Microsoft\Windows\CurrentVersion\Run 4. HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Windows\Run 5. HKCU\Software\Microsoft\Windows\CurrentVersion\Windows\Run 6. HKCU\Software\Microsoft\Windows\CurrentVersion\Windows\RunOnce The run keys are ignored if started in Safe Mode

21 #3 On the Startup List

22 User Activity On user action certain registry keys are accessed Keys for other Classes of files control what happens when that file is opened Or when the file is double-clicked

23 Example Go to: HKLM\Software\Microsoft\CommandProcessor\AutoRun Right click on AutoRun Select Modify Enter sol.exe in the Value data: field. Start -> run -> cmd.exe This is the how one can modify application behavior Used by much malware to launch backdoors or an IRCbot

24 AutoRuns from Sysinternals

25 Hijacked App

26 USB Devices Tracking USB devices When mounted on Windows they leave Footprints in the Registry Artifacts in the setupapi.log file The PnP Manager queries the device descriptor Located in the thumb drive’s firmware Log updated Creates a Registry Key in HKLM\System\CurrentControlSet\Enum\USBSTOR

27 USBSTOR Key

28 Device Held ID CdRom&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_6.61 Manufacturer Model Version Device class ID Unique Instance ID Serial Number

29 System Created Key Disk&Ven_JMTek&Prod_USBDrive&Rev_7.77 ManufacturerModelVersion Device class ID Unique Instance ID No Serial Number Made up by system

30 Device Information HKLM\SYSTEM\MountedDevices List of recently Mounted Devices Look down the list for \DosDevices\ The REG_BINARY data field should start with 5C 00 3F00 3F 00 To find which device this is right click on the device Select Modify

31 USBSTORE ParentIdPrefix Unique Instance ID Serial Number

32 USB Devices Tracking By correlating ParentIdPrefix form Mounted devices and USBSTORE one can generate a timeline CurrentUser\Software\Microsoft\Windows\ CurrentVersion\Explorer\MountPoints2 May give more information

33 Mounted Devices

34 Binary Data in \DosDevices\G: ParentIdPrefix matches the Kingston Traveler in the USBSTORE key

35 Research Topic USB devices Some USB Devices have a Device ID, others do not Some generate a ParentIdPrefix others do not Some Correlate to the MountedDevices ID others do not Sort it out Use references to the the Microsoft Knowledge Base

Download ppt "Registry Analysis Using regedit.exe –System Information –Autostart locations –USB Removable Storage Devices –Mounted Devices –Finding Users –User Activity."

Similar presentations

Putting It All Together 1.  Maintaining a Hard Drive Ch 4 Lab  Hardware cleaning tips ▪ Microsoft Tips Microsoft Tips ▪ Computer Hope Tips Computer.

Putting It All Together 1.  Maintaining a Hard Drive Ch 4 Lab  Hardware cleaning tips ▪ Microsoft Tips Microsoft Tips ▪ Computer Hope Tips Computer.
Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.

Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.
Computer Forensic Tools. Computer Forensics: A Brief Overview Scientific process of preserving, identifying, extracting, documenting, and interpreting.

Computer Forensic Tools. Computer Forensics: A Brief Overview Scientific process of preserving, identifying, extracting, documenting, and interpreting.
EFS e-Forensic Services Inc.

EFS e-Forensic Services Inc.
System Center Configuration Manager Push Software By, Teresa Behm.

System Center Configuration Manager Push Software By, Teresa Behm.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.

Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.
Chapter 3: Configuring the Windows Vista Environment.

Chapter 3: Configuring the Windows Vista Environment.
Registry Analysis What is it? What does it contain?

Registry Analysis What is it? What does it contain?
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.
Microsoft Windows in Amazon Cloud Ishwor Thapa January 20, 2011.

Microsoft Windows in Amazon Cloud Ishwor Thapa January 20, 2011.
Week:#14 Windows Recovery

Week:#14 Windows Recovery
XP New Perspectives on Microsoft Office Access 2003, Second Edition- Tutorial 1 1 Microsoft Access 2003 Tutorial 1 – Introduction To Microsoft Access 2003.

XP New Perspectives on Microsoft Office Access 2003, Second Edition- Tutorial 1 1 Microsoft Access 2003 Tutorial 1 – Introduction To Microsoft Access 2003.
File Analysis Chapter 5 – Harlan Carvey Event Logs File Metadata.

File Analysis Chapter 5 – Harlan Carvey Event Logs File Metadata.
A+ Guide to Managing and Maintaining Your PC, 7e

A+ Guide to Managing and Maintaining Your PC, 7e
8/10/2015Windows 71 George South. 8/10/2015Windows 7 2 1. Windows Vista Windows Vista was released in January 2007 some five years after Windows XP Vista.

8/10/2015Windows 71 George South. 8/10/2015Windows Windows Vista Windows Vista was released in January 2007 some five years after Windows XP Vista.
Working with the Windows XP Registry

Working with the Windows XP Registry
Mastering Windows Network Forensics and Investigation Chapter 9: Registry Evidence.

Mastering Windows Network Forensics and Investigation Chapter 9: Registry Evidence.
Mastering Windows Network Forensics and Investigation Chapter 14: Other Audit Events.

Mastering Windows Network Forensics and Investigation Chapter 14: Other Audit Events.
© 2009 Autodesk Troubleshooting common installation problems TS14868637 AutoCAD (LT) Product Support By Tom Stoeckel.

© 2009 Autodesk Troubleshooting common installation problems TS AutoCAD (LT) Product Support By Tom Stoeckel.

Similar presentations

Ads by Google