
Villanova University – Department of Computing Sciences – D. Justin Price – Spring 2014

Registry Artifacts

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

REGISTRY

• The registry is a “central hierarchal database” intended to store information that is necessary to configure the system for one or more users, applications, and hardware devices.[1]
• Goldmine for digital forensics.
• Registry Breakdown
  – Hives (binary database files)
  – Keys & Subkeys (analogous to folders)
  – Values (analogous to a file)
  – Type (strings, binary or DWORD)
  – Data

[1] http://support.microsoft.com/kb/256986

REGISTRY HIVES

• SAM
  – Local user accounts & groups
• Security
  – Security information used by the operating system, including password policies, group memberships, etc.
• System
  – Hardware and service configurations
• Software
  – Application settings
• NTUSER.dat
  – User settings, configuration and environment settings
• UsrClass.dat
  – More widely used in Vista/7/8
  – Shellbag Information

REGISTRY HIVES

• System Registry Hives
  XP/Vista/7/8  C:\Windows\System32\config\SAM
  XP/Vista/7/8  C:\Windows\System32\config\SECURITY
  XP/Vista/7/8  C:\Windows\System32\config\SYSTEM
  XP/Vista/7/8  C:\Windows\System32\config\SOFTWARE
• User Specific Registry Hives
  XP            C:\Documents and Settings\<USERNAME>\NTUSER.dat
  Vista/7/8     C:\Users\<USERNAME>\NTUSER.dat
  Vista/7/8     C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat
• Backup System Registry Hives
  Vista/7/8     C:\Windows\System32\config\RegBack

REGISTRY VALUE TYPES

• REG_NONE – No Value
• REG_SZ – Unicode or ASCII String
• REG_BINARY – Binary Data
• REG_DWORD – 32-bit Number
• REG_LINK – Unicode Symbolic Link
• REG_QWORD – 64-bit Number

VIEWING REGISTRY HIVES

• Live System Analysis - regedit.exe
• Offline Analysis - AccessData Registry Viewer
  – http://marketing.accessdata.com/acton/attachment/4390/u-011c/0/-/-/-/-/
• Offline Analysis - MiTeC Windows Registry Recovery (WRR)
  – http://www.mitec.cz/wrr.html

EXTRACTING REGISTRY HIVES

LAST WRITE TIME

• Last Write Time is recorded for each key in every hive.
• Time is stored in UTC.
• Time stamp reflects when a value has been added or updated.

SECURITY ACCOUNTS MANAGER (SAM)

• Security Identifier (SID)
  – Recycle Bin entries, file ownership and other artifacts refer to a SID and not a username.
• Microsoft Documented SID Accounts
  – Administrator = 500
  – Guest = 501
  – User Account = start at 1000
• Password fields can be misleading
  – Password Required = password policies applied to user accounts do not apply to this account
  – We will work with a much better tool to determine if a password was set for this account in the Encryption/Password lecture!

SAM Hive

PROFILE LIST

• Details all profiles that have used the system, including local and domain users.
• SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
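Because the SAM, Recycle Bin, ownership and ProfileList artifacts all key on SIDs rather than usernames, an examiner usually has to decode binary SIDs and map RIDs to the account classes the slides list. The following is an added example, not code from the lecture: it decodes a binary SID (revision, sub-authority count, 48-bit authority, 32-bit sub-authorities) into S-1-5-... form and classifies the RID using the 500/501/1000 values above. The sample SID bytes and ProfileList entries are constructed for the example.

```python
import struct

# Well-known RIDs as listed on the slide.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}
FIRST_USER_RID = 1000

# Constructed sample: a binary SID as stored in SAM/SECURITY hive values.
# Layout: revision (1 byte), sub-authority count (1 byte), 48-bit big-endian
# identifier authority, then count x 32-bit little-endian sub-authorities.
SAMPLE_SID_BYTES = (
    bytes([1, 5])
    + (5).to_bytes(6, "big")
    + struct.pack("<5I", 21, 1111111111, 2222222222, 3333333333, 500)
)

# Constructed sample of ProfileList subkeys: {SID: ProfileImagePath}.
SAMPLE_PROFILE_LIST = {
    "S-1-5-18": r"%systemroot%\system32\config\systemprofile",
    "S-1-5-21-1111111111-2222222222-3333333333-500": r"C:\Users\Administrator",
    "S-1-5-21-1111111111-2222222222-3333333333-1001": r"C:\Users\jdoe",
}


def sid_from_bytes(data: bytes) -> str:
    """Decode a binary SID into its textual S-R-I-S... form."""
    if len(data) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, sub_count = data[0], data[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(data) < 8 + 4 * sub_count:
        raise ValueError("SID truncated: sub-authority count exceeds data length")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from(f"<{sub_count}I", data, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def classify_sid(sid: str) -> str:
    """Name the account class from the RID, using the values the slide gives."""
    parts = sid.split("-")
    if len(parts) < 8 or parts[:4] != ["S", "1", "5", "21"]:
        return "Well-known / built-in SID"   # e.g. S-1-5-18 (LocalSystem)
    rid = int(parts[-1])
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid >= FIRST_USER_RID:
        return "User Account"
    return "Other built-in RID"


def profile_report(profile_list: dict) -> list:
    """Join ProfileList entries with the RID classification, one row per profile."""
    return [(sid, path, classify_sid(sid)) for sid, path in profile_list.items()]
```

The length check before unpacking matters in practice: a truncated or corrupt value would otherwise raise a struct error deep inside a larger parsing run rather than a readable message naming the bad SID.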

SYSTEM HIVE

• Current Control Set
  – SYSTEM\Select\Current
  – Answers the following questions:
    • Which configuration files should be loaded?
    • If an error is detected, which configuration files should be tried next?
    • Which configuration files reported errors?
• Computer Name:
  – SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
• Time Zone:
  – SYSTEM\CurrentControlSet\Control\TimeZoneInformation
• Last Access Timestamp:
  – SYSTEM\CurrentControlSet\Control\FileSystem
• Network Interfaces:
  – SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
• User Shares Enable:
  – SYSTEM\CurrentControlSet\Services\lanmanserver\Shares
• System Shutdown Timestamps and Counters (XP):
  – SYSTEM\CurrentControlSet\Control\Windows
  – SYSTEM\CurrentControlSet\Control\Watchdog\Display

SOFTWARE HIVE

• Operating System Version:
  – SOFTWARE\Microsoft\Windows NT\CurrentVersion
• Historical Networks (Vista/7/8): Managed by a Domain
  – SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
  – DnsSuffix = Domain
  – FirstNetwork = SSID
  – DefaultGatewayMac = Media Access Control (MAC) Address of Gateway
  – Last Written Time = Last time the computer connected to this network.
• Historical Networks (Vista/7/8): Not Managed by a Domain
  – SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
• Network Type:
  – SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{GUID} (XP)
  – SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles (Vista/7/8)
    » NameType 0x47 = Wireless
    » NameType 0x06 = Wired
    » NameType 0x17 = Broadband
    » Date fields are recorded as 128-bit System date; use Dcode to convert.
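Three timestamp formats recur across these slides: key Last Write times (64-bit FILETIME, stored in UTC), the 128-bit SYSTEMTIME dates in NetworkList\Profiles, and the ActiveTimeBias under TimeZoneInformation that turns UTC into the machine's local time. The block below is an added example, not code from the lecture or from the DCode tool; it converts all three so an examiner can check what a viewer displays. The FILETIME, SYSTEMTIME and bias values are constructed samples.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed samples (not from the page):
SAMPLE_FILETIME = 0x01CF068469F2C000   # 2014-01-01 00:00:00 UTC as 100-ns ticks since 1601
SAMPLE_SYSTEMTIME = struct.pack("<8H", 2014, 2, 4, 6, 10, 15, 22, 0)  # Thu 2014-02-06 10:15:22 UTC
EST_ACTIVE_TIME_BIAS = 300            # US Eastern in February: UTC = local + 300 minutes
CET_ACTIVE_TIME_BIAS = 0xFFFFFFC4     # -60 minutes stored as an unsigned REG_DWORD


def filetime_to_utc(ticks: int) -> datetime:
    """64-bit FILETIME: 100-nanosecond ticks since 1601-01-01 UTC (key Last Write times use this)."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def filetime_bytes_to_utc(data: bytes) -> datetime:
    """Same conversion from the 8 little-endian bytes of a REG_BINARY/REG_QWORD value."""
    (ticks,) = struct.unpack_from("<Q", data)
    return filetime_to_utc(ticks)


def systemtime_to_utc(data: bytes) -> datetime:
    """128-bit SYSTEMTIME (NetworkList\\Profiles DateCreated / DateLastConnected):
    eight little-endian WORDs: year, month, day-of-week, day, hour, minute, second, millisecond."""
    year, month, _dow, day, hour, minute, second, ms = struct.unpack_from("<8H", data)
    return datetime(year, month, day, hour, minute, second, ms * 1000, tzinfo=timezone.utc)


def dword_to_signed(value: int) -> int:
    """REG_DWORD values are unsigned on disk; ActiveTimeBias is really a signed LONG."""
    return value - (1 << 32) if value >= (1 << 31) else value


def to_local(utc: datetime, active_time_bias: int) -> datetime:
    """Apply TimeZoneInformation\\ActiveTimeBias (minutes): local = UTC - bias."""
    offset = timedelta(minutes=-dword_to_signed(active_time_bias))
    return utc.astimezone(timezone(offset))
```

Keeping the result timezone-aware (rather than silently shifting a naive value) is what prevents the classic report error of mixing UTC registry times with local-time log entries such as setupapi.dev.log.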

AUTO-START PROGRAMS

• Various Registry Locations:
  – NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Run
  – NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\RunOnce
  – SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  – SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  – SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
  – SYSTEM\CurrentControlSet\Services (Start = 0x02)
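The locations above are where an examiner looks for persistence; the work is in triaging what is found. The block below is an added example (not lecture code) that gathers Run/RunOnce values together with services whose Start value is 0x02 (the auto-start value the slide names) and attaches review flags: programs launched from user-writable directories and unquoted image paths containing spaces. The hive values, service entries and the user-writable path heuristic are constructed for the example and are assumptions, not anything the page lists.

```python
import re

SERVICE_START_AUTO = 0x02   # Start value the slide lists for SYSTEM\CurrentControlSet\Services

# Triage heuristics (constructed for this example, not from the page).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|cmd|bat|vbs|js|ps1))(?=\s|$)", re.IGNORECASE)

# Constructed sample data shaped like a hive export: (key, value name, value data).
SAMPLE_RUN_VALUES = [
    (r"NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
    (r"NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Updater",
     r"C:\Users\jdoe\AppData\Roaming\upd\svc.exe -silent"),
]
SAMPLE_SERVICES = {
    "Spooler": {"Start": 2, "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
    "WSearch": {"Start": 3, "ImagePath": r"%SystemRoot%\system32\SearchIndexer.exe /Embedding"},
    "Backup Agent": {"Start": 2, "ImagePath": r"C:\Program Files\Backup Agent\agent.exe -svc"},
    "TempSvc": {"Start": 2, "ImagePath": r"C:\Users\Public\tsvc.exe"},
}


def executable_path(command: str) -> str:
    """Return the program path from a Run value or service ImagePath command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)
    return m.group(1) if m else command.split()[0]


def triage(key: str, name: str, command: str) -> dict:
    """Attach review flags to one auto-start entry."""
    path = executable_path(command)
    flags = []
    if USER_WRITABLE.search(path):
        flags.append("runs from a user-writable location")
    if " " in path and not command.strip().startswith('"'):
        flags.append("unquoted path containing spaces")
    return {"key": key, "name": name, "path": path, "flags": flags}


def collect_autostarts(run_values, services) -> list:
    """Gather Run/RunOnce values plus services whose Start is 0x02 (auto start)."""
    findings = [triage(key, name, data) for key, name, data in run_values]
    for name, svc in services.items():
        if svc.get("Start") == SERVICE_START_AUTO:
            findings.append(triage(f"SYSTEM\\CurrentControlSet\\Services\\{name}", name, svc["ImagePath"]))
    return findings
```

Flags are review prompts, not verdicts: a legitimate per-user installer such as the OneDrive entry in the sample lives under AppData and is flagged too, which is exactly why the key path and the data are carried through to the report.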

NTUSER.DAT HIVE

• Windows XP Search History
  – NTUSER.DAT\Software\Microsoft\Search Assistant\ACMru
• Windows 7 Search History
  – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
• Windows 8 Search History
  – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\SearchHistory
• Internet Explorer Typed URLs
  – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
• Recently Accessed Files
  – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
  – MRUList shows the order in which the files were accessed.
  – The most recent file opened will be first.

NTUSER.DAT HIVE

• Microsoft Office Recent Documents
  – NTUSER.DAT\Software\Microsoft\Office\14.0\Word\FileMRU
  – NTUSER.DAT\Software\Microsoft\Office\14.0\Excel\FileMRU
  – NTUSER.DAT\Software\Microsoft\Office\14.0\Powerpoint\FileMRU
• Office XP - Version 10.0
• Office 2003 - Version 11.0
• Office 2007 - Version 12.0
• Office 2010 - Version 14.0
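An added example (not lecture code) for the Office FileMRU keys: it maps the version number in the key path to the product names listed above and parses each `Item N` value into a path and a last-opened time. The slide does not give the value layout; the bracketed `[F...][T...][O...]*path` form assumed here, with the `T` field holding a hexadecimal FILETIME, is the one seen in Office 2010 keys, and the `[O...]` field is treated as optional so older layouts also parse. Key path and values are constructed samples.

```python
import re
from datetime import datetime, timedelta, timezone

# Version numbers from the slide.
OFFICE_VERSIONS = {"10.0": "Office XP", "11.0": "Office 2003", "12.0": "Office 2007", "14.0": "Office 2010"}

# Assumed item layout: "[F<8 hex>][T<16 hex FILETIME>][O<8 hex>]*<path>", [O...] optional.
ITEM_RE = re.compile(
    r"^\[F(?P<f>[0-9A-F]{8})\]\[T(?P<t>[0-9A-F]{16})\](?:\[O(?P<o>[0-9A-F]{8})\])?\*(?P<path>.+)$", re.I)
KEY_RE = re.compile(r"\\Office\\(?P<ver>\d+\.\d)\\(?P<app>[^\\]+)\\FileMRU$", re.I)
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample: values under ...\Office\14.0\Word\FileMRU
SAMPLE_FILEMRU_KEY = r"NTUSER.DAT\Software\Microsoft\Office\14.0\Word\FileMRU"
SAMPLE_FILEMRU_VALUES = {
    "Max Display": 25,
    "Item 1": r"[F00000000][T01CF068469F2C000][O00000000]*C:\Users\jdoe\Documents\budget.docx",
    "Item 2": r"[F00000000][T019DB1DED53E8000]*\\fileserver\share\notes.docx",
}


def filetime_to_utc(ticks: int) -> datetime:
    """64-bit FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def parse_item(text: str) -> dict:
    """Split one FileMRU item into its document path and last-opened timestamp."""
    m = ITEM_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised FileMRU item: {text!r}")
    return {"path": m["path"], "last_opened": filetime_to_utc(int(m["t"], 16))}


def parse_filemru(key_path: str, values: dict) -> dict:
    """Identify the Office product/application from the key path and parse its items in MRU order."""
    km = KEY_RE.search(key_path)
    if not km:
        raise ValueError("not a FileMRU key path")
    item_names = sorted((n for n in values if n.startswith("Item ")), key=lambda n: int(n.split()[1]))
    return {
        "product": OFFICE_VERSIONS.get(km["ver"], f"Office {km['ver']}"),
        "application": km["app"],
        "items": [parse_item(values[n]) for n in item_names],
    }
```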

NTUSER.DAT HIVE

• Common Dialogs API (ComDlg32)
  – Open and Save As APIs
  – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU (XP)
  – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidMRU (Vista/7/8)
• Common Dialogs API (ComDlg32)
  – Last Visited - records the specific executable used to open the files along with the directory that was last accessed.
  – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU (XP)
  – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidMRU (Vista/7/8)
• Commands Executed from the Run Box
  – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
  – MRU List provides the order in which the commands were executed.
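The RecentDocs and RunMRU keys above (and the ComDlg32 keys) share one mechanism: value names are plain indices, and a separate MRU value gives their most-recent-first order. The block below is an added example (not lecture code) that handles both forms of that list: the XP-style `MRUList` string of letters and the Vista/7/8 `MRUListEx` binary of little-endian DWORDs terminated by 0xFFFFFFFF. It also reports indices in the list with no surviving value, which indicate deleted entries. The RecentDocs and RunMRU values are constructed samples; in RecentDocs only the leading UTF-16LE file name is decoded and the trailing shortcut bytes are skipped.

```python
import struct


def order_from_mrulist(mrulist: str) -> list:
    """XP-style MRUList (REG_SZ): one letter per value name, most recent first."""
    return list(mrulist)


def order_from_mrulistex(data: bytes) -> list:
    """Vista/7/8 MRUListEx (REG_BINARY): little-endian DWORD value names, 0xFFFFFFFF terminated."""
    order = []
    for (index,) in struct.iter_unpack("<I", data[: len(data) - len(data) % 4]):
        if index == 0xFFFFFFFF:
            break
        order.append(str(index))
    return order


def utf16_cstring(data: bytes) -> str:
    """First NUL-terminated UTF-16LE string in a value (RecentDocs entries start with the file name)."""
    for i in range(0, len(data) - 1, 2):
        if data[i:i + 2] == b"\x00\x00":
            return data[:i].decode("utf-16-le")
    return data.decode("utf-16-le", errors="replace")


def ordered_values(values: dict, decode=lambda d: d) -> dict:
    """Entries in MRU order (most recent first) plus list indices whose value no longer exists."""
    if "MRUListEx" in values:
        order = order_from_mrulistex(values["MRUListEx"])
    elif "MRUList" in values:
        order = order_from_mrulist(values["MRUList"])
    else:
        raise ValueError("no MRUList/MRUListEx value in key")
    return {
        "entries": [decode(values[n]) for n in order if n in values],
        "dangling": [n for n in order if n not in values],
    }


def recentdocs_order(values: dict) -> dict:
    return ordered_values(values, utf16_cstring)


def runmru_order(values: dict) -> dict:
    # RunMRU data carries a trailing "\1" after the command text.
    return ordered_values(values, lambda s: s[:-2] if s.endswith("\\1") else s)


def _recentdoc(name: str) -> bytes:
    """Constructed RecentDocs-style data: UTF-16LE file name, NUL, then the .lnk name bytes."""
    return name.encode("utf-16-le") + b"\x00\x00" + (name + ".lnk").encode("utf-16-le") + b"\x00\x00"


# Constructed samples (not from the page).
SAMPLE_RECENTDOCS = {
    "0": _recentdoc("notes.txt"),
    "1": _recentdoc("report.docx"),
    "2": _recentdoc("budget.xlsx"),
    "MRUListEx": struct.pack("<5I", 2, 1, 3, 0, 0xFFFFFFFF),  # index 3 was deleted
}
SAMPLE_RUNMRU = {"a": "cmd\\1", "b": "notepad\\1", "c": "regedit\\1", "MRUList": "cba"}
```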

NTUSER.DAT HIVE

• UserAssist
  – Records what application(s) a user has run, when and how many times:
  – NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
  – Valuable resource to determine user activity and technical knowledge.
  – Values are encoded using a simple substitution cipher (ROT13).
  – Run count starts at 6(?) …. some viewers will automatically adjust this value, so it is important to know what your tool is doing.
  – {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} = Executable File Execution
  – {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} = Shortcut File Execution
• UserAssist – Win XP/Vista
  – All values begin with:
    • UEME_RUNPATH – Launched from the Absolute Path
    • UEME_RUNCPL – Launched from the Control Panel Applet
    • UEME_RUNPIDL – Launched from a Shortcut
    • UEME_UIQCUT – Launched from the Quick Launch Menu
    • UEME_UISCUT – Launched from a Desktop Shortcut
    • UEME_UITTOOLBAR – Launched from the Windows Explorer Toolbar
• UserAssist – Win 7/8
  – http://www.aldeid.com/wiki/Windows-userassist-keys#Translation_of_directories
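An added example (not lecture code) tying the UserAssist slides together: it ROT13-decodes value names, labels XP/Vista `UEME_` prefixes with the meanings listed above, expands a few known-folder GUIDs that Windows 7/8 names use in place of directory paths (the aldeid page linked above covers the full translation; the four GUIDs here are from Microsoft's KNOWNFOLDERID list), and unpacks the Count data: 16 bytes on XP/Vista (session, run count, FILETIME) and 72 bytes on 7/8 (run count at offset 4, last-run FILETIME at offset 60). The run count is returned exactly as stored, because the slide warns that viewers silently adjust it. Sample records are constructed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# GUID subkeys and UEME_ prefixes as listed on the slides.
GUID_NAMES = {
    "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}": "Executable File Execution",
    "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}": "Shortcut File Execution",
}
UEME_PREFIXES = {
    "UEME_RUNPATH": "Launched from the Absolute Path",
    "UEME_RUNCPL": "Launched from the Control Panel Applet",
    "UEME_RUNPIDL": "Launched from a Shortcut",
    "UEME_UIQCUT": "Launched from the Quick Launch Menu",
    "UEME_UISCUT": "Launched from a Desktop Shortcut",
    "UEME_UITOOLBAR": "Launched from the Windows Explorer Toolbar",  # slide spells it UEME_UITTOOLBAR
}
# Known-folder GUIDs seen in Win 7/8 UserAssist names (KNOWNFOLDERID list; assumed mapping for this example).
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"%windir%\System32",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": r"%windir%",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": r"%ProgramFiles%",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": r"%ProgramFiles(x86)%",
}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ticks: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def decode_name(value_name: str) -> str:
    """Value names are ROT13-encoded; applying the same substitution again decodes them."""
    return codecs.decode(value_name, "rot_13")


def expand_known_folders(decoded: str) -> str:
    for guid, folder in KNOWN_FOLDERS.items():
        decoded = decoded.replace(guid, folder)
    return decoded


def parse_count_data(data: bytes) -> dict:
    """Unpack a Count value: 16-byte XP/Vista record or 72-byte Win 7/8 record."""
    if len(data) == 16:
        session, count, ticks = struct.unpack("<IIQ", data)
    elif len(data) == 72:
        session, count = struct.unpack_from("<II", data, 0)
        (ticks,) = struct.unpack_from("<Q", data, 60)
    else:
        raise ValueError(f"unexpected UserAssist Count record length {len(data)}")
    return {"session": session, "run_count": count, "last_run": filetime_to_utc(ticks) if ticks else None}


def parse_userassist(guid: str, values: dict) -> list:
    """Decode every value under ...\\UserAssist\\{GUID}\\Count into (source, target, count, last run)."""
    kind = GUID_NAMES.get(guid, guid)
    rows = []
    for name, data in values.items():
        decoded = expand_known_folders(decode_name(name))
        if decoded.startswith("UEME_"):                  # XP/Vista naming
            prefix, _, target = decoded.partition(":")
            source = UEME_PREFIXES.get(prefix, prefix)
        else:                                             # Win 7/8: the GUID subkey says what ran
            source, target = kind, decoded
        rows.append({"source": source, "target": target, **parse_count_data(data)})
    return rows


def _xp_record(session, count, ticks):
    return struct.pack("<IIQ", session, count, ticks)


def _win7_record(session, count, ticks):
    return struct.pack("<II", session, count) + bytes(52) + struct.pack("<Q", ticks) + bytes(4)


# Constructed samples (not from the page); names are ROT13 as they appear in the hive.
SAMPLE_XP = {"HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\pzq.rkr": _xp_record(5, 11, 0x01CF068469F2C000)}
SAMPLE_WIN7 = {codecs.encode("{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\cmd.exe", "rot_13"):
               _win7_record(3, 7, 0x01CF068469F2C000)}
```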

NTUSER.DAT HIVE

• MUICache – Multi-language User Interface
  – One more location to see if a program was executed, even if the program was uninstalled.
  – Timestamps are not recorded, as each program is a value.
  – Win XP: NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\MUICache
  – Win 7/8: USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
  – Consider processing Volume Shadow Copies (VSC)

RegRipper

• https://code.google.com/p/regripper/wiki/RegRipper

RegRipper Plugins

• List All Plugins
  – rip -l

USB FORENSICS

• USB devices are commonly used to transfer data.
• Determine how the user is using the system
• Identify other devices that may be important to the investigation
• Determine the first time a USB drive was connected to the system.
• Determine the last time a USB drive was connected to the system.
• Artifact Locations:
  XP/Vista/7/8  C:\Windows\System32\config\SYSTEM
  XP/Vista/7/8  C:\Windows\System32\config\SOFTWARE
  XP            C:\Documents and Settings\<USERNAME>\NTUSER.dat
  Vista/7/8     C:\Users\<USERNAME>\NTUSER.dat
  XP            C:\Windows\setupapi.log
  Vista/7/8     C:\Windows\inf\setupapi.dev.log

USB FORENSICS

• Device’s serial number
  – SYSTEM\CurrentControlSet\Enum\USBSTOR
  – Vendors “should” manufacture USB devices with unique serial numbers.
  – Not all devices comply with the standard.
  – Devices that do not have a unique serial number will have an “&” as the 2nd character.
  – “Last Written Date” is the first time the device was connected to the system since the last reboot.
• Device’s Volume Name (Windows 7/8)
  – SOFTWARE\Microsoft\Windows Portable Devices\Device
• Device’s Mapped Drive Letter (Windows XP/7/8)
  – SYSTEM\MountedDevices
  – Windows XP uses the device’s ParentIdPrefix
• Determine which user used the USB device (Windows 7/8)
  – SYSTEM\USBSTOR\<DEVICE>\<Serial#>\Device Parameters\Partmgr
  – SYSTEM\MountedDevices
  – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Mountpoints2
• When was the USB device first used? (Windows 7/8)
  – C:\Windows\inf\setupapi.dev.log
• When was the USB device last used? (Windows 7/8)
  – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints\{GUID}
  – Key’s Last Write Timestamp
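The USB slides describe a correlation chain: USBSTOR gives vendor, product and serial (with the "&" second-character test for non-unique serials), MountedDevices ties that serial to a drive letter and volume GUID, the per-user MountPoints2 key ties the GUID to a user, and setupapi.dev.log gives the first install time. The block below is an added example (not lecture code, and not the USBDeviceForensics tool) that walks that chain over constructed data: the USBSTOR keys, MountedDevices values, MountPoints2 subkey names and log excerpt are all samples made for the example, shaped like the real artifacts. Note the caveat in the code that setupapi.dev.log times are local time, unlike registry last-write times.

```python
import re
from datetime import datetime

USBSTOR_RE = re.compile(r"^(?P<class>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$", re.I)
INSTALL_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<id>.+?)\]\s*$", re.I)
SECTION_START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")

# Constructed samples (not from the page), shaped like the artifacts the slides name.
SAMPLE_USBSTOR = {   # Enum\USBSTOR: device key -> {instance id: key last write (UTC)}
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": {"4C5300012345&0": "2014-02-06T10:15:30+00:00"},
    "Disk&Ven_NoName&Prod_Reader&Rev_0100": {"7&2a1b3c4d&0": "2014-01-20T08:00:00+00:00"},
}
_VOL_GUID = "{a1b2c3d4-0000-1111-2222-333344445555}"
_DISK_IFACE = "_??_USBSTOR#Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07#4C5300012345&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
SAMPLE_MOUNTED_DEVICES = {   # SYSTEM\MountedDevices; Vista+ stores device interface paths as UTF-16LE
    r"\DosDevices\C:": bytes.fromhex("a7b6c5d4" + "00" * 8),
    r"\DosDevices\E:": _DISK_IFACE.encode("utf-16-le"),
    r"\??\Volume" + _VOL_GUID: _DISK_IFACE.encode("utf-16-le"),
}
SAMPLE_MOUNTPOINTS2 = {"jdoe": [_VOL_GUID, "C"], "admin": ["C", "D"]}  # per-user MountPoints2 subkeys
SAMPLE_SETUPAPI_LOG = """>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\4C5300012345&0]
>>>  Section start 2014/02/06 10:15:22.123
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2014/02/06 10:15:25.456
<<<  [Exit status: SUCCESS]
"""


def parse_usbstor(usbstor: dict) -> list:
    """One record per USBSTOR instance; '&' as 2nd character means no unique serial (slide)."""
    devices = []
    for key, instances in usbstor.items():
        m = USBSTOR_RE.match(key)
        for instance, last_write in instances.items():
            devices.append({
                "vendor": m["vendor"] if m else "", "product": m["product"] if m else "",
                "instance": instance,
                "serial_unique": len(instance) > 1 and instance[1] != "&",
                "usbstor_last_write": last_write,
            })
    return devices


def mounted_names_for(mounted: dict, instance: str) -> list:
    """MountedDevices value names whose data references this USBSTOR instance."""
    hits = []
    for name, data in mounted.items():
        text = data.decode("utf-16-le", errors="ignore") if isinstance(data, bytes) else data
        if instance.lower() in text.lower():
            hits.append(name)
    return hits


def drive_letters(mounted: dict, instance: str) -> list:
    return [n[-2] for n in mounted_names_for(mounted, instance) if n.upper().startswith("\\DOSDEVICES\\")]


def volume_guids(mounted: dict, instance: str) -> list:
    return [n.split("Volume", 1)[1] for n in mounted_names_for(mounted, instance) if "\\Volume{" in n]


def users_for(mountpoints2: dict, guids: list) -> list:
    """Users whose MountPoints2 key contains one of the device's volume GUIDs."""
    return [user for user, subkeys in mountpoints2.items() if any(g in subkeys for g in guids)]


def first_install(log_text: str, instance: str):
    """setupapi.dev.log: 'Section start' after the device-install header. LOCAL time, not UTC."""
    pending = False
    for line in log_text.splitlines():
        m = INSTALL_RE.match(line)
        if m:
            pending = instance.lower() in m["id"].lower()
            continue
        if pending:
            s = SECTION_START_RE.match(line)
            if s:
                return datetime.strptime(s["ts"], "%Y/%m/%d %H:%M:%S.%f")
    return None


def usb_report(usbstor, mounted, mountpoints2, log_text) -> list:
    """Run the whole correlation chain for every USBSTOR instance."""
    rows = []
    for dev in parse_usbstor(usbstor):
        guids = volume_guids(mounted, dev["instance"])
        rows.append({**dev, "drive_letters": drive_letters(mounted, dev["instance"]),
                     "volume_guids": guids, "users": users_for(mountpoints2, guids),
                     "first_install_local": first_install(log_text, dev["instance"])})
    return rows
```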

USB FORENSICS - AUTOMATED

• USBDeviceForensics
  – http://www.woanware.co.uk/forensics/usbdeviceforensics.html

SHELL BAGS

• Store user specific preferences for Windows Explorer.
• Shows browsing habits and knowledge of content by a user.
• Uncover evidence of a deleted folder structure.
• Registry Location:
  XP/Vista/7/8  USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
  XP/Vista/7/8  USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagsMRU
  XP/Vista/7/8  NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
  XP/Vista/7/8  NTUSER.DAT\Software\Microsoft\Windows\Shell\Bag
• The following changes will cause a ShellBag key to be updated:
  – Window Size
  – View Options
  – Viewing File in Thumbnail Format
  – Sorting Options

EXTRACTING SHELLBAGS

• sbag.exe
  – Download - https://www.tzworks.net/download_links.php
  – Info - https://www.tzworks.net/prototype_page.php?proto_id=14