![Page 1: CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)](https://reader034.vdocuments.us/reader034/viewer/2022042706/589dd1051a28abf45d8b622d/html5/thumbnails/1.jpg)
CNIT 121: Computer Forensics
12 Investigating Windows Systems (Part 2)
The Windows Registry
Purpose
• The registry contains configuration data for the Windows operating system and applications
• Many artifacts of great forensic value
Hive Files
• Binary files that store the Registry
• Five main registry hives in %SYSTEMROOT%\system32\config
  • SYSTEM, SECURITY, SOFTWARE, SAM, DEFAULT
• User-specific hive files in each user's profile directory
  • \Users\username\NTUSER.DAT
  • \Users\username\AppData\Local\Microsoft\Windows\USRCLASS.DAT
Windows Profiles
• Created the first time a user interactively logs on to a system (at the console or over Remote Desktop)
• Users who only authenticate over the network (for example to a file share) don't get a profile folder, so the absence of a profile does not prove an account was never used
Terms
• Keys: container nodes, arranged in a tree like folders; each key can hold subkeys and values
• Values: named entries stored under a key
• Data: the content of a value, tagged with a type such as REG_SZ, REG_DWORD, or REG_BINARY
The Five Root Keys
• HKEY_LOCAL_MACHINE (HKLM): the SYSTEM, SOFTWARE, SAM, and SECURITY hives, plus the volatile HARDWARE key
• HKEY_USERS (HKU): one subkey per loaded user hive, named by SID
• HKEY_CURRENT_USER (HKCU): a link to the HKU subkey of the logged-on user
• HKEY_CLASSES_ROOT (HKCR): a merged view of HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes
• HKEY_CURRENT_CONFIG (HKCC): a link to the current hardware profile under HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current
HKEY_USERS
• One subkey per loaded user hive, named by the account's SID, plus .DEFAULT; on Vista and later each user also has a SID_Classes subkey backed by USRCLASS.DAT
• S-1-5-18, S-1-5-19, and S-1-5-20 are LocalSystem, LocalService, and NetworkService
Virtual Key Paths
• Dynamically created in a running system
• Not visible in a captured hive file
• Examples: HKEY_CURRENT_USER (a link into HKEY_USERS\SID), HKLM\SYSTEM\CurrentControlSet (a link to the ControlSet00N selected by HKLM\SYSTEM\Select\Current), and HKLM\HARDWARE (built at boot and never written to disk)
Registry Timestamps
• Only one: LastWriteTime
• Stored on a key, not on a value
• Updated when any value directly under the key is added, removed, or changed, and when a subkey is created or deleted
• Not updated when values inside a subkey are modified, so a parent key's time says nothing about changes deeper in the tree
Example
• Run key: programs that launch when a user logs on
• The key carries a single LastWriteTime, so it cannot be determined when each of the three Run items shown on the slide was added, without other evidence
More Limitations
• Windows frequently updates the LastWriteTime for large swaths of registry keys
  • During updates, and sometimes even from a reboot
• Attackers cannot easily change registry timestamps, although a tool such as SetRegTime can do this
  • Link Ch 12o
Registry Reflection and Redirection
• 64-bit Windows runs 32-bit software through the WoW64 subsystem
• WoW64 redirects registry access by 32-bit programs to alternate keys, such as
  • HKLM\SOFTWARE\WoW6432Node (the 32-bit view of HKLM\SOFTWARE)
• So a 32-bit tool run on a live 64-bit system sees the 32-bit view by default and misses 64-bit-only keys (for example a 64-bit Run entry)
• A 32-bit process can still open the native view by passing the KEY_WOW64_64KEY access flag; parsing an offline hive file is not affected by redirection at all
Important Registry Keys
System Configuration Registry Keys
USBSTOR
• HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR lists every USB mass-storage device (thumb drives, external disks, card readers) that has been connected; other USB device classes are recorded under Enum\USB
• Each device has a subkey named from its vendor, product, and revision strings, with one instance subkey per device serial number; when a device reports no serial, Windows makes one up with an "&" as the second character, and such IDs do not identify the physical device
• A forensic examiner should look here first, to find out what other devices should be requested for discovery, by court order or search warrant
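The following Python is an added example, not code from the slides or from any tool they name. It parses a dictionary shaped like the USBSTOR subtree (so it works on data exported from an offline SYSTEM hive) and includes a live collector for a Windows host that also records each instance key's LastWriteTime. The device names, serials, and timestamp in the sample tree are constructed, not real evidence.

```python
"""Enumerate USB mass-storage history from Enum\\USBSTOR."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Device subkey names are built from the SCSI inquiry strings:
#   Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>
DEVICE_ID_RE = re.compile(
    r"^(?P<cls>[^&]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>[^&]*)$", re.I)
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100-ns ticks since 1601-01-01 UTC; key LastWriteTime uses this format."""
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


@dataclass
class UsbStorDevice:
    device_class: str
    vendor: str
    product: str
    revision: str
    serial: str
    serial_is_unique: bool          # False: Windows synthesised the ID, so it cannot identify the device
    friendly_name: Optional[str]
    last_write: Optional[datetime]  # LastWriteTime of the instance key


def serial_is_unique(instance_id: str) -> bool:
    # A device with no USB serial descriptor gets a host-generated instance ID
    # whose second character is '&' (e.g. 7&1a2b3c4d&0).
    return len(instance_id) > 1 and instance_id[1] != "&"


def parse_usbstor(tree: Dict[str, Dict[str, dict]]):
    """tree = {device_key: {instance_key: {value_name: data, ...}}}."""
    devices = []
    for dev_key, instances in tree.items():
        m = DEVICE_ID_RE.match(dev_key)
        if not m:
            continue
        for inst, values in instances.items():
            unique = serial_is_unique(inst)
            # "&0" after a real serial is the USB interface number, not part of the serial
            serial = inst.split("&")[0] if unique else inst
            lw = values.get("_LastWriteTime")
            devices.append(UsbStorDevice(
                m["cls"], m["ven"], m["prod"].replace("_", " "), m["rev"], serial, unique,
                values.get("FriendlyName"),
                filetime_to_datetime(lw) if lw is not None else None))
    return devices


def collect_live_usbstor() -> Dict[str, Dict[str, dict]]:
    """Walk the live hive (Windows only); winreg.QueryInfoKey exposes LastWriteTime."""
    import winreg
    tree: Dict[str, Dict[str, dict]] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Enum\USBSTOR") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            dev = winreg.EnumKey(root, i)
            tree[dev] = {}
            with winreg.OpenKey(root, dev) as dev_key:
                for j in range(winreg.QueryInfoKey(dev_key)[0]):
                    inst = winreg.EnumKey(dev_key, j)
                    with winreg.OpenKey(dev_key, inst) as inst_key:
                        _n_sub, n_val, last_write = winreg.QueryInfoKey(inst_key)
                        values = {"_LastWriteTime": last_write}
                        for k in range(n_val):
                            name, data, _type = winreg.EnumValue(inst_key, k)
                            values[name] = data
                    tree[dev][inst] = values
    return tree


# Constructed sample: one device with a real serial, one with a Windows-generated ID.
SAMPLE_USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.26": {
        "4C530001230412101234&0": {"FriendlyName": "SanDisk Cruzer Glide USB Device",
                                   "_LastWriteTime": 130705128000000000},
    },
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": {
        "7&1a2b3c4d&0": {"FriendlyName": "Generic Flash Disk USB Device"},
    },
}

if __name__ == "__main__":
    for d in parse_usbstor(SAMPLE_USBSTOR):
        print(d)
```

The instance key's LastWriteTime is only the last time Windows touched that key, so corroborate first-connection times with setupapi.dev.log and the MountedDevices key before putting a date in a report.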
Shim Cache
Shim Cache
• Also called "Application Compatibility Cache"
• Used to track special compatibility settings for executable files and scripts
• Stored in the SYSTEM hive as the AppCompatCache value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache (Windows 7 and later)
• May include this data:
Shim Cache
• Maintained in memory, written to the registry on shutdown, so a hive copied from a running system lags behind the live cache
• Maintains up to 1024 entries on Windows 7
  • More than Prefetch (128 on Windows 7 and earlier)
• An entry shows the file was present and inspected by the shim engine, not that it ran, so the cache includes apps that haven't executed yet
ShimCacheParser.py
• Mandiant's ShimCacheParser.py reads the AppCompatCache value from an offline SYSTEM hive or the live system and prints the entries in cache order
Common Auto-Run Registry Keys
Auto-Run Keys (Auto-Start Extensibility Points)
• Load programs on system boot, user login, and other conditions
• Commonly used by malware to attain persistence
• Windows provides hundreds of registry-based persistence mechanisms
• Some are still undocumented
Services
• Most common and widely used persistence mechanism
• Services run in the background
• Usually under one of these built-in service accounts
  • Local System (most powerful)
  • Network Service
  • Local Service
Services in the Registry
• Each service has its own subkey under
  • HKLM\SYSTEM\CurrentControlSet\Services\servicename
• Key values: ImagePath (what the Service Control Manager starts), Start (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled), Type (driver or Win32 service, own or shared process), and ObjectName (the account it runs as)
ServiceDll
• Most services are DLLs, not EXE files
• Their ImagePath is the shared host, svchost.exe -k groupname; the code that actually runs is named by the ServiceDll value under the service's Parameters subkey, so that is the path to examine
Service Control Manager
• services.exe
• Launches Windows services upon startup
• The command-line sc command (sc query, sc qc servicename, sc start, sc stop, sc create) lets you examine, start, stop, and create services
sc at the Command Line
Services GUI
One EXE Can Run Several Services
• svchost.exe hosts many DLL-based services at once, grouped by the -k group name on its command line
Run Keys
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (and RunOnce): run for every user who logs on
• HKEY_USERS\SID\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, stored in NTUSER.DAT (HKCU on a live system): run when that user logs on
• On 64-bit Windows there is also a 32-bit view under HKLM\SOFTWARE\WoW6432Node\Microsoft\Windows\CurrentVersion\Run
Active Setup
• HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components, with subkeys named by GUIDs (long random-looking numbers)
• Malware authors often re-use GUIDs, so Googling them can be useful
• StubPath points to an executable that runs at the next logon of each user, before the shell loads; Windows then copies the GUID under HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components so it runs once per user
AppInit_DLLs
• The AppInit_DLLs value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows lists DLLs that are automatically loaded whenever a user-mode app linked to user32.dll is launched
• Almost every app uses user32 to draw windows, etc. (link Ch 12p)
• Since Windows 7 the LoadAppInit_DLLs value in the same key must be non-zero for this to work, and on Windows 8 and later with Secure Boot enabled the mechanism is disabled entirely
LSA (Local Security Authority) Packages
• The Authentication Packages, Notification Packages, and Security Packages values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa name DLLs that lsass.exe loads on startup
• Intended for authentication packages, but can be used to launch malware; a DLL loaded this way runs as SYSTEM inside the process that handles credentials
Browser Helper Objects (BHOs)
• Add-ons or plug-ins for Internet Explorer
• Such as toolbars, adware, scareware
• Registered by CLSID under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects; the DLL path is found by looking up that CLSID under HKCR\CLSID
Shell Extensions
• Like Browser Helper Objects, but for Windows Explorer
• Add context items when right-clicking a file
Winlogon Shell
• The Shell value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon names the shell that loads when a user logs on
• Normally set to explorer.exe
• Can be set to any executable file, or a comma-separated list, so an attacker's program starts alongside Explorer
Winlogon Userinit
• The Userinit value in the same Winlogon key, normally C:\Windows\system32\userinit.exe, (with a trailing comma)
• userinit.exe loads logon and group policy scripts, other auto-runs, and the Explorer shell
• Attackers can append additional executables to this comma-separated value
Identifying Malicious Auto-Runs
• Eye-ball it, looking for suspicious files or paths, spelling errors, broken English, etc.
• Risky; real commercial software is often sloppily made, and some attackers are careful
• Next slide: which item is malicious?
• Choices A, B, C, and D are shown on the slide image
Recommended Steps
1. Exclude persistent binaries signed by trusted publishers (but not all signed binaries)
2. Exclude persistent items created outside the time window of interest
3. Examine paths of remaining persistent binaries
  • Attackers tend to use Temp folders or common directories within %SYSTEMROOT%
  • Not deeply nested subdirectories specific to obscure third-party applications
4. Research MD5 (or SHA-256) hashes for remaining persistent binaries on VirusTotal, Bit9, etc.
5. Compare remaining unknowns against a known "gold image" used to install the systems
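The Python below is an added example, not code from the slides or any tool they mention. It applies steps 1 through 4 to persistence records of the kinds covered earlier (service ImagePath and ServiceDll values, Run entries, Winlogon Shell and Userinit) as a collector such as RegRipper or an AutoRuns export would hand them over. The SYSTEMROOT path, the allow-list of trusted signers, the time window, and the entries themselves are constructed assumptions; the first sample entry mirrors the real Windows Update service, the rest are fictional.

```python
"""Triage persistence entries following the Recommended Steps above."""
import hashlib
import ntpath
import os
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

SYSTEMROOT = r"C:\Windows"                                        # assumption; read it from the SYSTEM hive
TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Corporation"}  # assumed allow-list for step 1
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = r"C:\Windows\system32\userinit.exe"

@dataclass
class AutoRun:
    source: str                              # where found, e.g. "Services\updsvc" or "Winlogon\Userinit"
    raw: str                                 # ImagePath / Run / Userinit value exactly as stored
    service_dll: Optional[str] = None        # Parameters\ServiceDll for svchost-hosted services
    signer: Optional[str] = None             # Authenticode signer; None = unsigned or invalid
    key_written: Optional[datetime] = None   # LastWriteTime of the key holding the entry

def normalize_image_path(raw: str) -> str:
    """Reduce a command line as stored in the registry to the executable's full path."""
    p = raw.strip()
    if p.startswith('"'):
        p = p[1:p.index('"', 1)]
    else:  # unquoted: keep everything up to the first executable extension
        m = re.match(r"(.*?\.(?:exe|dll|sys|cmd|bat))(?=\s|,|$)", p, re.I)
        p = m.group(1) if m else p.split()[0]
    p = re.sub(r"^\\\?\?\\", "", p)                                                  # NT prefix \??\
    p = re.sub(r"^(\\SystemRoot|%SystemRoot%|%windir%)", lambda _m: SYSTEMROOT, p, flags=re.I)
    if re.match(r"^(system32|syswow64)\\", p, re.I):                                 # driver-style relative path
        p = SYSTEMROOT + "\\" + p
    return p

def effective_binary(entry: AutoRun) -> str:
    """For svchost-hosted services the code that runs is ServiceDll, not svchost.exe."""
    exe = normalize_image_path(entry.raw)
    if ntpath.basename(exe).lower() == "svchost.exe" and entry.service_dll:
        return normalize_image_path(entry.service_dll)
    return exe

def winlogon_extras(entry: AutoRun) -> List[str]:
    """Executables appended to Winlogon Shell or Userinit beyond the expected one."""
    expected = EXPECTED_USERINIT if entry.source.lower().endswith("userinit") else EXPECTED_SHELL
    parts = [normalize_image_path(p) for p in entry.raw.split(",") if p.strip()]
    return [p for p in parts if p.lower() != expected.lower()]

def location_score(path: str):
    """Step 3: Temp and common %SYSTEMROOT% directories rank high, deep third-party trees low."""
    low = path.lower()
    root = SYSTEMROOT.lower() + "\\"
    if re.search(r"\\(temp|tmp)\\", low):
        return 3, "Temp folder"
    if low.startswith(root):
        depth = low[len(root):].count("\\")   # 1 = system32\x, 2 = system32\drivers\x
        return (2, "common %SYSTEMROOT% directory") if depth <= 2 else (1, "nested under %SYSTEMROOT%")
    if low.startswith(r"c:\program files") and low.count("\\") >= 4:
        return 0, "deeply nested third-party directory"
    return 1, "other location"

def hash_file(path: str) -> Optional[Dict[str, str]]:
    """Step 4: hashes for VirusTotal and similar lookups (None if the file is not reachable here)."""
    if not os.path.isfile(path):
        return None
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def triage(entries: List[AutoRun], window_start: datetime, window_end: datetime) -> List[dict]:
    findings = []
    for e in entries:
        if e.signer in TRUSTED_SIGNERS:                                                 # step 1
            continue
        if e.key_written and not (window_start <= e.key_written <= window_end):        # step 2
            continue
        targets = winlogon_extras(e) if "winlogon\\" in e.source.lower() else [effective_binary(e)]
        for t in targets:
            score, why = location_score(t)
            findings.append({"source": e.source, "binary": t, "score": score, "reason": why,
                             "hashes": hash_file(t)})
    return sorted(findings, key=lambda f: -f["score"])   # survivors go on to step 5, the gold-image diff

# Constructed sample entries
WINDOW = (datetime(2015, 3, 1, tzinfo=timezone.utc), datetime(2015, 3, 31, tzinfo=timezone.utc))
SAMPLE_ENTRIES = [
    AutoRun("Services\\wuauserv", r"%SystemRoot%\system32\svchost.exe -k netsvcs",
            service_dll=r"%SystemRoot%\System32\wuaueng.dll", signer="Microsoft Windows",
            key_written=datetime(2015, 3, 10, tzinfo=timezone.utc)),
    AutoRun("Services\\updsvc", r"\??\C:\Users\bob\AppData\Local\Temp\updsvc.exe /start",
            key_written=datetime(2015, 3, 12, tzinfo=timezone.utc)),
    AutoRun("Run\\VendorAgent", r'"C:\Program Files\Vendor\Product\bin\agent.exe" -tray',
            signer="Vendor Inc", key_written=datetime(2014, 11, 2, tzinfo=timezone.utc)),
    AutoRun("Winlogon\\Userinit", r"C:\Windows\system32\userinit.exe,C:\Windows\system32\lsasvc.exe,",
            key_written=datetime(2015, 3, 12, 4, 0, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES, *WINDOW):
        print(f"{f['score']} {f['source']:20} {f['binary']}  ({f['reason']})")
```

Two things the code makes explicit that are easy to get wrong by eye: an svchost-hosted service is judged by its ServiceDll, never by svchost.exe itself, and the time-window filter uses the key's LastWriteTime, which (as noted under Registry Timestamps) can be refreshed wholesale by an update, so a "recent" entry still deserves a look at the binary's own file times.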
Tools
• Sysinternals AutoRuns
• Mandiant Redline
Signed Malware
• Attackers have been stealing code-signing certificates and signing malware with them, so a valid signature from an unfamiliar publisher is not proof of legitimacy
• Also, not all legitimate persistent files, even Windows components, are signed
• Sometimes updates remove signatures
User Hive Registry Keys
Personalization
• User hive registry keys contain personalization settings for each user
• First priority: compromised accounts
  • Acquire NTUSER.DAT and USRCLASS.DAT
• Check machine accounts too, such as NetworkService and LocalSystem
  • Their hives (under %SYSTEMROOT%\ServiceProfiles and %SYSTEMROOT%\system32\config\systemprofile) may also contain evidence, because malware running as a service writes to them
Most Helpful User-Specific Keys
• Shellbags
• UserAssist
• MUICache
• Most Recently Used (MRU)
• TypedURLs
• TypedPaths
Shellbags
• Used to remember size, position, and view settings of Explorer windows, one record per folder the user browsed
• Stored under Software\Microsoft\Windows\Shell\BagMRU and Bags in NTUSER.DAT, and on Windows 7 and later also under Local Settings\Software\Microsoft\Windows\Shell\BagMRU in USRCLASS.DAT
• Persist even if a directory is deleted, including folders on removable media and network shares
Example Shellbags
• Link Ch 12q
UserAssist
• Tracks applications a user has launched through the Windows Explorer shell
• Stored in NTUSER.DAT under Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
UserAssist v. Prefetch
• UserAssist only tracks items opened via Explorer
  • Including from the Run box and Start menu
  • But not from the command prompt
• Prefetch files don't identify which user executed a program
Obfuscated with ROT13
• Value names are the program path encoded with ROT13, so they look like gibberish in a registry editor but decode trivially
• The binary data holds a run count and the last-execution FILETIME; Windows 7 and later add a focus count and focus time
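The Python below is an added example, not code from the slides or from the UserAssist utility listed later. It decodes the ROT13 value names and parses both documented data layouts, the 16-byte XP/Vista record and the 72-byte Windows 7 record. The two Count-subkey GUIDs are the real Windows 7 ones; the value names and byte strings in the sample are constructed to match those layouts and are not real evidence.

```python
"""Decode UserAssist entries: ROT13 value names plus the binary counters."""
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Windows 7 and later keep two Count subkeys under ...\Explorer\UserAssist\{GUID}\Count:
GUID_EXECUTABLES = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"   # programs run directly
GUID_SHORTCUTS = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"     # programs run via .lnk shortcuts


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    return None if ft == 0 else WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return (dt - WINDOWS_EPOCH) // timedelta(microseconds=1) * 10


def decode_name(value_name: str) -> str:
    """Explorer stores the path under ROT13; only ASCII letters are rotated."""
    return codecs.decode(value_name, "rot_13")


def parse_userassist_data(data: bytes) -> dict:
    """Two layouts: XP/Vista use 16 bytes, Windows 7 and later use 72 bytes."""
    if len(data) == 16:
        session, count, ft = struct.unpack("<IIQ", data)
        return {"layout": "xp", "session": session,
                "run_count": max(count - 5, 0),        # XP counters start at 5
                "last_run": filetime_to_datetime(ft)}
    if len(data) >= 72:
        session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
        ft = struct.unpack_from("<Q", data, 60)[0]     # last execution time sits at offset 60
        return {"layout": "win7", "session": session, "run_count": run_count,
                "focus_count": focus_count, "focus_time": timedelta(milliseconds=focus_ms),
                "last_run": filetime_to_datetime(ft)}
    raise ValueError(f"unexpected UserAssist value length {len(data)}")


def parse_count_key(values: dict) -> list:
    """values = {rot13_name: bytes} from one Count subkey; skips the UEME_CTLSESSION bookkeeping entry."""
    out = []
    for name, data in values.items():
        plain = decode_name(name)
        if plain.startswith("UEME_CTLSESSION"):
            continue
        out.append({"name": plain, **parse_userassist_data(data)})
    return sorted(out, key=lambda e: e["last_run"] or WINDOWS_EPOCH, reverse=True)


def win7_blob(run_count: int, focus_count: int, focus_ms: int, last_run: datetime) -> bytes:
    """Build a 72-byte Windows 7 record for the sample (offsets 16..59 and 68..71 left zero)."""
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_ms) + b"\x00" * 44
            + struct.pack("<Q", datetime_to_filetime(last_run)) + b"\x00" * 4)


# Constructed sample. {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7} is the known-folder GUID
# for System32, which is how UserAssist abbreviates that directory.
SAMPLE_COUNT = {
    "HRZR_PGYFRFFVBA": b"\x00" * 16,   # UEME_CTLSESSION housekeeping entry
    "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr":
        win7_blob(3, 7, 120000, datetime(2015, 3, 11, 2, 0, tzinfo=timezone.utc)),
    "P:\\Hfref\\obo\\Qbjaybnqf\\vafgnyy.rkr":
        win7_blob(1, 1, 2500, datetime(2015, 3, 12, 4, 30, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    for e in parse_count_key(SAMPLE_COUNT):
        print(e["last_run"], e["run_count"], e["name"])
```

The FILETIME is UTC; convert to the system's local zone (from the SYSTEM hive's TimeZoneInformation key) only when you present it, not when you store it.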
MUICache
• Another list of programs executed by a user, keyed by full path, with the program's FileDescription resource string as the data
• Stored in USRCLASS.DAT under Local Settings\Software\Microsoft\Windows\Shell\MuiCache (Vista and later) or in NTUSER.DAT under Software\Microsoft\Windows\ShellNoRoam\MUICache (XP)
• No per-entry timestamps, so it shows that a program ran, not when
Most Recently Used (MRU) Keys
• Used by many applications
• No standard registry path or value naming convention
MRU-Blaster
• An anti-forensics tool that clears the MRU lists (link Ch 12r); finding it installed is itself worth noting
Explorer Open and Save MRU
• Files chosen in the common Open and Save dialogs, under Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU (OpenSaveMRU on XP); LastVisitedPidlMRU in the same key records which program used the dialog and the folder it last showed
• RegRipper can find the data
Start Menu Run MRU
• Programs recently launched from the Run box, under Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
• Human-readable: one lettered value per command, with the MRUList value giving the order, most recent first
RecentDocs
• Recently opened documents (any file extension), under Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs with a subkey per extension
• Each numbered value is binary (the file name in UTF-16 followed by a shell item) and the MRUListEx value gives the order, most recent first
• Used to populate the Recent items list and the File menu of various applications
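The Python below is an added example, not code from the slides or from RegRipper. It recovers the file names and their most-recent-first order from a RecentDocs key, including the per-extension subkeys, and tolerates an index that MRUListEx still references after the value itself was deleted. The sample values are constructed; their trailing shell-item bytes are a stand-in that the parser ignores.

```python
"""Recover RecentDocs entries in MRUListEx order."""
import struct
from typing import Dict, List


def parse_mrulistex(data: bytes) -> List[int]:
    """Little-endian DWORD indices, most recent first, terminated by 0xFFFFFFFF; a stray partial DWORD is ignored."""
    order = []
    for (idx,) in struct.iter_unpack("<I", data[: len(data) - len(data) % 4]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def utf16z(data: bytes, offset: int = 0) -> str:
    """Read a null-terminated UTF-16LE string; the terminator must sit on a 2-byte boundary."""
    for i in range(offset, len(data) - 1, 2):
        if data[i] == 0 and data[i + 1] == 0:
            return data[offset:i].decode("utf-16-le")
    raise ValueError("unterminated UTF-16 string")


def parse_recentdocs_key(values: Dict[str, bytes]) -> List[str]:
    """values = {name: data} of one RecentDocs (sub)key; returns file names most-recent-first."""
    names = []
    for idx in parse_mrulistex(values.get("MRUListEx", b"")):
        data = values.get(str(idx))
        if data is None:              # listed in MRUListEx but the value is gone: record the gap
            names.append(f"<missing #{idx}>")
            continue
        names.append(utf16z(data))    # the shell item after the name is not needed here
    return names


def parse_recentdocs(tree: Dict[str, Dict[str, bytes]]) -> Dict[str, List[str]]:
    """tree = {"": root key values, ".docx": values, "Folder": values, ...}."""
    return {ext: parse_recentdocs_key(vals) for ext, vals in tree.items()}


def make_entry(name: str) -> bytes:
    """Constructed value: UTF-16LE name + terminator + a fake shell-item tail."""
    return (name.encode("utf-16-le") + b"\x00\x00"
            + b"\x14\x00\x32\x00" + name.encode("ascii", "replace")[:8] + b"\x00")


SAMPLE_RECENTDOCS = {
    "": {
        "MRUListEx": struct.pack("<IIII", 2, 0, 1, 0xFFFFFFFF),
        "0": make_entry("budget.xlsx"),
        "1": make_entry("notes.txt"),
        "2": make_entry("passwords.docx"),
    },
    ".docx": {
        "MRUListEx": struct.pack("<III", 0, 1, 0xFFFFFFFF),
        "0": make_entry("passwords.docx"),
        # value "1" removed (by the user or a cleaner) but still referenced
    },
}

if __name__ == "__main__":
    for ext, names in parse_recentdocs(SAMPLE_RECENTDOCS).items():
        print(ext or "(all)", names)
```

Only the key's LastWriteTime dates the list, and it reflects the most recent addition; the same MRUListEx handling works for OpenSavePidlMRU and LastVisitedPidlMRU, which use the same index array.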
Internet Explorer TypedURLs & TypedPaths
• TypedURLs: Software\Microsoft\Internet Explorer\TypedURLs, values url1, url2, ... with the most recent first; Internet Explorer 10 and later add a TypedURLsTime key holding a FILETIME per entry
• TypedPaths: Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths, paths typed into the Explorer address bar
Proves Intent
• User typed (or pasted) these URLs into the address bar
• Didn't just click a link
Remote Desktop MRU
• Remote Desktop is used to remotely control Windows machines
• The client keeps a history of recent connections and configuration data under Software\Microsoft\Terminal Server Client: the Default subkey lists recent hosts (MRU0, MRU1, ...) and the Servers subkey holds a UsernameHint per host
• May tell you where a user connected and who they attempted to log in as
Registry Analysis Tools
All-In-One Tools
• RegRipper (link Ch 10m)
• Windows Registry Decoder (link Ch 12s)
• AutoRuns
• Redline
Single-Purpose Utilities
• ShimCacheParser
• Shellbags.py
• sbag
• UserAssist
• Nirsoft Registry Analysis Tools