Introduction: ACCESSDATA® FORENSICS (Forensic Analysis, Incident Response, eDiscovery, Information Assurance): Windows 7 Registry Artifacts

Upload: kevin-chester-nichols

Post on 11-Jan-2016


Page 1: Title slide

Introduction

ACCESSDATA® FORENSICS

Forensic Analysis, Incident Response, eDiscovery, Information Assurance

Windows 7 Registry Artifacts

Page 2: Module Objectives

• Registry files of forensic importance
  – NTUSER.DAT
  – SAM
  – SYSTEM
  – SOFTWARE
  – SECURITY

Page 3: NTUSER.DAT – Typed URLs

• Addresses either typed or copied into the browser address bar
• Tracks up to the last 25 entered
• Last one entered is on top

Page 4: MRUs – Recent Docs

• Stored by extension
• Stores the last 10 of each extension type (0-9)
• Creates a new extension subkey for a new file type

Page 5: MRUs – ComDlg32

• Windows 7 displays 5 subkey sets:
  • CIDSizeMRU
  • FirstFolder
  • LastVisitedPidlMRU
  • LastVisitedPidlMRULegacy
  • OpenSavePidlMRU

Page 6: ComDlg32 – CIDSizeMRU

• This subkey tracks applications globally
• 592-byte values
• Little data beyond the application name/extension

Page 7: ComDlg32 – FirstFolder

• Tracks the general install location of applications
• In some instances, will point to a user location

Page 8: ComDlg32 – LastVisitedPidlMRU

Example entry shown on the slide (application name paired with the folder it last visited): Registry Viewer.exe: J:\ _WIN7 3 Day\test regback

Page 9: LastVisitedPidlMRULegacy

• Windows Legacy: the Legacy subkey tracks 32-bit application data

Page 10: MRUs – ComDlg32

• Stored by extension
• Stores the last 20 (0-19)
• Creates a new extension subkey for a new file type

Note: The MRU list is stored in hex while the value name is in decimal

Page 11: ComDlg32 – OpenSavePidlMRU

It makes a difference to these values where the document was stored: external drives show the drive letter at offset 23

Page 12: ComDlg32 – OpenSavePidlMRU

User-created locations are also displayed at offset 23. However, known paths to Windows are not displayed.

Slide example: this file was stored at My Documents

Page 13: ComDlg32 – OpenSavePidlMRU

Slide example 1: this was a document on the “Desktop”. It archives the path statement from there without identifying the Desktop origins.

Slide example 2: this was in “My Documents”, and the 12,560-byte value identifies the full path at the end.

Page 14: Pointer to an Item Identifier List

• PIDL – Pointer to an Item Identifier List
• MS has virtual or “shell” folders:
  • My Computer
  • My Documents
• Stored with a series of values (Item IDs, one per object) rather than a path, as they don’t exist in the file system

[Figure: PIDL layout, contrasting Shell Folders with User Created Folders]

Page 15: MRUs – RunMRUs

• Stored commands from the Run box
• Stores the last 10 (a-j)
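The two MRU ordering schemes above (the binary MRUListEx of the ComDlg32 keys on Page 10, where the list is hex and the value names are decimal, and the letter-based MRUList of RunMRU) decoded in one place. This is an added example, not AccessData's code; the sample values are constructed, and the assumption that RunMRU commands carry a trailing "\1" is noted in the code.

```python
import struct

def parse_mrulistex(data):
    """Decode a binary MRUListEx value such as the one under each OpenSavePidlMRU extension subkey:
    little-endian 32-bit integers, most recent first, terminated by 0xFFFFFFFF. Each integer is
    the decimal name of the value holding that entry (the list is hex, the value names decimal)."""
    if len(data) % 4:
        raise ValueError(f"MRUListEx length {len(data)} is not a multiple of 4")
    order = []
    for (n,) in struct.iter_unpack("<I", data):
        if n == 0xFFFFFFFF:
            return order
        order.append(str(n))
    raise ValueError("MRUListEx has no 0xFFFFFFFF terminator")

def parse_mrulist(text):
    """Decode a legacy REG_SZ MRUList such as RunMRU's: one letter per entry, most recent first,
    each letter naming the value ("a".."j") that holds the command."""
    if not text.isalpha() or not text.islower():
        raise ValueError(f"unexpected MRUList contents: {text!r}")
    return list(text)

def ordered_entries(order, values):
    """Pair each name in MRU order with its value; a missing value is reported as None so a list
    that still references a deleted value is not silently skipped."""
    return [(name, values.get(name)) for name in order]

def run_mru_commands(values):
    """RunMRU: return (value name, command) most recent first. Assumption: stored commands carry
    a trailing '\\1' (e.g. 'cmd\\1'), which is stripped here."""
    rows = []
    for name, cmd in ordered_entries(parse_mrulist(values["MRUList"]), values):
        rows.append((name, None if cmd is None else (cmd[:-2] if cmd.endswith("\\1") else cmd)))
    return rows

# Constructed samples, not taken from a real hive.
OPENSAVE_DOCX = {
    "MRUListEx": bytes.fromhex("05000000 00000000 03000000 ffffffff"),  # order: 5, 0, 3
    "0": b"<pidl for oldest.docx>",
    "3": b"<pidl for middle.docx>",
    "5": b"<pidl for newest.docx>",
}
RUN_MRU = {"MRUList": "cab", "a": "cmd\\1", "b": "notepad\\1", "c": "regedit\\1"}

if __name__ == "__main__":
    print(ordered_entries(parse_mrulistex(OPENSAVE_DOCX["MRUListEx"]), OPENSAVE_DOCX))
    print(run_mru_commands(RUN_MRU))
```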

Page 16: MRUs – MS Office 2007 / 2010

• File MRU in Office 2007 records 50 of the last accessed docs
• Functional in Excel, PowerPoint, and Word (2010 includes Access)

Page 17: MRUs – MS Office 2007 / 2010

• Office 2007 has a date / time identifier in the MRU
• 64-bit Windows date / time stamp identifying:
  • Excel – last opened by user
  • PowerPoint – last saved by user
  • Word – last opened by user

Note: This date stamp is stored in Unicode and in a big-endian format. Registry Viewer currently does not have a converter that can read the values.

Page 18: MRUs – MS Office 2007 / 2010

Copy and decode the format to view the date / time of save

Page 19: Windows 7 – Start > Searches

Page 20: Windows 7 – Start > Searches

• Set the folders to index at: Control Panel > Indexing Options
• Registry WorkingSetRules displays both default and user-created index locations

Page 21: TypedPaths – Windows Explorer

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths

Page 22: Windows 7 – UserAssist

• Different GUIDs from previous versions:
  – CEBFF5CD-ACE2-4F4F-9178-9926F41749EA
  – F4E57C4B-2036-45F0-A9AB-443BCFE33D9F
• GUIDs also used to identify paths
• Offsets have changed:
  – Number of application launches
  – Last date/time launched
• Session ID has been removed
• The count value now starts at “1” instead of “5”

Page 23: Windows 7 – UserAssist

• Different GUIDs for the Count subkeys
• ROT13 encryption
• Date and time of last launch – offsets 60-67
• Number of launches – offsets 4-7
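A decoder for the Windows 7 UserAssist layout described on the two slides above: ROT13 value names, launch count at offsets 4-7 and last-launch FILETIME at offsets 60-67. This is an added example, not AccessData's code; the value name and 72-byte value are constructed for the example.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """64-bit Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def decode_userassist_name(value_name):
    """Value names under the Count subkeys are ROT13 encoded; digits and punctuation pass through,
    so the GUID prefix only changes in its hex letters."""
    return codecs.decode(value_name, "rot_13")

def parse_userassist_value(data):
    """Windows 7 Count value: launch count at offsets 4-7, last-launch FILETIME at 60-67, both
    little endian. The Windows 7 count starts at 1, so no adjustment is applied.
    Returns (launch_count, last_launch_utc); last_launch_utc is None when the timestamp is zero."""
    if len(data) < 68:
        raise ValueError(f"Windows 7 UserAssist value shorter than 68 bytes: {len(data)}")
    launch_count = struct.unpack_from("<I", data, 4)[0]
    ft = struct.unpack_from("<Q", data, 60)[0]
    return launch_count, (filetime_to_datetime(ft) if ft else None)

# Constructed sample (not from a real hive): the ROT13 form of
# {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Notepad.lnk and a 72-byte value with count 7.
SAMPLE_NAME = r"{PROSS5PQ-NPR2-4S4S-9178-9926S41749RN}\Abgrcnq.yax"
SAMPLE_LAST_RUN = datetime(2011, 1, 19, 21, 34, 37, tzinfo=timezone.utc)
SAMPLE_VALUE = (b"\x00" * 4 + struct.pack("<I", 7) + b"\x00" * 52
                + struct.pack("<Q", datetime_to_filetime(SAMPLE_LAST_RUN)) + b"\x00" * 4)

def describe_sample():
    name = decode_userassist_name(SAMPLE_NAME)
    count, last_run = parse_userassist_value(SAMPLE_VALUE)
    return name, count, last_run

if __name__ == "__main__":
    name, count, last_run = describe_sample()
    print(f"{name}: launched {count} times, last at {last_run:%Y-%m-%d %H:%M:%S} UTC")
```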

Page 24: Protected Storage

• Storage1 – Queries and form data
• Storage2 – Stored logon passwords

Page 25: Protected Storage

• Encrypted using the Windows DPAPI (Data Protection Application Programming Interface)
• Cryptographic system uses:
  – User’s logon password
  – Protect folder
  – URL or query header

Page 26: Cracking Protected Storage DPAPI

• Export from image:
  • NTUSER.DAT of suspect (stored encrypted data)
  • SAM and SYSTEM files (for logon password)
  • Low History index.dat file (for website passwords)
  • User’s Protect folder (DPAPI encryption keys)
• Attack user’s logon password:
  • Dropping the SAM file into PRTK
  • Point PRTK to the SYSTEM file
  • Create an empty text file to parse results to

Page 27: Cracking Protected Storage DPAPI

[Figure: NTUSER.DAT Protected Storage attack in PRTK, with inputs Protect Folder, Logon Password and index.dat History, and output Results - Text File]

Page 28: UsrClass.dat - MuiCache

[Figure: MuiCache location compared between Windows 7 and Windows XP]

Page 29: D&T Synch via Internet – File Sys

Page 30: D&T Synch via Internet - Registry

SYSTEM\ControlSet###\services\W32Time\Parameters / Type

• Type = NTP (enabled)
• Type = NoSync (disabled)

Page 31: Transition to 64-bit Windows

• Requires 32-bit backwards compatibility
• Requires a few tricks to run 32-bit apps
• File system: 32-bit utilities are here:
  • Windows\SysWOW64
  • System32 contains 64-bit utilities
• Registry: 32-bit keysets are here:
  • Wow6432Node, located in these files:
    • NTUSER.DAT
    • SOFTWARE

Page 32: SAM – Multiple Profile Issues

0x000003F6 = 1014 decimal

Page 33: SAM File Information

• Resolution of SID to user
• User profiles/names
• Password hint
• User tile (user icon)

Page 34: SAM File – F Value Properties

F value:
• RID – offsets 48-49
• Last logon time – offsets 8-15
• Logon count – offsets 66-67
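The F value offsets from the slide read out in code, together with the hex RID subkey naming from Page 32. This is an added example, not AccessData's code; the F value is constructed (zero-filled apart from the three fields), and the 16-bit RID read at 48-49 follows the slide's offsets.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """64-bit FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_sam_f_value(data):
    """Pull the fields the slide calls out from a SAM\\SAM\\Domains\\Account\\Users\\<RID> F value:
    last logon FILETIME at offsets 8-15, RID at 48-49 and logon count at 66-67 (little endian)."""
    if len(data) < 68:
        raise ValueError(f"F value too short for the logon count field: {len(data)} bytes")
    last_logon_ft = struct.unpack_from("<Q", data, 8)[0]
    rid = struct.unpack_from("<H", data, 48)[0]
    logon_count = struct.unpack_from("<H", data, 66)[0]
    return {
        "rid": rid,
        # The Users subkey is named by the RID as 8 hex digits, e.g. 000003F6 for RID 1014.
        "users_subkey": f"{rid:08X}",
        # A zero FILETIME means the account has never logged on interactively.
        "last_logon_utc": filetime_to_datetime(last_logon_ft) if last_logon_ft else None,
        "logon_count": logon_count,
    }

def build_sample_f_value(rid, logon_count, last_logon):
    """Constructed sample for this example (not a real hive value): an 80-byte F value that is
    zero except for the three fields above."""
    data = bytearray(80)
    if last_logon is not None:
        ft = int((last_logon - FILETIME_EPOCH).total_seconds()) * 10_000_000
        struct.pack_into("<Q", data, 8, ft)
    struct.pack_into("<H", data, 48, rid)
    struct.pack_into("<H", data, 66, logon_count)
    return bytes(data)

SAMPLE_LAST_LOGON = datetime(2011, 1, 19, 21, 34, 37, tzinfo=timezone.utc)
SAMPLE_F = build_sample_f_value(1014, 12, SAMPLE_LAST_LOGON)

if __name__ == "__main__":
    info = parse_sam_f_value(SAMPLE_F)
    print(f"RID {info['rid']} (subkey {info['users_subkey']}): "
          f"{info['logon_count']} logons, last {info['last_logon_utc']}")
```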

Page 35: SAM File – V Value Properties

V value:
• User name
• User full name
• Description

Page 36: SAM File – Groups

• Administrative tool used to assign rights to a collection of users
• Custom groups are located at:
  – SAM\SAM\Domains\Account\Aliases

Useful in corporate investigations to see if a person had specific rights to accomplish a task, or to determine missing RIDs.

[Figure: RIDs shown as hex subkey names and in decimal]
Hex:     1F4, 1F5, 3E8, 3E9, 3EA, 3EB, 3EC, 3ED
Decimal: 500, 501, 1000, 1001, 1002, 1003, 1004, 1005

Page 37: SYSTEM File

• Computer name
• Mounted devices
• Time zone information
• Last accessed date / time

Page 38: ComputerName Subkey

Change of computer name: upon reboot, both values (ComputerName and ActiveComputerName) will change

Page 39: SYSTEM File – MountedDevices

• Tracking HDDs in the image

Slide example: the current partition on the physical F drive. The persistent value remains even if the F drive is overwritten.

Page 40: SYSTEM File - MountedDevices

The drive ID listed in MountedDevices is stored in the MBR at offset 440

Page 41: SYSTEM File – Time Zone Info

• 0 = Automatic adjustment for daylight time is turned ON
• 1 = Automatic adjustment for daylight time is turned OFF

Page 42: SYSTEM File – Last Access Date

[Figure: SYSTEM registry file]

Page 43: Last Access Date/Time

• 1 = Updating disabled - default
• 0 = Updating enabled – changed by user

Page 44: SOFTWARE File

• Registered owner
• Operating system type
• Operating system installation date/time

Page 45: Last Logged On User

• Last logged on user

Microsoft\Windows\CurrentVersion\Authentication\LogonUI

Values shown: computer name, user name. Records the last written time as the system powers down.

Page 46: Wireless in Windows 7

\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\<guid>

SSID – Service Set Identifier

Category: 0 = Public, 1 = Home, 2 = Work
Managed: 0 = Unmanaged, 1 = Managed

Page 47: Date and Time Translation

Sample value: D7 07 06 00 04 00 0E 00 10 00 1B 00 2A 00 AB 00

Bytes   Field          Value
D7 07   Year           2007
06 00   Month          June
04 00   Day of week    Thursday
0E 00   Day of month   14th
10 00   Hour           16
1B 00   Minutes        27
2A 00   Seconds        42

NOTE: The time is displayed in local time to the machine. Day of week: 0=Sunday, 1=Monday, 2=Tuesday, etc.
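The translation above in code, with a consistency check a practitioner would want: the stored day-of-week is compared against the calendar date, so a tampered or corrupted value shows up. This is an added example, not AccessData's; it relies on the layout being the Windows SYSTEMTIME structure (eight little-endian 16-bit words), whose eighth word, AB 00 in the sample and not labelled on the slide, is milliseconds.

```python
import struct
from datetime import datetime

DAY_NAMES = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]

def parse_systemtime(data):
    """Decode the 16-byte DateCreated / DateLastConnected value under NetworkList\\Profiles\\<guid>.
    Layout (Windows SYSTEMTIME): year, month, day of week, day of month, hour, minute, second,
    milliseconds, each a little-endian 16-bit word.
    Returns (naive local datetime, stored day-of-week name, day-of-week-consistent flag)."""
    if len(data) != 16:
        raise ValueError(f"SYSTEMTIME must be 16 bytes, got {len(data)}")
    year, month, dow, day, hour, minute, second, ms = struct.unpack("<8H", data)
    if dow > 6:
        raise ValueError(f"day of week {dow} out of range 0-6")
    # The value is machine-local time, not UTC, so no tzinfo is attached.
    dt = datetime(year, month, day, hour, minute, second, ms * 1000)
    # datetime.weekday() counts Monday=0; SYSTEMTIME counts Sunday=0, hence the shift.
    consistent = (dt.weekday() + 1) % 7 == dow
    return dt, DAY_NAMES[dow], consistent

# The slide's sample bytes (2007-06-14 16:27:42, a Thursday).
SLIDE_SAMPLE = bytes.fromhex("D7 07 06 00 04 00 0E 00 10 00 1B 00 2A 00 AB 00")
# Constructed variant with the day-of-week word altered to 5 (Friday): the date no longer agrees.
TAMPERED_SAMPLE = bytes.fromhex("D7 07 06 00 05 00 0E 00 10 00 1B 00 2A 00 AB 00")

def decode_profile_times(values):
    """Render a profile's DateCreated / DateLastConnected pair in the slide's MM/DD/YYYY HH:MM:SS form."""
    return {name: parse_systemtime(raw)[0].strftime("%m/%d/%Y %H:%M:%S") for name, raw in values.items()}

if __name__ == "__main__":
    dt, dow, ok = parse_systemtime(SLIDE_SAMPLE)
    print(f"{dow} {dt:%Y-%m-%d %H:%M:%S}.{dt.microsecond // 1000:03d} local, consistent: {ok}")
```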

Page 48: Managed versus Unmanaged

• ProfileName
• Managed: remote server
• Unmanaged: wireless router
• MAC address of the remote system’s gateway

Page 49: MAC Address

Media Access Control (MAC address)

Page 50: Date and Time Translation

The next series of slides will track this Verizon device through the wireless keys. Before we start, let’s look at the dates and times of the Profiles subkey for comparative purposes.

Page 51: Date and Time Translation

DateCreated: 10/21/2010 09:02:48
DateLastConnected: 01/19/2011 21:34:37

NOTE: This stored date and time is based on local machine time, not UTC

Page 52: Wireless Registration

The Wireless subkey name is an ID number for the wireless connection. Because this key is written during the original connection only, it retains the date and time of first connection.

Page 53: Unmanaged

The identifier can be traced from the Wireless subkey to the Unmanaged subkey. Note the header before the identifier.

Page 54: Unmanaged

• The Unmanaged subkey provides:
  • Profile GUID
  • Description
  • FirstNetwork
  • DefaultGatewayMac

Again, because this subkey is generally written to only during creation, it stores the first connection date and time.

Page 55: Profiles

The ProfileGuid in Unmanaged points to the device’s information in the Profiles subkey. Since this key is subject to modification with each new connection, the last written time is indicative of the last connected time as well.

Page 56: Wireless User

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\<guid>

Page 57: Wireless User

At the bottom of the Wpad keys will be a series of MAC addresses. These can be matched up to the MAC addresses listed in the Unmanaged keyset.

During testing, times did not match exactly but were close for the first connect time.

Once backtracked to the Unmanaged key, the ProfileGUID will allow checking the other user connections through this device.

Page 58: Recycle Bin

NTUSER.DAT file:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume

System file:
• MaxCapacity – MB
• NukeOnDelete
  • 0 = On
  • 1 = Off

Page 59: SECURITY File

• Old password cache for domain storage
• Last logged on user password cache

Page 60: Password Recovery

Policy\Secrets\DefaultPassword

• Current password
• Previous password

Page 61: Module Review

• Registry files of forensic importance
  – NTUSER.DAT
  – SAM
  – SYSTEM
  – SOFTWARE
  – SECURITY
