introduction accessdata ® forensics forensic analysisincident responseediscoveryinformation...
TRANSCRIPT
Introduction
ACCESSDATA® FORENSICS
Forensic Analysis Incident Response eDiscovery Information Assurance
Windows 7 Registry Artifacts
Module Objectives
• Registry files of forensic importance– NTUSER.DAT
– SAM
– SYSTEM
– SOFTWARE
– SECURITY
• Addresses either typed or copied into the Browser address bar
• Tracks up to the last 25 entered
• Last one entered is on top
NTUSER.DAT – Typed URLs
MRUs – Recent Docs
• Stored by extension• Stores last 10 of each extension type (0-9)• Creates new extension subkey if new file type
MRUs – ComDlg32
• Windows 7 Displays 5 subkey sets• CIDSizeMRU
• FirstFolder
• LastVisitedPidlMRU
• LastVisitedPidlMRULegacy
• OpenSavePidlMRU
ComDlg32 – CIDSizeMRU
• This subkey track applications globally
• 592 byte values
• Little data beyond the application name/extension
ComDlg32 – FirstFolder
• Tracks the general install location of applications
• In some instances, will point to a user location
ComDlg32 – LastVisitedPidlMRU
Registry Viewer.exe: J:\ _WIN7 3 Day\test regback
LastVisitedPidlMRULegacy
• Windows
Legacy tracks 32 bit application data
MRUs – ComDlg32
• Stored by extension
• Stores last 20 (0-19)
• Creates new extension subkey if new file type
Note: The MRU list is stored in hex while the value
name is in decimal
ComDlg32 – OpenSavePidlMRU
It makes a difference to these values as to where the
document wasExternal Drives show drive
letter at offset 23
ComDlg32 – OpenSavePidlMRU
User created locations are also
displayed at offset 23
However known paths to Windows
are not displayed
This file was stored at My Documents
ComDlg32 – OpenSavePidlMRU
This was a document on the “Desktop”
It archives the path statement from there
without identifying the Desktop origins
This was in “My Documents” and the 12,560 byte value identifies
the full path at the end
Pointer to an Item Identifier List
• PIDL – Pointer to an Item Identifier List
• MS has virtual or “shell” folders
• My Computer
• My Documents
• Stored with a series of values (Item IDs - each object) rather than a path as they don’t exist in the file system
Shell Folders
User Created Folders
PIDL
MRUs – RunMRUs
• Stored commands from the Run box• Stores last 10 (a-j)
MRUs – MS Office 2007 / 2010
• File MRU in Office 2007 records 50 of the last accessed docs
• Functional in Excel, PowerPoint, and Word (2010 included Access)
• Office 2007 has a date / time identifier in the MRU
• 64-bit Windows date / time stamp identifying:
• Excel – Last opened by user
• PowerPoint – Last saved by user
• Word – Last opened by user
MRUs - MS Office 2007 / 2010
Note: This date stamp is stored in Unicode and in a Big Endian format. Registry Viewer currently does
not have a converter that can read the values.
Copy and decode the format to view the date / time of save
MRUs – MS Office 2007 / 2010
Windows 7 – Start > Searches
Windows 7 – Start > Searches
• Set the folders to index at:• Control Panel > Indexing Options
• Registry WorkingSetRules displays both default and user created index locations
TypedPaths – Windows Explorer
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
• Different GUIDs from previous versions– CEBFF5CD-ACE2-4F4F-9178-9926F41749EA– F4E57C4B-2036-45F0-A9AB-443BCFE33D9F
• GUIDs also used to identify paths
• Offsets have changed– Number of application launches– Last date/time launched
• Session ID has been removed
• The count value now starts at “1” instead of “5”
Windows 7 – UserAssist
Different GUIDs for the Count Subkeys
ROT13 Encryption
Date and Time of Last Launch – Offsets 60-67
Number of Launches – Offsets 4-7
Windows 7 – UserAssist
Protected Storage
• Storage1 – Queries and Form data• Storage2 – Stored Logon Passwords
Protected Storage
• Encrypted using the Windows DPAPI• Cryptographic system uses:
– User’s logon password– Protect folder– URL or query header
Data Protection Application Programming Interface
Cracking Protected Storage DPAPI
• Export from Image:• NTUSER.DAT of suspect (stored encrypted data)
• SAM and SYSTEM Files (for logon password)
• Low History index.dat file (for website passwords)
• User’s Protect folder (DPAPI encryption keys)
• Attack user’s logon password • Dropping the SAM file into PRTK
• Point PRTK to the SYSTEM file
• Create an empty text file to parse results to
Protect Folder
Logon Password
index.dat History
Results - Text File
NTUSER.DAT Protected Storage Attack - PRTK
Cracking Protected Storage DPAPI
UsrClass.dat - MuiCache
MuiCache
Windows 7
Windows XP
D&T Synch via Internet – File Sys
D&T Synch via Internet - Registry
Type = NTP (enabled)Type = NoSync (disabled)
SYSTEM\ControlSet###\services\W32Time\Parameters / Type
Transition to 64-bit Windows
• Requires 32-bit backwards compatibility• Requires a few tricks to run 32-bit apps
• File System 32-bit utilities are here:• Windows\SysWOW64• System32 contains 64-bit utilities
• Registry 32-bit keysets are here:• Wow6432Node located in these files:
• NTUSER.DAT• SOFTWARE
SAM – Multiple Profile Issues
0x 000003F6 = 1014 decimal
• Resolution of SID to User• User Profiles/Names
Password Hint
User Tile (user icon)
SAM File Information
RID – Offset 48-49Last Logon Time – Offsets 8-15Logon Count – Offset 66-67
F Value
SAM File – F Value Properties
User NameUser Full NameDescription
V Value
SAM File – V Value Properties
• Administrative tool used to rights to a collection of users
• Custom Groups are located at:– SAM\SAM\Domains\Account\Aliases
Useful in corporate investigations to see if a person had specific rights to accomplish a task
Or used to determine missing RIDs
SAM File – Groups
1F41F53E83E93EA3EB3EC3ED
500501
100010011002100310041005
• Computer Name• Mounted Devices• Time Zone Information• Last Accessed Date / Time
SYSTEM File
ComputerName Subkey
Change of Computer Name
Upon reboot, both values will change
ActiveComputerName
• Tracking HDDs in the image
SYSTEM File – MountedDevices
The current partition on the physical F DriveThe persistent value remains even if the F Drive is overwritten
SYSTEM File - MountedDevices
Drive ID listed in Mounted Devices is stored
in the MBR at
offset 440
0 = Automatic Adjustment for Daylight Time is Turned ON
1 = Automatic Adjustment for Daylight Time is Turned OFF
SYSTEM File – Time Zone Info
SYSTEM Registry
File
SYSTEM File – Last Access Date
1 = Updating Disabled - Default
0 = Updating Enabled – Changed by User
Last Access Date/Time
• Registered Owner• Operating System Type• Operating System Installation Date/Time
SOFTWARE File
• Last logged on user
Microsoft\Windows\CurrentVersion\Authentication\LogonUI
Computer Name User Name
Records the last written time as the system powers down
Last Logged On User
Wireless in Windows 7
\Microsoft\Windows NT\ CurrentVersion\
NetworkList\Profiles\<guid>
SSID – Service Set Identifier
Category0 = Public1 = Home2 = Work
Managed0=Unmanaged1 = Managed
Date and Time Translation
D7 07 06 00 04 00 0E 00 10 00 1B 00 2A 00 AB 00
Year Month Day of Month
Hour Minutes SecondsDay of
Week
2007
June Thu 14th 16 27 42: :
NOTE: The time is displayed in local time to the machine0=Sunday, 1=Monday, 2=Tuesday, etc.
Managed versus Unmanaged
ProfileName
Managed: Remote Server
Unmanaged: Wireless Router
MAC Address of remote system’s gateway
MAC Address
Media Access Control (MAC Address)
Date and Time Translation
The next series of slides will track this Verizon device through the
Wireless keys
Before we start, let’s look at the dates and times of the Profiles
subkey for comparative purposes
Date and Time Translation
DateCreated:
DateLastConnected:
10/21/2010 09:02:48
01/19/2011 21:34:37
NOTE: This stored date and time is based on local machine
time, not UTC
Wireless Registration
The Wireless subkey name is an ID number for the wireless connection
Because this key is written during the original connection only, it retains the date and time of first connection
Unmanaged
The identifier can be traced from the Wireless subkey
to the Unmanaged subkey
Note the header before the identifier
Unmanaged
• The Unmanaged subkey provides:• Profile GUID• Description• FirstNetwork• DefaultGatewayMac
Again, because this subkey is generally written to only during creation, it stores the first
connection date and time
Profiles
The ProfileGuid in Unmanaged points to the devices information in the Profiles subkey
Since this key is subject to modification with each new connection, the last written time is indicative of the last connected time as well.
Wireless User
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\<guid>
Wireless User
At the bottom of the Wpad keys will be a
series of MAC addresses
This can be matched up to the
MAC addresses listed in the
Unmanaged keyset
During testing, times did not match exactly but were close for the first connect time
Once backtracked to the Unmanaged key, the ProfileGUID will allow checking the other user connections through this device
Recycle Bin
NTUSER.DAT File
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume
System File
• MaxCapacity – MB
• NukeOnDelete
• 0=On
• 1=Off
• Old password cache for domain storage
• Last logged on user password cache
SECURITY File
Password Recovery
Current Password
Policy\Secrets\DefaultPassword
Previous Password
• Registry Files of forensic importance– NTUSER.DAT
– SAM
– SYSTEM
– SOFTWARE
– SECURITY
Module Review