Mastering Windows Network Forensics and Investigation Chapter 8: The Registry Structure

Post on 19-Dec-2015

April 18, 2023 © Wiley Inc. 2007. All Rights Reserved

Chapter Topics:

• Registry History

• Registry Structure & Terms

• Registry Research

• Viewing Registry with Forensic Tools

Registry History

• Massive database of system and program configuration settings

• Legacy Windows (Windows 3.0) had config.sys, autoexec.bat, and several “ini” files

• Text files lacked hierarchical structure and couldn’t easily store binary data


Registry History

• Windows 3.1 had the first rudiments of a registry

• Windows 95 / NT expanded it more along the lines of what we see today

• Each subsequent release has increased the size and complexity of the registry


Registry Structure & Terminology

• At the physical level, the registry is stored in hive files

• The user rarely interfaces directly with the registry

• Regedit is the current interface tool (regedt32 is the legacy one); there is no shortcut for it, so launch it via Run > regedit


Regedit Interface

[Screenshot: the Regedit window, with the key pane on the left and the value pane on the right]

Five Root Keys


HKEY_CLASSES_ROOT

• Used to associate file types with the programs that open them, and to register classes for Component Object Model (COM) objects. It is the largest of the root keys in terms of the registry space it occupies. This key is derived from a linked merger of two keys, HKLM\Software\Classes and HKCU\Software\Classes; the merger effectively blends default settings with per-user settings.


HKEY_CURRENT_USER

• Used to configure the environment for the console user. It is a per-user setting (specific only to this user) and is derived from a link to HKU\SID, where the SID is the user’s security identifier.


HKEY_CURRENT_CONFIG

• Used to establish the current hardware configuration profile. This key is derived from a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current. Current is derived from a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\####, where #### is a number that increments starting at “0000”. HKLM\SYSTEM\CurrentControlSet, in turn, is a link to HKLM\SYSTEM\ControlSet###, where ### is a number that increments starting at 000. The value located in HKLM\SYSTEM\Select\Current determines which control set is current and therefore which ControlSet is to be used to create this key via a link.


HKEY_LOCAL_MACHINE

• Used to establish the per-computer settings. Settings found in this key apply to the machine and all of its users, covering all facets of the computer’s function. This key is a master key and is not, therefore, derived from any link as are the previous three keys. During system startup, the local machine settings are loaded before the user specific settings.


HKEY_USERS

• Contains the user environment settings for the console user as well as for other users who have logged onto the system. There will be at least three subkeys: “.DEFAULT,” “SID,” and “SID_Classes,” where the “SID” is that of the console user. You may also find the SIDs “S-1-5-18,” “S-1-5-19,” and “S-1-5-20,” which belong to the “LocalSystem,” “LocalService,” and “NetworkService” accounts, respectively. Any other SIDs found here belong to other users who have logged on to the machine. This key is a master key and is not, therefore, derived from any link, unlike the first three keys (HKEY_CLASSES_ROOT, HKEY_CURRENT_USER and HKEY_CURRENT_CONFIG).


Derived vs Master

• Only HKEY_LOCAL_MACHINE (HKLM) & HKEY_USERS (HKU) are Master Keys

• The remaining root keys are derived from other keys

• At the physical level, each logical master key has its source data in files called hives


HKLM Subkeys

[Screenshot: the subkeys beneath HKEY_LOCAL_MACHINE]

The HARDWARE subkey is dynamic and exists only on a live machine!

HKLM Keys > Hive Files


HIVE KEY        HIVE FILE
HKLM\SAM        %SYSTEMROOT%\System32\config\SAM
HKLM\SECURITY   %SYSTEMROOT%\System32\config\SECURITY
HKLM\SOFTWARE   %SYSTEMROOT%\System32\config\software
HKLM\SYSTEM     %SYSTEMROOT%\System32\config\system

The Evidence Vault


HKU Keys > Hive Files


HIVE KEY              HIVE FILE
HKU\.DEFAULT          %SYSTEMROOT%\System32\config\default
HKU\S-1-5-19          Documents and Settings\LocalService\ntuser.dat
HKU\S-1-5-19_Classes  Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
HKU\S-1-5-20          Documents and Settings\NetworkService\ntuser.dat
HKU\S-1-5-20_Classes  Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
HKU\SID               Documents and Settings\UserName\ntuser.dat
HKU\SID_Classes       Documents and Settings\UserName\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat

The list of loaded hives and the files behind them is recorded in HKLM\SYSTEM\CurrentControlSet\Control\hivelist.


Determining Current Control Set

[Screenshot: HKLM\SYSTEM\Select, whose Current value names the ControlSet### in use]

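The derived-versus-master distinction, the two hive-file tables and the Select\Current lookup above combine into a single routine an examiner needs constantly: given a path as Regedit shows it on the live machine, which master key really holds the data, and which hive file has to be opened off-line (where the derived and dynamic keys are simply absent). The following Python is an added example, not code from the book or its slides. It assumes the Documents and Settings profile layout of the tables above, and the caller supplies what a live system would read from the registry itself: the console user's SID, a SID-to-profile-folder map, the Select\Current value and the hardware profile number. The SID and profile name in the main block are constructed sample values.

```python
"""Resolve a logical registry path (as Regedit shows it on a live machine) to
the master key that really holds the data and the hive file backing it on disk.

Added example, not code from the book or its slides.  Assumptions: the profile
layout is the "Documents and Settings" one from the slides' hive-file tables,
and the caller supplies the console user's SID, a SID -> profile-folder map,
the REG_DWORD from HKLM\\SYSTEM\\Select\\Current and the hardware-profile number.
"""
from typing import Dict, List, NamedTuple, Optional, Tuple

ROOT_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_USERS": "HKU",
                "HKEY_CURRENT_USER": "HKCU", "HKEY_CLASSES_ROOT": "HKCR",
                "HKEY_CURRENT_CONFIG": "HKCC"}
CONFIG = r"%SYSTEMROOT%\System32\config"
USRCLASS = r"Local Settings\Application Data\Microsoft\Windows\UsrClass.dat"
# HKLM subkeys and the hive files behind them (the slides' table).  HARDWARE is
# rebuilt at every boot from device enumeration and has no file on disk.
HKLM_HIVES: Dict[str, Optional[str]] = {
    "SAM": CONFIG + r"\SAM", "SECURITY": CONFIG + r"\SECURITY",
    "SOFTWARE": CONFIG + r"\software", "SYSTEM": CONFIG + r"\system",
    "HARDWARE": None}
# Service accounts whose profile folders the slides' HKU table names.
BUILTIN_PROFILES = {"S-1-5-19": "LocalService", "S-1-5-20": "NetworkService"}


class Resolved(NamedTuple):
    # (master-key path, hive file or None if volatile); HKCR yields two
    # entries because it is a merged view of two keys.
    sources: List[Tuple[str, Optional[str]]]
    note: str = ""


def control_set_name(select_current: int) -> str:
    """HKLM\\SYSTEM\\Select\\Current (REG_DWORD) selects ControlSet###."""
    if select_current < 1:
        raise ValueError("Select\\Current is never 0; 1 means ControlSet001")
    return f"ControlSet{select_current:03d}"


def _hku_source(sub: str, rest: List[str],
                profiles: Dict[str, str]) -> Tuple[str, str]:
    """Map HKU\\<sid>[_Classes]\\... to its ntuser.dat or UsrClass.dat."""
    if sub.upper() == ".DEFAULT":
        hive = CONFIG + r"\default"
    else:
        is_classes = sub.lower().endswith("_classes")
        sid = sub[:-len("_Classes")] if is_classes else sub
        name = BUILTIN_PROFILES.get(sid) or profiles.get(sid)
        if name is None:
            raise KeyError(f"no profile folder known for SID {sid}")
        hive = "\\".join([r"Documents and Settings", name,
                          USRCLASS if is_classes else "ntuser.dat"])
    return "\\".join(["HKU", sub] + rest), hive


def resolve(logical_path: str, *, console_sid: str, profiles: Dict[str, str],
            select_current: int, hardware_profile: int = 1) -> Resolved:
    parts = [p for p in logical_path.replace("/", "\\").split("\\") if p]
    root = ROOT_ALIASES.get(parts[0].upper(), parts[0].upper())
    rest, ccs = parts[1:], control_set_name(select_current)
    # Derived root keys are rewritten into the master-key paths they link to.
    if root == "HKCU":
        root, rest = "HKU", [console_sid] + rest
    elif root == "HKCC":
        root, rest = "HKLM", ["SYSTEM", ccs, "Hardware Profiles",
                              f"{hardware_profile:04d}"] + rest
    elif root == "HKCR":
        kw = dict(console_sid=console_sid, profiles=profiles,
                  select_current=select_current, hardware_profile=hardware_profile)
        machine = resolve("\\".join(["HKLM", "SOFTWARE", "Classes"] + rest), **kw)
        user = resolve("\\".join(["HKU", console_sid + "_Classes"] + rest), **kw)
        return Resolved(machine.sources + user.sources,
                        "merged view: machine defaults (HKLM) blended with per-user settings (HKU)")
    if root == "HKU":
        if not rest:
            raise ValueError("HKU itself has no hive file; name a SID subkey")
        return Resolved([_hku_source(rest[0], rest[1:], profiles)])
    if root != "HKLM" or not rest or rest[0].upper() not in HKLM_HIVES:
        raise KeyError(f"no hive known for {logical_path}")
    # HKLM\SYSTEM\CurrentControlSet is itself a link to ControlSet###.
    if rest[0].upper() == "SYSTEM" and len(rest) > 1 \
            and rest[1].upper() == "CURRENTCONTROLSET":
        rest = [rest[0], ccs] + rest[2:]
    hive = HKLM_HIVES[rest[0].upper()]
    note = "" if hive else "volatile key: exists on a live machine only, in no hive file"
    return Resolved([("\\".join(["HKLM"] + rest), hive)], note)


if __name__ == "__main__":
    # Constructed sample context: the SID and profile name are made up.
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1001"
    ctx = dict(console_sid=sid, profiles={sid: "Alice"}, select_current=1)
    for path in (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                 r"HKCC\System\CurrentControlSet\Control",
                 r"HKLM\HARDWARE\DESCRIPTION\System", r"HKCR\.txt"):
        result = resolve(path, **ctx)
        print(path)
        for master, hive in result.sources:
            print("   ", master, "->", hive or "(no hive file)")
        if result.note:
            print("   ", result.note)
```

The two failure modes worth noticing are the ones an off-line examiner trips over: HKLM\HARDWARE resolves to no file at all, and HKCR resolves to two files that must both be opened to reproduce the merged view seen on the live system.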

Registry Value Data Types


DATA TYPE                NUMBER  DESCRIPTION
REG_NONE                 0       Data type is not defined
REG_SZ                   1       Fixed-length text string in a user-friendly format, often used to describe components
REG_EXPAND_SZ            2       Variable or expandable-length data string
REG_BINARY               3       Binary data, displayed in the editor as hex
REG_DWORD                4       32-bit double word value; the most common data type found in the registry
REG_DWORD_LITTLE_ENDIAN  4       32-bit double word value with bytes in reverse order. As Intel processors already store data in this format, this term is synonymous with REG_DWORD and the two share the same numeric value
REG_DWORD_BIG_ENDIAN     5       32-bit double word value with bytes in normal order, the most significant byte appearing first
REG_LINK                 6       Internal-use-only data type for a Unicode symbolic link
REG_MULTI_SZ             7       Multiple strings, each terminated by a null (00h), with two nulls (00 00) marking the end of the list of strings
REG_RESOURCE_LIST        8       Listing of resource lists for devices or device drivers (REG_FULL_RESOURCE_DESCRIPTOR). You can view, but not edit, these lists.
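To make the table concrete, here is an added Python example (not code from the book or its slides) that decodes raw value data by type number: the UTF-16LE string types, the two DWORD byte orders applied to the same four bytes, the double-null-terminated REG_MULTI_SZ list, and %VAR% expansion of a REG_EXPAND_SZ string against a supplied environment. The sample bytes and the environment are constructed.

```python
"""Decode raw registry value data according to its REG_* type number.

Added example, not code from the book or its slides.  The type numbers are
those in the data-type table; the sample bytes are constructed to look like
what a hive parser or forensic tool hands back as a value's data.
"""
import re
import struct
from typing import Dict, List, Union

REG_NONE, REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD = 0, 1, 2, 3, 4
REG_DWORD_LITTLE_ENDIAN = 4      # same number as REG_DWORD, as the table says
REG_DWORD_BIG_ENDIAN, REG_LINK, REG_MULTI_SZ, REG_RESOURCE_LIST = 5, 6, 7, 8


def decode_sz(data: bytes) -> str:
    """REG_SZ / REG_EXPAND_SZ / REG_LINK: UTF-16LE, usually NUL-terminated."""
    text = data.decode("utf-16-le", errors="replace")
    return text.split("\x00", 1)[0]   # drop the terminator and anything after


def decode_multi_sz(data: bytes) -> List[str]:
    """REG_MULTI_SZ: each string ends in 00 00; an extra 00 00 ends the list."""
    items = []
    for piece in data.decode("utf-16-le", errors="replace").split("\x00"):
        if piece == "":            # the double NUL yields an empty piece
            break
        items.append(piece)
    return items


def decode_dword(data: bytes, big_endian: bool = False) -> int:
    """REG_DWORD stores the low-order byte first (Intel native order);
    REG_DWORD_BIG_ENDIAN stores the most significant byte first."""
    if len(data) != 4:
        raise ValueError(f"DWORD needs exactly 4 bytes, got {len(data)}")
    return struct.unpack(">I" if big_endian else "<I", data)[0]


def expand_sz(value: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references in a REG_EXPAND_SZ string from a supplied
    environment (case-insensitive, as Windows variables are); unknown names
    are left untouched."""
    upper = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: upper.get(m.group(1).upper(), m.group(0)), value)


def decode_value(reg_type: int, data: bytes) -> Union[str, int, List[str]]:
    """Dispatch on the type number; binary-like types come back as hex text."""
    if reg_type in (REG_SZ, REG_EXPAND_SZ, REG_LINK):
        return decode_sz(data)
    if reg_type == REG_DWORD:
        return decode_dword(data)
    if reg_type == REG_DWORD_BIG_ENDIAN:
        return decode_dword(data, big_endian=True)
    if reg_type == REG_MULTI_SZ:
        return decode_multi_sz(data)
    if reg_type in (REG_NONE, REG_BINARY, REG_RESOURCE_LIST):
        return " ".join(f"{b:02x}" for b in data)
    raise ValueError(f"unsupported registry type {reg_type}")


# Constructed sample values (name, type number, raw data).
SAMPLES = [
    ("Select\\Current", REG_DWORD, b"\x01\x00\x00\x00"),
    ("same bytes, big-endian", REG_DWORD_BIG_ENDIAN, b"\x01\x00\x00\x00"),
    ("Run\\Example", REG_SZ, "C:\\Tools\\example.exe\x00".encode("utf-16-le")),
    ("SystemRoot", REG_EXPAND_SZ, "%SystemRoot%\\system32\x00".encode("utf-16-le")),
    ("DependOnService", REG_MULTI_SZ, "RPCSS\x00Tcpip\x00\x00".encode("utf-16-le")),
    ("raw", REG_BINARY, b"\xde\xad\xbe\xef"),
]

if __name__ == "__main__":
    env = {"SystemRoot": "C:\\WINDOWS"}    # constructed environment
    for name, reg_type, raw in SAMPLES:
        decoded = decode_value(reg_type, raw)
        if reg_type == REG_EXPAND_SZ:
            decoded = f"{decoded!r} -> {expand_sz(decoded, env)!r}"
        print(f"{name:24} type {reg_type}: {decoded!r}")
```

The second sample is the point of the two DWORD rows in the table: the same four bytes read as 1 under REG_DWORD and as 16777216 under REG_DWORD_BIG_ENDIAN, so a tool that ignores the type number reports a wrong value without any error.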

Search in Regedit


Registry Analysis Tools

• Regmon (Microsoft)

• User Assist Analyzer (http://didierstevens.wordpress.com/)

• Access Data’s Registry Viewer

• Access Data’s Imager

• EnCase (View File Structure)


Viewing Registry with Forensic Tools

• Forensic Tools
  – Access Data – Registry Viewer
  – EnCase – View File Structure
  – ProDiscover
  – Others

• Off-line registry differs from live registry

• Mount / Open Hive Files

• Don’t expect to see derived or dynamic keys