registry artifacts
play

Registry Artifacts Villanova University Department of Computing - PowerPoint PPT Presentation

Apr 03, 2023 •310 likes •979 views

Registry Artifacts Villanova University Department of Computing Sciences D. Justin Price Spring 2014 REGISTRY The registry is a central hierarchal database intended to store information that is necessary to configure the

  1. Registry Artifacts Villanova University – Department of Computing Sciences – D. Justin Price – Spring 2014

  2. REGISTRY • The registry is a “central hierarchal database” intended to store information that is necessary to configure the system for one or more users, applications, and hardware devices.[1] • Goldmine for digital forensics. • Registry Breakdown • Hives (binary database files) • Keys & Subkeys (analogous to a folders) • Values (analogous to a file) • Type (strings, binary or DWORD) • Data Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014 [1] http://support.microsoft.com/kb/256986

  3. REGISTRY HIVES • SAM – Local user accounts & groups • Security – Security information used by the operating system to include password policies, group memberships, etc. • System – Hardware and service configurations • Software – Application settings • NTUSER.dat – User settings, configuration and environment settings • UsrClass.dat – More widely used in Vista/7/8 – Shellbag Information Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  4. REGISTRY HIVES • System Registry Hives � XP/Vista/7/8 C:\Windows\System32\config\SAM � XP/Vista/7/8 C:\Windows\System32\config\SECURITY � XP/Vista/7/8 C:\Windows\System32\config\SYSTEM � XP/Vista/7/8 C:\Windows\System32\config\SOFTWARE � • User Specific Registry Hives � XP C:\Documents and Settings\<USERNAME>\NTUSER.dat � Vista/7/8 C:\Users\<USERNAME>\NTUSER.dat � Vista/7/8 C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat � • Backup System Registry Hives Vista/7/8 C:\Windows\System32\config\RegBack Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  5. REGISTRY VALUE TYPES REG_NONE No Value REG_SZ Unicode or ASCII String REG_BINARY Binary Data REG_DWORD 32-bit Number REG_LINK Unicode Symbolic Link REG_QWORD 64-bit Number Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  6. VIEWING REGISTRY HIVES • Live System Analysis - regedit.exe Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  7. VIEWING REGISTRY HIVES • Offline Analysis - AccessData Registry Viewer • http://marketing.accessdata.com/acton/attachment/4390/u-011c/0/-/-/-/-/ Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  8. VIEWING REGISTRY HIVES • Offline Analysis - MiTeC Windows Registry Recovery (WRR) • http://www.mitec.cz/wrr.html Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  9. EXTRACTING REGISTRY HIVES Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  10. EXTRACTING REGISTRY HIVES Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  11. LAST WRITE TIME • Last Write Time is recorded for each key in every hive. • Time is stored in UTC. • Time stamp reflects when a value has been added or updated. Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  12. SECURITY ACCOUNTS MANAGER (SAM) • Security Identifier (SID) • Recycle Bin entries, file ownership and other artifacts refer to a SID and not a username. • Microsoft Documented SID Accounts • Administrator = 500 • Guest = 501 • User Account = start at 1000 • Password fields can be misleading • Password Required = password policies applied to user accounts do not apply to this account • We will work with a much better tool to determine if a password was set for this account in the Encryption/ Password lecture! Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  13. SAM Hive Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  14. SAM Hive Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  15. SAM Hive Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  16. PROFILE LIST • Details all profiles that have used the system to include local and domain users. • SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  17. PROFILE LIST • Details all profiles that have used the system to include local and domain users. • SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  18. SYSTEM HIVE • Current Control Set • SYSTEM\Select\Current • Answers the following questions: • Which configuration files should be loaded? • If an error is detected, which configuration files should be tried next? • Which configuration files reported errors? Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  19. SYSTEM HIVE • Computer Name: – SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName � � • Time Zone: – SYSTEM\CurrentControlSet\Control\TimeZoneInformation � � � � • Last Access Timestamp: – SYSTEM\CurrentControlSet\Control\FileSystem Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  20. SYSTEM HIVE • Network Interfaces: – SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  21. SYSTEM HIVE • User Shares Enable: – SYSTEM\CurrentControlSet\Services\lanmanserver\Shares � � � • System Shutdown Timestamps and Counters (XP): – SYSTEM\CurrentControlSet\Control\Windows – SYSTEM\CurrentControlSet\Control\Watchdog\Display Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  22. SOFTWARE HIVE • Operating System Version: – SOFTWARE\Microsoft\Windows NT\CurrentVersion Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  23. SOFTWARE HIVE • Historical Networks (Vista/7/8): – Managed by a Domain – SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures \Managed – DnsSuffix = Domain – FirstNetwork = SSID – DefaultGatewayMac = Media Access Control (MAC) Address of Gateway – Last Written Time = Last time the computer connected to this network. Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  24. SOFTWARE HIVE • Historical Networks (Vista/7/8): – Not Managed by a Domain – SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList \Signatures\Unmanaged Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  25. SOFTWARE HIVE • Network Type: – SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{GUID} (XP) – SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList \Profiles (Vista/7/8) » NameType 0x47 = Wireless » NameType 0x06 = Wired » NameType 0x17 = Broadband » Date fields are recorded as 128-bit System date …. use Dcode to convert. Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  26. AUTO-START PROGRAMS • Various Registry Locations: – NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Run – NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\RunOnce – SOFTWARE\Microsoft\Windows\CurrentVersion\Run – SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce – SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run – SYSTEM\CurrentControlSet\Services • (0x02 = start) Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  27. NTUSER.DAT HIVE • Windows XP Search History – NTUSER.DAT\Software\Microsoft\Search Assistant\ACMru • Windows 7 Search History – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer \WordWheelQuery � � � � � � � • Windows 8 Search History – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer \SearchHistory Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  28. NTUSER.DAT HIVE • Internet Explorer Typed URLs – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer \TypedPaths Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  29. NTUSER.DAT HIVE • Recently Accessed Files – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer \RecentDocs – MRUList shows the order in which the files were accessed. – The most recent file opened will be first. Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Roadmap for Section 12.2. Registry Fundamentals Registry Structure Registry Limits Monitoring

Roadmap for Section 12.2. Registry Fundamentals Registry Structure Registry Limits Monitoring

Unit OS12: Scripting 12.2. The Registry Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 12.2. Registry Fundamentals Registry Structure Registry Limits Monitoring Registry

397 views • 19 slides
What is a Honeymoon Registry A Honeymoon Registry is a wedding gift registry experience for

What is a Honeymoon Registry A Honeymoon Registry is a wedding gift registry experience for

What is a Honeymoon Registry A Honeymoon Registry is a wedding gift registry experience for honeymoons and destination weddings. Our online Honeymoon Registry allows brides and grooms to list anything they want to do on their

547 views • 19 slides
Registry Principles GMTA March 15, 2017 Key Elements of Registry Principles Definition

Registry Principles GMTA March 15, 2017 Key Elements of Registry Principles Definition

Registry Principles GMTA March 15, 2017 Key Elements of Registry Principles Definition Objectives for a registry Threshold questions Data Governance Committee Well-balanced registry design Registry data use

415 views • 9 slides
Artifacts of the 20 th century Essential Questions to Consider: 1.) How does examining the

Artifacts of the 20 th century Essential Questions to Consider: 1.) How does examining the

Artifacts of the 20 th century Essential Questions to Consider: 1.) How does examining the evidence and artifacts of earlier times help us to reconstruct the past? 2.) What are the consequences of technology? Can you guess the purpose of

587 views • 17 slides
An Analysis of An Analysis of Network Configuration Artifacts Network Configuration Artifacts

An Analysis of An Analysis of Network Configuration Artifacts Network Configuration Artifacts

An Analysis of An Analysis of Network Configuration Artifacts Network Configuration Artifacts LISA '09, November 5, 2009 David Plonka &amp; Andres Jaan Tack {plonka,tack}@cs.wisc.edu Motivation and Goals Like software quality, network

406 views • 36 slides
TLD Registry Data an unstructured wander through the zoo Joe Abley Public Interest Registry

TLD Registry Data an unstructured wander through the zoo Joe Abley Public Interest Registry

TLD Registry Data an unstructured wander through the zoo Joe Abley Public Interest Registry AIMS-CAIDA Workshop San Diego, February 2020 What is a TLD Registry DNS Answer We publish the ORG zone in the DNS Highly

550 views • 18 slides
SYSTEM WHAT IS A REGISTRY? A registry is an organized system for the timely collection , storage ,

SYSTEM WHAT IS A REGISTRY? A registry is an organized system for the timely collection , storage ,

THE TEXAS TB REGISTRY SYSTEM WHAT IS A REGISTRY? A registry is an organized system for the timely collection , storage , retrieval , analysis , and dissemination of information on individual persons who have a particular disease, or a risk factor

811 views • 34 slides
http://registry.sf.net http://registry.sf.net Before We Start . . . FORGET ABOUT THE NAME

http://registry.sf.net http://registry.sf.net Before We Start . . . FORGET ABOUT THE NAME

Linux Registry Turning Linux into a Trully Integrated Operating Environment Avi Alkalay &lt;avi@unix.sh&gt; Avi Alkalay &lt;avi@unix.sh&gt; Linux, Open Standards Consultant http://registry.sf.net http://registry.sf.net Before We Start . . .

640 views • 34 slides
DASD Career Readiness Education #DowningtownReady Another Mandate... Career Portfolio 2

DASD Career Readiness Education #DowningtownReady Another Mandate... Career Portfolio 2

DASD Career Readiness Education #DowningtownReady Another Mandate... Career Portfolio 2 Artifacts Per Year Starting in 3rd Grade 5th: 6 Artifacts 8th: +6 Artifacts (Including ICP) 11th: +8 Artifacts The 4 Career 1. Career Awareness

366 views • 17 slides
Registry for Performance Metrics draft-ietf-ippm-metric-registry-05 M. Bagnulo, B. Claise, P.

Registry for Performance Metrics draft-ietf-ippm-metric-registry-05 M. Bagnulo, B. Claise, P.

Registry for Performance Metrics draft-ietf-ippm-metric-registry-05 M. Bagnulo, B. Claise, P. Eardley, A. Morton, A. Akhter Registry Draft Updates 2 Goals and a recommendation: IANA creates and maintains according to process Define

367 views • 19 slides
The Artory Registry Blockchain for the Art World The Registry is the industrys first

The Artory Registry Blockchain for the Art World The Registry is the industrys first

The Artory Registry Blockchain for the Art World The Registry is the industrys first object-oriented, public database. Leveraging Ethereum blockchain, it tracks provenance and title, and distinguishes trusted from non- trusted data for the

567 views • 7 slides
and prospective registry study data in the EBMT registry Per Ljungman, MD, PhD For the

and prospective registry study data in the EBMT registry Per Ljungman, MD, PhD For the

The challenge of COVID-19 for HSCT; EBMT recommendations and prospective registry study data in the EBMT registry Per Ljungman, MD, PhD For the Infectious Diseases Working Party Disclosures None on this topic 2 What have been the EBMT

380 views • 23 slides
Medical Marijuana Registry August 15, 2018 Document 8 Presentation 2 of 17 Overview

Medical Marijuana Registry August 15, 2018 Document 8 Presentation 2 of 17 Overview

Document 8 Presentation 1 of 17 Medical Marijuana Registry August 15, 2018 Document 8 Presentation 2 of 17 Overview Marij uana in Colorado Registry s Role Functions of the Registry Foundation of the Registry

515 views • 17 slides
The case for a registry owning a registrar in its TLD Richard Tindal, SVP Registry eNom/ Demand

The case for a registry owning a registrar in its TLD Richard Tindal, SVP Registry eNom/ Demand

The case for a registry owning a registrar in its TLD Richard Tindal, SVP Registry eNom/ Demand Media What this debate is about: To simplify terminology lets call registries producers and registrars retail stores Were debating

357 views • 18 slides
National Breast Implant Registry Andrea Pusic, MD Co-Chair, National Breast Implant Registry

National Breast Implant Registry Andrea Pusic, MD Co-Chair, National Breast Implant Registry

National Breast Implant Registry Andrea Pusic, MD Co-Chair, National Breast Implant Registry Steering Committee MDEpiNet Annual Meeting October 2017 Single Sign Up Portal What is the National Breast Implant Registry? The Plastic Surgery

500 views • 11 slides
Registry What is there to be worried about? Stephen Deerhake AS Domain Registry ccNSO Members

Registry What is there to be worried about? Stephen Deerhake AS Domain Registry ccNSO Members

GDPR and .AS Domain Registry What is there to be worried about? Stephen Deerhake AS Domain Registry ccNSO Members meeting Who we are US Territory (Like Puerto Rico!) Located at 14d 1954 S / 170d 4241W 16,111 km from

250 views • 8 slides
PWRBA Meeting January 12, 2016 Ben Gimeno ben.gimeno@hotmail.com (703) 881-8911 (mobile, text,

PWRBA Meeting January 12, 2016 Ben Gimeno ben.gimeno@hotmail.com (703) 881-8911 (mobile, text,

PWRBA Meeting January 12, 2016 Ben Gimeno ben.gimeno@hotmail.com (703) 881-8911 (mobile, text, etc.) January 12 Agenda Ask-a-Beekeeper 6:30 7:00 Business Meeting and 7:00 7:30 Elections Break 7:30 7:40 Speaker 7:40

436 views • 14 slides
0 . Looking Ahead to the 2016-2017 Flu Season: Vaccine Options and Messages Webinar Objectives

0 . Looking Ahead to the 2016-2017 Flu Season: Vaccine Options and Messages Webinar Objectives

The Virtual Immunization Communication (VIC) Network is a project of the National Public Health Information Coalition (NPHIC) and the California Immunization Coalition, funded through a cooperative agreement with the Centers for Disease Control

997 views • 61 slides
Case Case Management of Management of Common Bites and Common Bites and 29 yo man was

Case Case Management of Management of Common Bites and Common Bites and 29 yo man was

Case Case Management of Management of Common Bites and Common Bites and 29 yo man was stung by a bee while working out in the yard. Now c/o skin Stings Stings itching, diffuse hives, swelling of arms and legs, tightness in throat,

507 views • 23 slides
hyvr Have Your Vision Realised! hyvr.co.uk Jo Bangoura, West of England AHSN @JoBangoura

hyvr Have Your Vision Realised! hyvr.co.uk Jo Bangoura, West of England AHSN @JoBangoura

hyvr Have Your Vision Realised! hyvr.co.uk Jo Bangoura, West of England AHSN @JoBangoura jo.bangoura@weahsn.net How do innovations happen? Design Together Live Better (2015-16) Seat belt Design Together Live Better Portable Bidet

426 views • 23 slides
Dermestid Beetle C ontrol Do not accumulate woolens or articles made of animal by-products

Dermestid Beetle C ontrol Do not accumulate woolens or articles made of animal by-products

Dermestid Beetle C ontrol Do not accumulate woolens or articles made of animal by-products unless they are extremely important to you. Do not keep or store woolens that are not used regularly. During non-use seasons, store woolen

1.01k views • 58 slides
NDDA/ CDFA PRE-I NSPECTI ON PROGRAM A DA M PA C H L A S S I S TA N T S TAT E A P I A RY I N

NDDA/ CDFA PRE-I NSPECTI ON PROGRAM A DA M PA C H L A S S I S TA N T S TAT E A P I A RY I N

NDDA/ CDFA PRE-I NSPECTI ON PROGRAM A DA M PA C H L A S S I S TA N T S TAT E A P I A RY I N S P E C TO R CALIFORNIA PRE-INSPECTION Background Every vehicle entering CA gets inspected Looking for invasive insects and noxious

409 views • 14 slides
Digital Forensics Unraveling Incidents one byte at a time Digital Forensics Characteristics of

Digital Forensics Unraveling Incidents one byte at a time Digital Forensics Characteristics of

Digital Forensics Unraveling Incidents one byte at a time Digital Forensics Characteristics of Digital Evidence: Admissible evidence must be related to the fact being proved Authentic evidence must be real and related to the

1.13k views • 68 slides
Physical Memory Forensics for Files and Cache Jamie Butler and Justin Murdock BIOGRAPHY

Physical Memory Forensics for Files and Cache Jamie Butler and Justin Murdock BIOGRAPHY

Physical Memory Forensics for Files and Cache Jamie Butler and Justin Murdock BIOGRAPHY Jamie Butler Director of Research and Development at MANDIANT Focused on Host Analysis and Operating Systems Research Justin Murdock

502 views • 26 slides

More recommend