Registry Artifacts Villanova University Department of Computing - - PowerPoint PPT Presentation



SLIDE 1: REGISTRY ARTIFACTS

Villanova University – Department of Computing Sciences – D. Justin Price – Spring 2014

SLIDE 2: REGISTRY

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  • The registry is a “central hierarchical database” intended to store information that is necessary to configure the system for one or more users, applications, and hardware devices.[1]
  • Goldmine for digital forensics.
  • Registry breakdown:
    – Hives (binary database files)
    – Keys & subkeys (analogous to folders)
    – Values (analogous to files)
    – Type (string, binary or DWORD)
    – Data

[1] http://support.microsoft.com/kb/256986

SLIDE 3: REGISTRY HIVES

  • SAM
    – Local user accounts & groups
  • Security
    – Security information used by the operating system, including password policies, group memberships, etc.
  • System
    – Hardware and service configurations
  • Software
    – Application settings
  • NTUSER.dat
    – User settings, configuration and environment settings
  • UsrClass.dat
    – More widely used in Vista/7/8
    – Shellbag information

SLIDE 4: REGISTRY HIVES

  • System Registry Hives
    – XP/Vista/7/8: C:\Windows\System32\config\SAM
    – XP/Vista/7/8: C:\Windows\System32\config\SECURITY
    – XP/Vista/7/8: C:\Windows\System32\config\SYSTEM
    – XP/Vista/7/8: C:\Windows\System32\config\SOFTWARE
  • User Specific Registry Hives
    – XP: C:\Documents and Settings\<USERNAME>\NTUSER.dat
    – Vista/7/8: C:\Users\<USERNAME>\NTUSER.dat
    – Vista/7/8: C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat
  • Backup System Registry Hives
    – Vista/7/8: C:\Windows\System32\config\RegBack

SLIDE 5: REGISTRY VALUE TYPES

  • REG_NONE – No value
  • REG_SZ – Unicode or ASCII string
  • REG_BINARY – Binary data
  • REG_DWORD – 32-bit number
  • REG_LINK – Unicode symbolic link
  • REG_QWORD – 64-bit number

SLIDE 6: VIEWING REGISTRY HIVES

  • Live System Analysis - regedit.exe

SLIDE 7: VIEWING REGISTRY HIVES

  • Offline Analysis - AccessData Registry Viewer
  • http://marketing.accessdata.com/acton/attachment/4390/u-011c/0/-/-/-/-/

SLIDE 8: VIEWING REGISTRY HIVES

  • Offline Analysis - MiTeC Windows Registry Recovery (WRR)
  • http://www.mitec.cz/wrr.html

SLIDES 9–10: EXTRACTING REGISTRY HIVES (no extracted text)

SLIDE 11: LAST WRITE TIME

  • Last Write Time is recorded for each key in every hive.
  • Time is stored in UTC.
  • The time stamp reflects when a value has been added or updated.

SLIDE 12: SECURITY ACCOUNTS MANAGER (SAM)

  • Security Identifier (SID)
    – Recycle Bin entries, file ownership and other artifacts refer to a SID and not a username.
  • Microsoft documented SID accounts
    – Administrator = 500
    – Guest = 501
    – User accounts = start at 1000
  • Password fields can be misleading
    – Password Required = password policies applied to user accounts do not apply to this account
    – We will work with a much better tool to determine if a password was set for this account in the Encryption/Password lecture!
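As an added example (not part of the slides), the following Python decodes a binary SID into its S-1-… text form and labels the RID using the ranges given on this slide (500, 501, and 1000 upward). The SAM key layout it mentions (SAM\Domains\Account\Users holds one subkey per local account, named by the RID as eight hex digits) is general Windows knowledge rather than something the slide states; the sample SID bytes are constructed.

```python
import struct

# Well-known relative identifiers (RIDs) named on the slide.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}
FIRST_USER_RID = 1000  # user-created accounts start here


def parse_binary_sid(data: bytes) -> str:
    """Convert a binary SID (the form found in Recycle Bin $I records, file
    security descriptors and many registry values) to its S-1-... text form.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then count x 32-bit little-endian
    sub-authorities. The last sub-authority is the RID.
    """
    if len(data) < 8:
        raise ValueError("SID header truncated")
    revision, sub_count = data[0], data[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(data) < 8 + 4 * sub_count:
        raise ValueError("SID sub-authorities truncated")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from(f"<{sub_count}I", data, 8)
    return "-".join(str(part) for part in ("S", revision, authority, *subs))


def rid_of(sid: str) -> int:
    """Return the RID (final component) of a textual SID."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[-1])


def classify_rid(rid: int) -> str:
    """Label a RID using the slide's ranges: 500, 501, >= 1000."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid >= FIRST_USER_RID:
        return "user-created account"
    return "other built-in account or group"


def rid_from_sam_key_name(name: str) -> int:
    """General Windows knowledge (not from the slide): SAM\\Domains\\Account\\Users
    holds one subkey per local account, named by the RID as eight hex digits,
    e.g. 000001F4 is RID 500."""
    return int(name, 16)


# Constructed sample: binary form of S-1-5-21-1-2-3-500 (a domain-style SID
# carrying the Administrator RID; not taken from any real system).
SAMPLE_SID_BYTES = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1, 2, 3, 500)

if __name__ == "__main__":
    sid = parse_binary_sid(SAMPLE_SID_BYTES)
    print(sid, "->", classify_rid(rid_of(sid)))
    for key in ("000001F4", "000001F5", "000003E8"):
        rid = rid_from_sam_key_name(key)
        print(key, "-> RID", rid, "->", classify_rid(rid))
```

Feed the raw bytes of an owner SID from a file's security descriptor or a $I record into `parse_binary_sid`, then match the result against the SAM and ProfileList (slide 16) to turn it back into a username.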

SLIDES 13–15: SAM HIVE (no extracted text)

SLIDES 16–17: PROFILE LIST

  • Details all profiles that have used the system, including local and domain users.
  • SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

SLIDE 18: SYSTEM HIVE

  • Current Control Set
    – SYSTEM\Select\Current
    – Answers the following questions:
      » Which configuration files should be loaded?
      » If an error is detected, which configuration files should be tried next?
      » Which configuration files reported errors?

SLIDE 19: SYSTEM HIVE

  • Computer Name:
    – SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
  • Time Zone:
    – SYSTEM\CurrentControlSet\Control\TimeZoneInformation
  • Last Access Timestamp:
    – SYSTEM\CurrentControlSet\Control\FileSystem

SLIDE 20: SYSTEM HIVE

  • Network Interfaces:
    – SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

SLIDE 21: SYSTEM HIVE

  • User Shares Enabled:
    – SYSTEM\CurrentControlSet\Services\lanmanserver\Shares
  • System Shutdown Timestamps and Counters (XP):
    – SYSTEM\CurrentControlSet\Control\Windows
    – SYSTEM\CurrentControlSet\Control\Watchdog\Display

SLIDE 22: SOFTWARE HIVE

  • Operating System Version:
    – SOFTWARE\Microsoft\Windows NT\CurrentVersion

SLIDE 23: SOFTWARE HIVE

  • Historical Networks (Vista/7/8):
    – Managed by a Domain
      » SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
      » DnsSuffix = Domain
      » FirstNetwork = SSID
      » DefaultGatewayMac = Media Access Control (MAC) address of the gateway
      » Last Written Time = last time the computer connected to this network.

SLIDE 24: SOFTWARE HIVE

  • Historical Networks (Vista/7/8):
    – Not Managed by a Domain
      » SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged

SLIDE 25: SOFTWARE HIVE

  • Network Type:
    – SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{GUID} (XP)
    – SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles (Vista/7/8)
      » NameType 0x47 = Wireless
      » NameType 0x06 = Wired
      » NameType 0x17 = Broadband
      » Date fields are recorded as a 128-bit system date; use DCode to convert.
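Added example, not from the deck: parsing the values that slides 23 and 25 describe. NameType is mapped with the three codes given above, and the 128-bit date fields are decoded as a 16-byte SYSTEMTIME (eight 16-bit words), which is the format DCode converts here. The value names ProfileName, NameType, DateCreated and DateLastConnected are the real names under NetworkList\Profiles\{GUID}; DefaultGatewayMac is from slide 23. All sample bytes are constructed.

```python
import struct
from datetime import datetime

# NameType codes listed on slide 25 for NetworkList\Profiles.
NAME_TYPES = {0x47: "Wireless", 0x06: "Wired", 0x17: "Broadband"}


def parse_systemtime(data: bytes) -> datetime:
    """Decode a 16-byte (128-bit) SYSTEMTIME: eight little-endian WORDs
    (year, month, day-of-week, day, hour, minute, second, milliseconds).
    The structure carries no time-zone information, so the result is naive;
    resolve it against the host's TimeZoneInformation key (slide 19)."""
    if len(data) != 16:
        raise ValueError(f"SYSTEMTIME must be 16 bytes, got {len(data)}")
    year, month, _dow, day, hour, minute, second, millis = struct.unpack("<8H", data)
    return datetime(year, month, day, hour, minute, second, millis * 1000)


def network_type(name_type: int) -> str:
    """Map the NameType DWORD to the label from the slide."""
    return NAME_TYPES.get(name_type, f"Unknown (0x{name_type:02X})")


def format_mac(raw: bytes) -> str:
    """DefaultGatewayMac (Signatures key, slide 23) is stored as 6 raw bytes."""
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return ":".join(f"{b:02x}" for b in raw)


def describe_profile(values: dict) -> dict:
    """Summarise the values of one NetworkList\\Profiles\\{GUID} key."""
    return {
        "name": values["ProfileName"],
        "type": network_type(values["NameType"]),
        "created": parse_systemtime(values["DateCreated"]),
        "last_connected": parse_systemtime(values["DateLastConnected"]),
    }


# Constructed sample values (not from a real hive). Day-of-week is the third
# word: 2014-02-03 was a Monday (1) and 2014-03-05 a Wednesday (3).
SAMPLE_PROFILE = {
    "ProfileName": "CoffeeShopWifi",
    "NameType": 0x47,
    "DateCreated": struct.pack("<8H", 2014, 2, 1, 3, 9, 15, 0, 0),
    "DateLastConnected": struct.pack("<8H", 2014, 3, 3, 5, 14, 7, 30, 250),
}
SAMPLE_GATEWAY_MAC = bytes.fromhex("001a2b3c4d5e")

if __name__ == "__main__":
    for key, value in describe_profile(SAMPLE_PROFILE).items():
        print(f"{key:15} {value}")
    print("gateway MAC     ", format_mac(SAMPLE_GATEWAY_MAC))
```

Because `parse_systemtime` returns a naive datetime, a reporting script should attach the zone recovered from TimeZoneInformation before comparing these values with the UTC key Last Write times described on slide 11.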

SLIDE 26: AUTO-START PROGRAMS

  • Various registry locations:
    – NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Run
    – NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\RunOnce
    – SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    – SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    – SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    – SYSTEM\CurrentControlSet\Services (Start value 0x02 = automatic start)

SLIDE 27: NTUSER.DAT HIVE

  • Windows XP Search History
    – NTUSER.DAT\Software\Microsoft\Search Assistant\ACMru
  • Windows 7 Search History
    – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
  • Windows 8 Search History
    – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\SearchHistory

SLIDE 28: NTUSER.DAT HIVE

  • Internet Explorer Typed URLs
    – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths

SLIDE 29: NTUSER.DAT HIVE

  • Recently Accessed Files
    – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
    – MRUList shows the order in which the files were accessed.
    – The most recently opened file will be first.

SLIDE 30: NTUSER.DAT HIVE

  • Microsoft Office Recent Documents
    – NTUSER.DAT\Software\Microsoft\Office\14.0\Word\FileMRU
    – NTUSER.DAT\Software\Microsoft\Office\14.0\Excel\FileMRU
    – NTUSER.DAT\Software\Microsoft\Office\14.0\Powerpoint\FileMRU
  • Office version numbers used in the key path:
    – Office XP - Version 10.0
    – Office 2003 - Version 11.0
    – Office 2007 - Version 12.0
    – Office 2010 - Version 14.0

SLIDE 31: NTUSER.DAT HIVE

  • Common Dialogs API (ComDlg32)
    – Open and Save As APIs
    – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU (XP)
    – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidMRU (Vista/7/8)

SLIDE 32: NTUSER.DAT HIVE

  • Common Dialogs API (ComDlg32)
    – Last Visited - records the specific executable used to open the files, along with the directory that was last accessed.
    – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU (XP)
    – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidMRU (Vista/7/8)

SLIDE 33: NTUSER.DAT HIVE

  • Commands Executed from the Run Box
    – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
    – MRUList provides the order in which the commands were executed.
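Added example (not the author's code) showing how the two MRU ordering schemes behind slides 29 and 33 are read: the XP-style MRUList (a string of letters, most recent first) and the Vista/7/8 MRUListEx (a binary list of 32-bit indices ending in 0xFFFFFFFF). The RecentDocs entry layout (UTF-16LE file name, null-terminated, followed by a shell item) and the trailing `\1` on RunMRU commands are general Windows knowledge, not stated on the slides; the sample values are constructed.

```python
import struct


def order_by_mrulist(values: dict) -> list:
    """XP-style ordering (RunMRU, OpenSaveMRU, RecentDocs on XP): MRUList is a
    REG_SZ of single letters, most recent first; each letter names the value
    holding that entry."""
    return [values[letter] for letter in values["MRUList"]]


def order_by_mrulistex(values: dict) -> list:
    """Vista/7/8 ordering (RecentDocs, OpenSavePidMRU, WordWheelQuery):
    MRUListEx is REG_BINARY, a list of 32-bit little-endian indices ending
    with 0xFFFFFFFF; index n refers to the value named "n"."""
    raw = values["MRUListEx"]
    if len(raw) % 4:
        raise ValueError("MRUListEx length is not a multiple of 4")
    ordered = []
    for (index,) in struct.iter_unpack("<I", raw):
        if index == 0xFFFFFFFF:  # terminator
            break
        ordered.append(values[str(index)])
    return ordered


def recentdocs_name(entry: bytes) -> str:
    """A RecentDocs entry begins with the file name as a null-terminated
    UTF-16LE string; a shell item describing its .lnk follows."""
    for i in range(0, len(entry) - 1, 2):
        if entry[i:i + 2] == b"\x00\x00":
            return entry[:i].decode("utf-16-le")
    raise ValueError("no UTF-16 terminator in RecentDocs entry")


def run_box_commands(values: dict) -> list:
    """RunMRU values carry a trailing '\\1' after the command text; strip it."""
    return [cmd[:-2] if cmd.endswith("\\1") else cmd for cmd in order_by_mrulist(values)]


def recent_files(values: dict) -> list:
    """File names from a RecentDocs key, most recently opened first."""
    return [recentdocs_name(e) for e in order_by_mrulistex(values)]


def _entry(name: str) -> bytes:
    # Constructed RecentDocs entry: name, terminator, then stand-in shell item bytes.
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x00\x00" + b"\x00" * 16


# Constructed sample keys (not from a real hive).
SAMPLE_RUNMRU = {
    "a": "cmd\\1",
    "b": "regedit\\1",
    "c": "notepad C:\\temp\\x.txt\\1",
    "MRUList": "cba",
}
SAMPLE_RECENTDOCS = {
    "0": _entry("memo.docx"),
    "1": _entry("budget.xlsx"),
    "2": _entry("photo.jpg"),
    "MRUListEx": struct.pack("<4I", 1, 2, 0, 0xFFFFFFFF),
}

if __name__ == "__main__":
    print("Run box, newest first:", run_box_commands(SAMPLE_RUNMRU))
    print("RecentDocs, newest first:", recent_files(SAMPLE_RECENTDOCS))
```

Only the first entry in either list inherits the key's Last Write time; the positions of the others give relative order, not timestamps, which is why slide 29 says "order" rather than "time".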

SLIDE 34: NTUSER.DAT HIVE

  • UserAssist
    – Records what application(s) a user has run, when and how many times:
      » NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
    – Valuable resource to determine user activity and technical knowledge.
    – Values are encoded using a simple substitution cipher (ROT13).
    – Run count starts at 6 (?); some viewers will automatically adjust this value, so it is important to know what your tool is doing.
    – {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} = Executable File
    – {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} = Shortcut File Execution

SLIDE 35: NTUSER.DAT HIVE

  • UserAssist
    – Win XP/Vista
    – All values begin with one of:
      » UEME_RUNPATH – Launched from the absolute path
      » UEME_RUNCPL – Launched from the Control Panel applet
      » UEME_RUNPIDL – Launched from a shortcut
      » UEME_UIQCUT – Launched from the Quick Launch menu
      » UEME_UISCUT – Launched from a desktop shortcut
      » UEME_UITOOLBAR – Launched from the Windows Explorer toolbar
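Added example, not from the slides: decoding UserAssist as described on slides 34 and 35. It applies ROT13 to a value name, maps the XP/Vista UEME_ prefix, and parses the Count data in both layouts: the 16-byte XP/Vista form, where the stored run count is the real count plus 5 (so a first run shows as 6, the "starts at 6" on slide 34), and the 72-byte Windows 7/8 form (run count at offset 4, focus count at 8, focus time at 12, last-run FILETIME at offset 60, no offset applied). The FILETIME conversion is the same one used for key Last Write times (slide 11). The Windows 7 layout is general knowledge rather than something the slides state; the sample value name and byte strings are constructed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# GUID subkeys named on slide 34.
GUID_FOLDERS = {
    "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}": "Executable file execution",
    "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}": "Shortcut file execution",
}
# XP/Vista value-name prefixes from slide 35.
XP_PREFIXES = {
    "UEME_RUNPATH": "Launched from the absolute path",
    "UEME_RUNCPL": "Launched from the Control Panel applet",
    "UEME_RUNPIDL": "Launched from a shortcut",
    "UEME_UIQCUT": "Launched from the Quick Launch menu",
    "UEME_UISCUT": "Launched from a desktop shortcut",
    "UEME_UITOOLBAR": "Launched from the Windows Explorer toolbar",
}
XP_COUNT_OFFSET = 5  # XP stores run count + 5, so the first run appears as 6


def filetime_to_datetime(filetime: int):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware UTC datetime.
    The same conversion applies to key Last Write times (slide 11)."""
    if filetime == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def decode_value_name(name: str) -> str:
    """UserAssist value names are ROT13-encoded; the cipher is its own inverse."""
    return codecs.decode(name, "rot_13")


def describe_xp_name(decoded: str) -> str:
    """Classify a decoded XP/Vista value name by its UEME_ prefix."""
    prefix = decoded.split(":", 1)[0]
    return XP_PREFIXES.get(prefix, "Unknown prefix")


def parse_count_xp(data: bytes) -> dict:
    """XP/Vista Count data: session id (4), run count (4), last-run FILETIME (8)."""
    if len(data) < 16:
        raise ValueError("XP UserAssist entry needs 16 bytes")
    _session, stored_count, filetime = struct.unpack_from("<IIQ", data, 0)
    return {"run_count": max(stored_count - XP_COUNT_OFFSET, 0),
            "last_run": filetime_to_datetime(filetime)}


def parse_count_win7(data: bytes) -> dict:
    """Windows 7/8 Count data is 72 bytes: run count at offset 4, focus count at
    8, focus time in ms at 12, last-run FILETIME at 60. No +5 offset here, which
    is one reason slide 34 warns you to know what your viewer does."""
    if len(data) < 68:
        raise ValueError("Windows 7 UserAssist entry needs 72 bytes")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (filetime,) = struct.unpack_from("<Q", data, 60)
    return {"run_count": run_count, "focus_count": focus_count,
            "focus_time": timedelta(milliseconds=focus_ms),
            "last_run": filetime_to_datetime(filetime)}


# Constructed samples (not from a real hive).
ENCODED_NAME = "HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\pzq.rkr"
SAMPLE_FILETIME = 130385020500000000  # 2014-03-05 14:07:30 UTC
SAMPLE_XP_COUNT = struct.pack("<IIQ", 0, 8, SAMPLE_FILETIME)  # stored 8 -> 3 real runs
SAMPLE_WIN7_COUNT = (struct.pack("<IIII", 0, 3, 1, 12000) + b"\x00" * 40
                     + struct.pack("<I", 0) + struct.pack("<Q", SAMPLE_FILETIME) + b"\x00" * 4)

if __name__ == "__main__":
    name = decode_value_name(ENCODED_NAME)
    print(name, "->", describe_xp_name(name))
    print("XP   :", parse_count_xp(SAMPLE_XP_COUNT))
    print("Win7 :", parse_count_win7(SAMPLE_WIN7_COUNT))
```

When comparing output from two tools, check whether each one subtracts the XP offset; a difference of exactly 5 in the run count between tools is that adjustment, not a discrepancy in the evidence.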

SLIDE 36: NTUSER.DAT HIVE

  • UserAssist
    – Win 7/8
    – http://www.aldeid.com/wiki/Windows-userassist-keys#Translation_of_directories

SLIDE 37: NTUSER.DAT HIVE

  • MUICache
    – Multi-language User Interface
    – One more location to see if a program was executed, even if the program was uninstalled.
    – Timestamps are not recorded, as each program is a value.
    – Win XP: NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\MUICache
    – Win 7/8: USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
    – Consider processing Volume Shadow Copies (VSC)

SLIDE 38: RegRipper

  • https://code.google.com/p/regripper/wiki/RegRipper

SLIDE 39: RegRipper (no extracted text)

SLIDE 40: RegRipper Plugins

  • List all plugins:
    – rip -l

SLIDE 41: RegRipper Plugins (no extracted text)

SLIDE 42: USB FORENSICS

  • USB devices are commonly used to transfer data.
  • Determine how the user is using the system.
  • Identify other devices that may be important to the investigation.
  • Determine the first time a USB drive was connected to the system.
  • Determine the last time a USB drive was connected to the system.
  • Artifact locations:
    – XP/Vista/7/8: C:\Windows\System32\config\SYSTEM
    – XP/Vista/7/8: C:\Windows\System32\config\SOFTWARE
    – XP: C:\Documents and Settings\<USERNAME>\NTUSER.dat
    – Vista/7/8: C:\Users\<USERNAME>\NTUSER.dat
    – XP: C:\Windows\setupapi.log
    – Vista/7/8: C:\Windows\inf\setupapi.dev.log

SLIDE 43: USB FORENSICS

  • Device’s serial number
    – SYSTEM\CurrentControlSet\Enum\USBSTOR
    – Vendors “should” manufacture USB devices with unique serial numbers.
    – Not all devices comply with the standard.
    – Devices that do not have a unique serial number will have an “&” as the 2nd character.
    – “Last Written Date” is the first time the device was connected to the system since the last reboot.

SLIDE 44: USB FORENSICS

  • Device’s Volume Name (Windows 7/8)
    – SOFTWARE\Microsoft\Windows Portable Devices\Device

SLIDE 45: USB FORENSICS

  • Device’s Mapped Drive Letter (Windows XP/7/8)
    – SYSTEM\MountedDevices
    – Windows XP uses the device’s ParentIdPrefix

SLIDE 46: USB FORENSICS

  • Determine which user used the USB device (Windows 7/8)
    – SYSTEM\USBSTOR\<DEVICE>\<Serial#>\Device Parameters\Partmgr

SLIDE 47: USB FORENSICS

  • Determine which user used the USB device, part 2 (Windows 7/8)
    – SYSTEM\MountedDevices

SLIDE 48: USB FORENSICS

  • Determine which user used the USB device (Windows 7/8)
    – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Mountpoints2

SLIDE 49: USB FORENSICS

  • When was the USB device first used? (Windows 7/8)
    – C:\Windows\inf\setupapi.dev.log

SLIDE 50: USB FORENSICS

  • When was the USB device last used? (Windows 7/8)
    – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints\{GUID}
    – Key’s Last Write Timestamp
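Added example, not the deck's code or any tool's, tying together slides 43, 45, 47, 48 and 50: it applies the second-character rule to a USBSTOR serial, decodes MountedDevices values (for USB volumes these are UTF-16LE strings of the form `_??_USBSTOR#<device>#<serial>#{GUID}`, while fixed disks hold a 12-byte MBR signature plus partition offset instead), and matches the resulting volume GUID against each user's MountPoints2 subkeys to name the user who mounted the device. The MountedDevices string format and the disk interface GUID are general Windows knowledge rather than something the slides state; every hive value here is constructed.

```python
from typing import Optional

# GUID_DEVINTERFACE_DISK: the well-known interface class that ends USB volume
# device paths in MountedDevices.
DISK_INTERFACE_GUID = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"


def serial_is_unique(serial_key: str) -> bool:
    """Slide 43: an instance id whose 2nd character is '&' was generated by
    Windows because the device reports no unique serial number."""
    return not (len(serial_key) >= 2 and serial_key[1] == "&")


def parse_usbstor_device_key(name: str) -> dict:
    """USBSTOR subkey names look like Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>."""
    parts = name.split("&")
    fields = {"class": parts[0]}
    for part in parts[1:]:
        key, _, value = part.partition("_")
        fields[key.lower()] = value
    return fields


def mounted_device_path(data: bytes) -> Optional[str]:
    """Return the device path if a MountedDevices value describes a USB volume,
    otherwise None (fixed disks store an MBR signature + offset, not text)."""
    if len(data) % 2:
        return None
    text = data.decode("utf-16-le", errors="replace").rstrip("\x00")
    return text if text.startswith("_??_USBSTOR#") else None


def serial_from_device_path(path: str) -> str:
    """Device path layout: _??_USBSTOR#<device key>#<serial key>#{interface guid}."""
    return path.split("#")[2]


def correlate_usb_device(serial_key: str, mounted_devices: dict,
                         mountpoints2_by_user: dict) -> dict:
    """Tie one USBSTOR serial to drive letters and volume GUIDs in
    SYSTEM\\MountedDevices (slides 45, 47) and to the users whose NTUSER
    MountPoints2 key lists those GUIDs (slide 48)."""
    letters, guids = [], []
    for name, data in mounted_devices.items():
        path = mounted_device_path(data)
        if path is None or serial_from_device_path(path) != serial_key:
            continue
        if name.startswith("\\DosDevices\\"):
            letters.append(name[len("\\DosDevices\\"):])
        elif name.startswith("\\??\\Volume"):
            guids.append(name[len("\\??\\Volume"):])
    users = sorted(user for user, subkeys in mountpoints2_by_user.items()
                   if any(g in subkeys for g in guids))
    return {"serial": serial_key, "unique_serial": serial_is_unique(serial_key),
            "drive_letters": letters, "volume_guids": guids, "users": users}


# Constructed sample hive contents (no real system).
SAMPLE_SERIAL = "4C530001234567890123&0"
SAMPLE_DEVICE_KEY = "Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00"
_VOLUME_GUID = "{a1b2c3d4-1111-2222-3333-444455556666}"
_DEVICE_PATH = f"_??_USBSTOR#{SAMPLE_DEVICE_KEY}#{SAMPLE_SERIAL}#{DISK_INTERFACE_GUID}"
SAMPLE_MOUNTED_DEVICES = {
    # fixed disk: 4-byte MBR signature + 8-byte partition offset
    "\\DosDevices\\C:": bytes.fromhex("78563412") + (0x7E00).to_bytes(8, "little"),
    "\\DosDevices\\E:": _DEVICE_PATH.encode("utf-16-le"),
    "\\??\\Volume" + _VOLUME_GUID: _DEVICE_PATH.encode("utf-16-le"),
}
# MountPoints2 subkey names per user profile (drive letters and volume GUIDs).
SAMPLE_MOUNTPOINTS2 = {"alice": ["C", _VOLUME_GUID], "bob": ["C"]}

if __name__ == "__main__":
    print(parse_usbstor_device_key(SAMPLE_DEVICE_KEY))
    print(correlate_usb_device(SAMPLE_SERIAL, SAMPLE_MOUNTED_DEVICES, SAMPLE_MOUNTPOINTS2))
```

The functions take plain dicts of value names to data, so they can be fed from any offline hive parser; the user match is only as strong as the GUID hit in MountPoints2, and the time of that use comes from the matching subkey's Last Write time as slide 50 describes.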

SLIDE 51: USB FORENSICS - AUTOMATED

  • USBDeviceForensics
  • http://www.woanware.co.uk/forensics/usbdeviceforensics.html

SLIDE 52: USB FORENSICS - AUTOMATED (no extracted text)

SLIDE 53: SHELL BAGS

  • Store user-specific preferences for Windows Explorer.
  • Show browsing habits and knowledge of content by a user.
  • Uncover evidence of a deleted folder structure.
  • Registry locations:
    – XP/Vista/7/8: USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
    – XP/Vista/7/8: USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
    – XP/Vista/7/8: NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
    – XP/Vista/7/8: NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
  • The following changes will cause a ShellBag key to be updated:
    – Window size
    – View options
    – Viewing files in thumbnail format
    – Sorting options

SLIDES 54–62: SHELL BAGS (no extracted text)

SLIDE 63: EXTRACTING SHELLBAGS

  • sbag.exe
  • Download - https://www.tzworks.net/download_links.php
  • Info - https://www.tzworks.net/prototype_page.php?proto_id=14

SLIDES 64–65: EXTRACTING SHELLBAGS (no extracted text)