10.7 Registry

Windows systems use the Registry to store system configuration and usage details in what are called "keys." On Windows 95 and 98 the Registry files (a.k.a. hives) are located in the Windows installation directory and are named "system.dat" and "user.dat." On Windows NT/2000/XP the Registry consists of several hive files located in "%systemroot%\system32\config" plus a hive file named "ntuser.dat" stored in each user account's profile directory.

Registry files recovered from an evidentiary system can be viewed on an examination system with the Windows NT regedt32 command, using the Load Hive option on the Registry menu. They can also be viewed with third-party applications such as EnCase or Resplendent Registrar.[27] Binary values are displayed in hexadecimal, but a key and everything beneath it can be written out as a readable text file with the "Save Subtree As" option on the same Registry menu of regedt32. For instance, the following Registry key lists the names of files that were recently played with Windows Media Player ("<sid>" stands for the security identifier of the user account on the system):

    Key Name:          HKEY_USERS\<sid>\Software\Microsoft\MediaPlayer\Player\RecentURLList
    Class Name:        <NO CLASS>
    Last Write Time:   5/9/2003 - 1:48 PM
    Value 0
      Name:            URL0
      Type:            REG_SZ
      Data:            H:\porn\movie1.avi
    Value 1
      Name:            URL1
      Type:            REG_SZ
      Data:            H:\porn\movie2.avi

The Registry values in this example referenced files on an external, removable hard drive that was not attached to the system when it was collected. Upon finding these references in the Registry, investigators sought and found the external hard drive. Similar most-recently-used (MRU) keys exist for other programs and for different file extensions, as in this Explorer Open/Save dialog list for files with a ".zip" extension:

    Key Name:          HKEY_USERS\<sid>\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\zip
    Class Name:        Shell
    Last Write Time:   5/9/2003 - 1:17 PM
    Value 0
      Name:            a
      Type:            REG_SZ
      Data:            H:\porn\bodyshots1.zip
    <cut for brevity>
    Value 9
      Name:            j
      Type:            REG_SZ
      Data:            H:\porn\bodyshots2.zip

start sidebar

Preview (Chapter 19): Trojan horse programs such as SubSeven and Back Orifice use Registry keys (among other mechanisms) to persist on a system after it is rebooted. These programs give an individual full remote control of the computer. Although antivirus programs can detect many Trojans in their default state, intruders can modify the programs to avoid detection.

end sidebar

As the name suggests, the "Last Write Time" is the timestamp the system records on a key whenever a value in it is added, changed, or deleted (or a subkey is created or removed). It is kept per key, not per value, so it shows when the key was last modified but not which entry changed.

Some keys obscure the data they contain by encoding value names with a simple substitution cipher. The UserAssist key, which records programs launched through Explorer, uses ROT13 (each letter is shifted 13 places in the alphabet; digits and punctuation are left unchanged), as shown here:

    Key Name:          HKEY_USERS\<sid>\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
    Class Name:        <NO CLASS>
    Last Write Time:   9/11/2002 - 9:28 AM
    Value 1
      Name:            HRZR_EHACNGU:T:\sebfg\sebfg.ong
    Value 2
      Name:            HRZR_EHACNGU:T:\rapnfr3.rkr

Decoded with ROT13 (the "HRZR_EHACNGU" prefix is "UEME_RUNPATH"), the first entry refers to "g:\frost\frost.bat" and the second entry refers to "g:\encase3.exe".
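The two tasks illustrated above, pulling recently used paths out of MRU keys and decoding ROT13 UserAssist names, can be automated once the keys have been exported with "Save Subtree As". The following Python script is an added example, not code from the book; it parses an export in the "Key Name / Value N / Name / Type / Data" text layout shown in this section and reports every drive-letter path referenced, which is exactly the clue that led investigators to the missing external drive. The export text embedded in the script is constructed for this example (the SID, the REG_BINARY data and the paths are made up, modeled on the keys above), and the script assumes the "Last Write Time" is written as "M/D/YYYY - H:MM AM/PM" in the examination system's local time with no time zone.

```python
"""Parse a regedt32 'Save Subtree As' text export and list the file paths
it references (MRU values and ROT13-encoded UserAssist names).

Added example; the export below is CONSTRUCTED (invented SID, paths and
binary data), not taken from a real case.
"""
import codecs
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed export in the layout regedt32 writes: one 'Key Name:' header
# per key, then numbered values with Name/Type/Data lines.
SAMPLE_EXPORT = r"""
Key Name:          HKEY_USERS\S-1-5-21-1004336348-1177238915-682003330-1003\Software\Microsoft\MediaPlayer\Player\RecentURLList
Class Name:        <NO CLASS>
Last Write Time:   5/9/2003 - 1:48 PM
Value 0
  Name:            URL0
  Type:            REG_SZ
  Data:            H:\porn\movie1.avi
Value 1
  Name:            URL1
  Type:            REG_SZ
  Data:            H:\porn\movie2.avi

Key Name:          HKEY_USERS\S-1-5-21-1004336348-1177238915-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
Class Name:        <NO CLASS>
Last Write Time:   9/11/2002 - 9:28 AM
Value 1
  Name:            HRZR_EHACNGU:T:\sebfg\sebfg.ong
  Type:            REG_BINARY
  Data:            01 00 00 00 06 00 00 00
Value 2
  Name:            HRZR_EHACNGU:T:\rapnfr3.rkr
  Type:            REG_BINARY
  Data:            01 00 00 00 0b 00 00 00
"""

# 'Key Name' must precede the bare 'Name' alternative so it is tried first.
LABEL_RE = re.compile(r"^\s*(Key Name|Class Name|Last Write Time|Name|Type|Data):\s*(.*)$")
VALUE_RE = re.compile(r"^\s*Value\s+(\d+)\s*$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")  # X:\... paths only


@dataclass
class RegValue:
    name: str
    type: str = ""
    data: str = ""


@dataclass
class RegKey:
    path: str
    class_name: str = ""
    last_write: Optional[datetime] = None
    values: List[RegValue] = field(default_factory=list)


def parse_last_write(text: str) -> datetime:
    """'5/9/2003 - 1:48 PM' -> datetime; assumes local time, no zone info."""
    return datetime.strptime(text.replace(" ", ""), "%m/%d/%Y-%I:%M%p")


def parse_export(text: str) -> List[RegKey]:
    """Walk the export line by line, building one RegKey per 'Key Name:' block."""
    keys: List[RegKey] = []
    key: Optional[RegKey] = None
    value: Optional[RegValue] = None
    for raw in text.splitlines():
        if VALUE_RE.match(raw) and key is not None:
            value = RegValue(name="")
            key.values.append(value)
            continue
        m = LABEL_RE.match(raw)
        if not m:
            # Unlabelled, non-blank lines continue a multi-line Data dump.
            if value is not None and raw.strip():
                value.data += " " + raw.strip()
            continue
        label, content = m.group(1), m.group(2).strip()
        if label == "Key Name":
            key, value = RegKey(path=content), None
            keys.append(key)
        elif label == "Class Name" and key is not None:
            key.class_name = content
        elif label == "Last Write Time" and key is not None:
            key.last_write = parse_last_write(content)
        elif value is not None:
            setattr(value, label.lower(), content)  # name / type / data
    return keys


def rot13(s: str) -> str:
    """UserAssist value names are ROT13: letters shift 13, everything else stays."""
    return codecs.decode(s, "rot_13")


def referenced_paths(keys: List[RegKey]) -> List[Tuple[str, str, str]]:
    """(key path, raw value name, referenced file path) for every drive-letter
    path found in REG_SZ MRU data or in decoded UserAssist UEME_RUNPATH names."""
    hits = []
    for key in keys:
        in_userassist = "\\UserAssist\\" in key.path
        for v in key.values:
            if in_userassist:
                # 'UEME_RUNPATH:G:\frost\frost.bat' -> 'G:\frost\frost.bat'
                path = rot13(v.name).partition(":")[2]
            elif v.type == "REG_SZ":
                path = v.data
            else:
                continue
            if DRIVE_PATH_RE.match(path):
                hits.append((key.path, v.name, path))
    return hits


def drive_letters(keys: List[RegKey]) -> List[str]:
    """Drive letters referenced anywhere: media to look for if not attached."""
    return sorted({p[0].upper() for _, _, p in referenced_paths(keys)})


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    for key_path, name, path in referenced_paths(parsed):
        print(f"{path:32s} <- {name}  ({key_path.rsplit(chr(92), 1)[-1]})")
    print("drives referenced:", drive_letters(parsed))
```

Run against the constructed export, the script lists the two Media Player paths on H: and the two decoded UserAssist paths on G:, and reports drives G and H as media to look for. Real exports contain many keys the script does not single out (it only flags drive-letter paths, so relative UserAssist entries such as bare shortcut names are skipped), and the Last Write Time it parses is whatever local time the examination system displayed.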

[27]http://www.resplendence.com




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279
