Advanced Registry Analysis

The registry keys above provide guidance on how to analyze a registry file when the target keys are known. Many analyses, however, involve identifying which registry keys and values a particular software package creates or uses, where those keys are not documented in advance. Typical targets include web browsers, peer-to-peer software, spyware, and CD/DVD authoring software.

There are two mechanisms for finding the registry keys associated with a specific piece of software: static registry analysis (comparing snapshots) and dynamic registry analysis (monitoring). Static analysis is generally easier to interpret, because monitoring produces large amounts of data that must be filtered before it is useful. Dynamic analysis, however, captures information that a snapshot comparison cannot, such as registry reads (for example, the keys a program checks for licensing information). Note that a snapshot comparison records every change made between the two snapshots, including changes made by Windows itself or by other processes, so the image should be kept otherwise idle while the package is installed.

Static analysis is performed as follows:

  1. The investigator creates a clean operating system installation. VMware and Microsoft Virtual PC are well suited to this, because the image files for a clean build can simply be copied each time a new machine is needed.

  2. A copy of the registry is taken using a registry snapshot tool such as RegShot (shown in Figure 6-4).

    Figure 6-4: RegShot registry snapshot tool

  3. The software package to be analyzed is installed.

  4. A second copy of the registry is taken.

  5. The first and second copies of the registry are compared and any new or changed entries are noted.

The following listing is sample RegShot output from the installation of Firefox version 1.0PR, showing the keys deleted and added between the two snapshots:

 REGSHOT LOG 1.60
 Comments:
 Datetime:2004/10/19 18:06:27    2004/10/19 18:17:07
 Computer:SECURITY  SECURITY
 Username:
 ----------------------------------
 Keys deleted:1
 ----------------------------------
 HKEY_USERS\S-1-5-21-448539723-1563985344-1202660629-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew
 ----------------------------------
 Keys added:17
 ----------------------------------
 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CHROME\shell\open\ddeexec
 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CHROME\shell\open\ddeexec\Application
 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CHROME\shell\open\ddeexec\Topic
 HKEY_LOCAL_MACHINE\SOFTWARE\FullCircle\TalkBack\MozillaOrgFirefox10Win322004100109
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox (1.0PR)
 HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox.0PR (en-US)
 HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox.0PR (en-US)\Main
 HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox.0PR (en-US)\Uninstall
 HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 1.0PR
 HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 1.0PR\bin
 HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 1.0PR\Extensions
 HKEY_USERS\S-1-5-21-448539723-1563985344-1202660629-1003\Software\Mozilla\Mozilla Firefox.0PR (en-US)
 HKEY_USERS\S-1-5-21-448539723-1563985344-1202660629-1003\Software\Mozilla\Mozilla Firefox.0PR (en-US)\Main
 HKEY_USERS\S-1-5-21-448539723-1563985344-1202660629-1003\Software\Mozilla\Mozilla Firefox.0PR (en-US)\Uninstall
 HKEY_USERS\S-1-5-21-448539723-1563985344-1202660629-1003\Software\Mozilla\Mozilla Firefox 1.0PR
 HKEY_USERS\S-1-5-21-448539723-1563985344-1202660629-1003\Software\Mozilla\Mozilla Firefox 1.0PR\bin
 HKEY_USERS\S-1-5-21-448539723-1563985344-1202660629-1003\Software\Mozilla\Mozilla Firefox 1.0PR\Extensions
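The comparison in step 5 is what RegShot automates. The script below is an example added here, not code from the book or from RegShot: it performs the same comparison over two text exports of a hive (the format that `reg export` and Regedit's Export command write) and prints the result in RegShot's log layout. The two snapshots, the hypothetical ExampleBrowser package and the keys it touches are constructed for the example so that it runs offline.

```python
"""Registry snapshot comparison (step 5 of the static procedure).

Added example; not code from the book or from RegShot. It diffs two
.reg text exports and reports keys added/deleted and values
added/deleted/modified. Snapshots, package and keys are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed "before" snapshot: the clean build, before installation.
SNAPSHOT_BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htm]
@="htmlfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CHROME]
@="Chrome"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

# Constructed "after" snapshot: the same hive after a hypothetical browser
# install that took over .htm, registered a DDE handler, and added a Run
# entry and an Uninstall entry.
SNAPSHOT_AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htm]
@="ExampleBrowserHTML"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CHROME]
@="Chrome"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CHROME\shell\open\ddeexec]
@="\"%1\",,0,0,,,,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ExampleBrowser"="C:\\Program Files\\ExampleBrowser\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleBrowser]
"DisplayName"="Example Browser 1.0"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# A value line is  @=data  or  "name"=data ; names may contain escaped quotes.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} for a .reg export.

    Data is kept as the raw text after '=' (a quoted string, dword:..,
    hex:..), which is all a diff needs. Multi-line hex data (lines that
    end in a backslash) is joined back together before parsing.
    """
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # hex(...) continuation line
            pending = line[:-1]
            continue
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = m.group(2)
    return keys


@dataclass
class RegDiff:
    keys_added: list = field(default_factory=list)
    keys_deleted: list = field(default_factory=list)
    values_added: list = field(default_factory=list)     # (key, name, data)
    values_deleted: list = field(default_factory=list)   # (key, name, data)
    values_modified: list = field(default_factory=list)  # (key, name, old, new)


def diff_snapshots(before, after):
    """Compare two parsed snapshots. Values under added or deleted keys are
    listed as well, as RegShot does."""
    d = RegDiff()
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key), after.get(key)
        if b is None:
            d.keys_added.append(key)
            d.values_added += [(key, n, v) for n, v in sorted(a.items())]
        elif a is None:
            d.keys_deleted.append(key)
            d.values_deleted += [(key, n, v) for n, v in sorted(b.items())]
        else:
            for n in sorted(set(a) - set(b)):
                d.values_added.append((key, n, a[n]))
            for n in sorted(set(b) - set(a)):
                d.values_deleted.append((key, n, b[n]))
            for n in sorted(set(a) & set(b)):
                if a[n] != b[n]:
                    d.values_modified.append((key, n, b[n], a[n]))
    return d


def format_report(d):
    """Render the diff in the section layout RegShot uses for its log."""
    sep = "-" * 34
    sections = [
        ("Keys deleted", d.keys_deleted),
        ("Keys added", d.keys_added),
        ("Values deleted", [f"{k}\\{n}: {v}" for k, n, v in d.values_deleted]),
        ("Values added", [f"{k}\\{n}: {v}" for k, n, v in d.values_added]),
        ("Values modified", [f"{k}\\{n}: {o} -> {v}" for k, n, o, v in d.values_modified]),
    ]
    out = []
    for title, items in sections:
        out += [sep, f"{title}:{len(items)}", sep, *items]
    return "\n".join(out)


if __name__ == "__main__":
    diff = diff_snapshots(parse_reg_export(SNAPSHOT_BEFORE),
                          parse_reg_export(SNAPSHOT_AFTER))
    print(format_report(diff))
```

In practice the two inputs come from `reg export HKLM\SOFTWARE before.reg` and the same command after the installation; the hive under HKEY_USERS for the logged-on account should be exported and compared in the same way, since per-user keys (as in the Firefox listing) are where much of a package's configuration lands. Whatever else runs between the two exports also shows up in the report, which is why the clean image is kept idle apart from the installation itself.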

For dynamic registry analysis, a tool such as Regmon (since superseded by Sysinternals Process Monitor, which records the same registry operations) can be used to capture registry activity in real time. The dynamic analysis steps are similar to those for static analysis:

  1. The investigator creates a clean operating system installation. VMware and Microsoft Virtual PC are well suited to this, because the image files for a clean build can simply be copied each time a new machine is needed.

  2. The registry monitoring tool is started.

  3. The registry monitoring tool's filter is configured to include only the process in question, so that registry activity from the rest of the system is excluded from the capture.

  4. The software package to be analyzed is installed.

  5. The registry monitoring results are analyzed. A sample analysis is shown in Figure 6-5.

    Figure 6-5: Regmon dynamic analysis
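Steps 3 and 5, filtering the monitor output to one process and then reading off what that process touched, as an added example that is not code from the book, Regmon or Process Monitor. The log lines are constructed in the shape of a Regmon tab-separated text export; the column layout (sequence, time, process:pid, operation, path, result, detail), the programs, PIDs and keys are all assumptions made for the example. It separates the keys a process wrote from the keys it only read and the keys it looked for that did not exist, which is the information the static comparison cannot provide.

```python
"""Filtering a registry monitor log (steps 3 and 5 of the dynamic procedure).

Added example; not code from the book, Regmon or Process Monitor. The log,
its column layout, the programs, PIDs and keys are constructed/assumed.
"""
from collections import defaultdict

# Constructed log: an installer (setup.exe), the installed program on its
# first run (example.exe) and an unrelated process (explorer.exe) as noise.
MONITOR_LOG = "\n".join("\t".join(r) for r in [
    ("1", "0.00000000", "setup.exe:1820", "OpenKey", r"HKLM\Software\ExampleApp", "NOTFOUND", ""),
    ("2", "0.00000041", "setup.exe:1820", "CreateKey", r"HKLM\Software\ExampleApp", "SUCCESS", "Key: 0xE1A3B2C0"),
    ("3", "0.00000097", "setup.exe:1820", "SetValue", r"HKLM\Software\ExampleApp\InstallDir", "SUCCESS", r'"C:\Program Files\ExampleApp"'),
    ("4", "0.00000152", "setup.exe:1820", "QueryValue", r"HKLM\Software\ExampleApp\License", "NOTFOUND", ""),
    ("5", "0.00000200", "setup.exe:1820", "CloseKey", r"HKLM\Software\ExampleApp", "SUCCESS", ""),
    ("6", "12.31000000", "explorer.exe:1472", "QueryValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "SUCCESS", "0x1"),
    ("7", "15.04000012", "example.exe:2044", "OpenKey", r"HKLM\Software\ExampleApp", "SUCCESS", "Key: 0xE1A3B2C0"),
    ("8", "15.04000060", "example.exe:2044", "QueryValue", r"HKLM\Software\ExampleApp\License", "NOTFOUND", ""),
    ("9", "15.04000110", "example.exe:2044", "QueryValue", r"HKCU\Software\ExampleApp\TrialStart", "SUCCESS", '"20041019"'),
])

# Regmon operation names; Process Monitor prefixes the same names with "Reg".
WRITE_OPS = {"CreateKey", "SetValue", "DeleteKey", "DeleteValue", "SetKeySecurity"}
READ_OPS = {"OpenKey", "QueryKey", "QueryValue", "EnumerateKey", "EnumerateValue"}


def parse_monitor_log(text):
    """Return one dict per event. Malformed lines are skipped rather than
    aborting the run, since real captures are large and occasionally ragged."""
    events = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 6:
            continue
        seq, when, proc, op, path, result = cols[:6]
        name, _, pid = proc.rpartition(":")
        events.append({
            "seq": int(seq), "time": when, "process": name, "pid": pid,
            "op": op[3:] if op.startswith("Reg") else op,  # RegSetValue -> SetValue
            "path": path, "result": result,
            "detail": cols[6] if len(cols) > 6 else "",
        })
    return events


def for_process(events, process_name):
    """Step 3: the include filter, by image name (case-insensitive)."""
    return [e for e in events if e["process"].lower() == process_name.lower()]


def summarize(events):
    """Step 5: collapse one process's events into the keys it wrote, the keys
    it only read (invisible to a snapshot comparison) and the keys it looked
    for that did not exist (typical of licence or previous-install checks)."""
    written, read, missing = set(), set(), set()
    for e in events:
        if e["op"] in WRITE_OPS and e["result"] == "SUCCESS":
            written.add(e["path"])
        elif e["op"] in READ_OPS:
            read.add(e["path"])
            if e["result"] == "NOTFOUND":
                missing.add(e["path"])
    return {
        "written": sorted(written),
        "read_only": sorted(read - written),
        "missing": sorted(missing),
    }


def ops_by_key(events):
    """Per-key operation counts, useful for spotting keys polled repeatedly."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        counts[e["path"]][e["op"]] += 1
    return {k: dict(v) for k, v in counts.items()}


if __name__ == "__main__":
    events = parse_monitor_log(MONITOR_LOG)
    for proc in ("setup.exe", "example.exe"):
        print(proc, summarize(for_process(events, proc)))
```

Running the summary for the installer and again for the installed program is the point of the exercise: the installer's writes are what the static comparison would also have shown, while the program's read of a TrialStart value and its probe for a License value that does not exist appear only in the monitor log.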



Source: Windows Forensics: The Field Guide for Corporate Computer Investigations
Author: Chad Steel
ISBN: 0470038624
Year: 2006