Registry Analysis

There are four primary methods of analyzing the registry in a forensic analysis of a system (five if the real-time analysis provided by Regmon is included):

  • Perform a live system analysis graphically. This method is the easiest but the least forensically sound. Opening the registry with regedit on the target system gives the easiest view to traverse, but it allows accidental or intentional alteration of data while viewing, and running the program overwrites a small amount of memory (or paging file), around 250K.

  • Perform a live system analysis using the command line. Command-line analysis gathers registry information with a lower profile (and less risk), at some cost in interactivity. The reg command (reg query, reg export) can be pointed at a predetermined set of keys placed in a batch file, or at an entire registry section (recursively printing values) as needed. Redirect the output to removable media rather than writing it to the target disk.

  • Perform a live system analysis remotely. Regedit can connect to a remote registry, provided the appropriate permissions are present and the Remote Registry service is running on the target. This lets an administrator examine the registry of a remote system without directly alerting the user. Likewise, a null session connection (such as that used by SuperScan from Foundstone) allows the enumeration of several registry keys, including user lists and information on current users, where the target still permits anonymous access.

  • Perform an offline analysis on registry files. EnCase is able to parse the raw registry hive files on acquired drives. This allows offline analysis of registry information in a completely forensically sound manner. Although this is the most sound mechanism, it is also the least fruitful: dynamic (volatile) information is lost, the structure is more difficult to navigate, and the links are missing (for example, HKEY_CURRENT_USER, which on a live system is a link to the logged-on user's subkey of HKEY_USERS, has to be reconstructed from that user's NTUSER.DAT hive).

When analyzing the registry, numerous values are relevant to a wide range of investigations. A few of the key values, and the types of investigations they are relevant in, are detailed in the following sections.

General

Several registry keys are examined in numerous types of investigations. They are not necessarily specific to a given area; however, they are relevant to a number of investigations. These keys include basic system information (who used the system and what applications are installed) and more detailed information on key system areas (what hardware was installed and what drives were mounted). Table 6-1 lists these general registry keys.

Table 6-1: General Registry Keys

NAME

DESCRIPTION

HKCR\<extension>\(Default)

Provides the name of the application handler (ProgID) associated with a file extension. Looking up the ProgID key under HKCR (its shell\open\command subkey) gives the associated executable. When unknown file extensions are encountered (or extensions appear to be mapped oddly), they can be traced to an executable here.

HKCU\Control Panel\*

Stores all of the control panel settings under subkeys. If a particular control panel setting needs to be known for an investigation (such as whether the Wallpaper value under Desktop points to a Victoria's Secret image), this is the location to check. HKEY_CURRENT_USER is a link to the logged-on user's subkey under HKEY_USERS (HKU\<SID>); the same paths exist under every other user's subkey there, and in each user's NTUSER.DAT hive offline.

HKCU\Network\*

Lists drives mapped as persistent (restored at logon). Each drive letter subkey under Network records a mapped drive (RemotePath, ProviderName, and so on). Non-persistent mappings are not recorded here.

HKCU\Printers\DevModePerUser

Shows any printers defined for the current user, including network printers. If this key is not present, no printers have been added for that user.

HKCU\Volatile Environment

Stores environment variables for the current session on XP/2003.

HKCU\Software\* and HKLM\Software\*

Refer to software installed on the system. Software that has been deleted or uninstalled frequently leaves registry keys with user settings or machine settings after removal.

HKCU\Software\Microsoft\Internet Account Manager\Accounts\*

Stores the settings for Outlook Express mail accounts under numbered subkeys. SMTP and POP3 server names, user names, and email addresses are present.

HKCU\Software\Microsoft\NTBackup

Provides details, in log file subkeys, on the last time a backup was run with NTBackup on the NT line of systems. This data indicates the possible presence, and timeframe, of tapes or other backup media.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions

Caches the comments of servers the user has browsed (but not necessarily connected to). Windows XP and 2003 machines include a comment about a server in addition to the server name in a browse list.

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Devices, \PrinterPorts and \Windows, and HKLM\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers

Lists printers set up under the current system for Windows NT-based systems.

HKLM\Hardware\Devicemap\Scsi\

Contains individual entries for peripheral devices attached to both the SCSI and IDE buses on NT-based systems, including CD-ROM drives, Zip drives, and hard disks. The HARDWARE hive is volatile and rebuilt at every boot, so it is only available from a live system or a memory image, not from the hive files on disk.

HKLM\Network\Logon\

Lists the different logon profiles that appear on the startup screen for a given machine on Windows 9x machines.

HKLM\SAM\SAM\Domains\Account\

Lists names for users and groups (under the Users\Names and Groups\Names subkeys) on NT-based systems. By default the SAM key is readable only by the SYSTEM account, so on a live system an administrator must run as SYSTEM or change the key's permissions to view it; offline, the SAM hive file can be parsed directly.

HKLM\Software\Microsoft\Updates

Lists the installed updates with installation dates on Windows XP and 2003. This can be useful in disproving virus or worm susceptibility, or in showing a pattern of regular security updating.

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall

Lists all installed programs under subkeys. Sometimes uninstalled programs will leave remnants here for the investigator to find.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards

Shows network cards the system is aware of on NT-based systems. Previously removed network cards may still be listed.

HKLM\System\CurrentControlSet\Control\ComputerName

Holds the name assigned to the computer. The ComputerName subkey holds the name that takes effect at the next boot; ActiveComputerName holds the name currently in use, which differs if the machine was renamed and not yet rebooted.

HKLM\System\CurrentControlSet\Control\Print\Printers

Displays printer information on installed printers for all Windows versions.

HKLM\System\CurrentControlSet\Control\TimeZoneInformation

Shows the time zone set for the computer (StandardName, plus the Bias and ActiveTimeBias offsets from UTC in minutes). In large enterprises, this may indicate the nationality or location of the user, and it is needed to convert the registry's UTC timestamps to the user's local time.

HKLM\System\CurrentControlSet\Enum

Lists information on current and previously installed hardware.

HKLM\System\CurrentControlSet\Enum\USBSTOR

Lists any USB storage devices (for example, flash drives, external disks, and USB CD/DVD burners), even after the device has been disconnected. Subkeys are named by device class, vendor, product, and revision, with an instance subkey beneath each holding the device serial number (or a Windows-generated ID) and a FriendlyName value.

HKLM\System\CurrentControlSet\Services

Lists all of the services and drivers currently installed. The Start value gives the startup type: 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled. ImagePath names the executable or driver file.

HKLM\System\MountedDevices

Lists the mounted drive letters and volume names, including those of previously mounted devices.
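The command-line method described earlier (reg export, or regedit's own export) writes a text file in the REGEDIT5 format, which is also a convenient way to carry registry data off a live system for the kind of offline review this table supports. The following parser is an added example, not code from the book: it decodes the common value encodings (strings, dword, hex binary, and the UTF-16LE hex(2) form of REG_EXPAND_SZ), joins continuation lines, and then pulls the Uninstall entries and the Start type of each service out of a constructed sample export. The key contents in the sample are invented for the example.

```python
"""Parser for the REGEDIT5 text format written by `reg export` and regedit.

Added example, not from the book. Value encodings handled: "string" (REG_SZ),
dword:, hex: (REG_BINARY), hex(2): (REG_EXPAND_SZ, UTF-16LE) and hex(7):
(REG_MULTI_SZ). Continuation lines ending in a backslash are joined first.
"""
import re

# Constructed sample export (invented key contents, not data from a real system).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nero6]
"DisplayName"="Nero 6 Ultra Edition"
"InstallDate"="20050812"
"UninstallString"=hex(2):43,00,3a,00,5c,00,4e,00,65,00,72,00,6f,00,5c,00,\
  75,00,6e,00,69,00,6e,00,73,00,74,00,2e,00,65,00,78,00,65,00,00,00
"NoModify"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Start"=dword:00000001
"ImagePath"="system32\\drivers\\beep.sys"
'''

_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
_DWORD = re.compile(r'^dword:([0-9a-fA-F]{8})$')
_HEX = re.compile(r'^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$')
SERVICE_START = {0: 'Boot', 1: 'System', 2: 'Automatic', 3: 'Manual', 4: 'Disabled'}


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def _join_continuations(text):
    lines, pending = [], ''
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith('\\'):            # hex data continues on the next line
            pending = line[:-1]
            continue
        lines.append(line)
        pending = ''
    if pending:
        lines.append(pending)
    return lines


def _decode(data):
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return 'REG_SZ', _unescape(data[1:-1])
    m = _DWORD.match(data)
    if m:
        return 'REG_DWORD', int(m.group(1), 16)
    m = _HEX.match(data)
    if m:
        kind = int(m.group(1) or '3', 16)   # bare hex: is REG_BINARY (type 3)
        raw = bytes(int(b, 16) for b in m.group(2).split(',') if b.strip())
        if kind in (2, 7):                   # string types are stored as UTF-16LE
            text = raw.decode('utf-16-le', errors='replace')
            if kind == 2:
                return 'REG_EXPAND_SZ', text.rstrip('\x00')
            return 'REG_MULTI_SZ', [s for s in text.split('\x00') if s]
        return 'REG_BINARY', raw
    return 'UNKNOWN', data


def parse_reg(text):
    """Return {key path: {value name: (type, data)}}; '@' becomes '(Default)'."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lstrip('-')   # a leading '-' marks a key deletion
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if not m or current is None:
            continue
        name = '(Default)' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
        keys[current][name] = _decode(m.group(2))
    return keys


def installed_programs(keys):
    """(DisplayName, InstallDate, UninstallString) for each Uninstall subkey."""
    prefix = (r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' + '\\').upper()
    found = []
    for path, values in keys.items():
        if path.upper().startswith(prefix) and 'DisplayName' in values:
            found.append((values['DisplayName'][1],
                          values.get('InstallDate', (None, None))[1],
                          values.get('UninstallString', (None, None))[1]))
    return found


def service_start_types(keys):
    """{service name: start type}, using the Start value meanings from Table 6-1."""
    prefix = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services' + '\\'
    result = {}
    for path, values in keys.items():
        if path.upper().startswith(prefix.upper()) and 'Start' in values:
            name = path[len(prefix):]
            if '\\' not in name:               # skip Parameters/Enum subkeys
                result[name] = SERVICE_START.get(values['Start'][1], 'Unknown')
    return result


if __name__ == '__main__':
    parsed = parse_reg(SAMPLE_REG)
    for program in installed_programs(parsed):
        print('installed:', program)
    for service, start in service_start_types(parsed).items():
        print('service:', service, start)
```

Real exports are written as UTF-16LE with a byte-order mark, so open them with encoding='utf-16' before passing the text to parse_reg. The export itself is taken on the live system with, for example, reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall E:\uninstall.reg, with the output going to removable media.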

Tip 

Common file types to search for when looking for burned CDs include .RCL for Roxio EZ-CD Creator compilations; .ISO, .IMG, and .BIN for actual disc images; and .CUE files for tables of contents. To view the files without burning a CD, WinISO from http://www.winiso.com can be useful.

CASE STUDY: CD BURNING

One of our department managers made allegations that an individual from IT was copying confidential company information to DVD-R and removing it from the company. We were asked to confirm that the individual had a DVD burner and had made copies, in addition to confirming the contents of what may have been copied.

Searching the corporate asset management records produced no CD or DVD burner issued to the suspect or his department. A subsequent physical search of the suspect's area likewise turned up no burners. The suspect's laptop was acquired forensically and brought back to the lab for analysis.

Prior to analyzing the laptop, the subject was questioned regarding the use of a CD or DVD burner on his laptop. He denied ever possessing a CD or DVD burner or connecting one to his laptop.

The registry of the laptop was viewed and showed a USB device in the list of prior connections with a device name of PLEXTOR DVDR PX-708A USB Device under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR. Likewise, a search of the software keys found a key labeled HKEY_LOCAL_MACHINE\Software\Ahead\Nero Burning Rom, which corresponded with the name and company of a popular CD/DVD authoring tool: Nero Burning ROM.

A search for Nero compilation files (.nrc) found numerous files present. Likewise, a search for other compilation and disc image files turned up numerous volumes, including several dozen ISO image files.

Opening the compilation files in the respective programs revealed that numerous movies had been burned to DVD-R. Likewise, opening the actual image files found they contained both DVD-format and AVI-format versions of copyrighted movies.

There was no evidence of company information being burned to disk. That said, the employee's use of company equipment to download and subsequently burn copyrighted material, coupled with his decision to lie about using a CD/DVD burner, resulted in his termination.
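The USBSTOR evidence in the case study can be decoded mechanically rather than read by eye. The following is an added example (not from the book) that takes USBSTOR key paths and values as reg.exe or a hive parser would report them, splits the device-ID subkey into class, vendor, product, and revision, and reads the instance subkey beneath it. The instance name is the device's own serial number when the device reports one; when its second character is an ampersand, Windows generated the ID itself, so the same physical device cannot be matched across machines. The sample keys are constructed: the Plextor entry mirrors the FriendlyName quoted above, while the IDs and the SanDisk entry are invented.

```python
"""Decode USBSTOR device history (added example, not from the book)."""
import re
from dataclasses import dataclass

USBSTOR = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR'

# Constructed sample, shaped as {key path: {value name: data}}. The Plextor entry
# mirrors the FriendlyName from the case study; the IDs and SanDisk entry are invented.
SAMPLE_KEYS = {
    USBSTOR + r'\CdRom&Ven_PLEXTOR&Prod_DVDR__PX-708A&Rev_1.02': {},
    USBSTOR + r'\CdRom&Ven_PLEXTOR&Prod_DVDR__PX-708A&Rev_1.02\5&1c2d3e4f&0': {
        'FriendlyName': 'PLEXTOR DVDR PX-708A USB Device',
        'ParentIdPrefix': '7&2b3c4d5e&0',
    },
    USBSTOR + r'\Disk&Ven_SanDisk&Prod_Cruzer_Micro&Rev_8.01': {},
    USBSTOR + r'\Disk&Ven_SanDisk&Prod_Cruzer_Micro&Rev_8.01\0000161BE2C3F8A1&0': {
        'FriendlyName': 'SanDisk Cruzer Micro USB Device',
    },
}

# Device-ID subkey layout: <class>&Ven_<vendor>&Prod_<product>&Rev_<revision>
_DEVICE_ID = re.compile(
    r'^(?P<cls>[^&]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>[^&]*)$')


@dataclass
class UsbStorageDevice:
    device_class: str      # Disk, CdRom, ...
    vendor: str
    product: str
    revision: str
    instance_id: str       # serial number, or an ID Windows made up
    serial_from_device: bool
    friendly_name: str
    parent_id_prefix: str  # links the device to MountedDevices entries on XP


def _tidy(field):
    # spaces in the SCSI inquiry strings are written as underscores
    return re.sub(r'_+', ' ', field).strip()


def parse_usbstor(keys, root=USBSTOR):
    """Return one UsbStorageDevice per instance subkey under USBSTOR."""
    devices = []
    for path, values in keys.items():
        if not path.upper().startswith(root.upper() + '\\'):
            continue
        parts = path[len(root) + 1:].split('\\')
        if len(parts) != 2:
            continue                      # device-ID level only, no instance here
        m = _DEVICE_ID.match(parts[0])
        if not m:
            continue
        instance = parts[1]
        devices.append(UsbStorageDevice(
            device_class=m.group('cls'),
            vendor=_tidy(m.group('ven')),
            product=_tidy(m.group('prod')),
            revision=m.group('rev'),
            instance_id=instance,
            # An '&' as the second character means the device reported no serial
            # number and Windows generated the instance ID itself.
            serial_from_device=len(instance) > 1 and instance[1] != '&',
            friendly_name=values.get('FriendlyName', ''),
            parent_id_prefix=values.get('ParentIdPrefix', ''),
        ))
    return devices


def optical_burners(devices):
    """Devices enumerated as CD/DVD drives, the class relevant to the case study."""
    return [d for d in devices if d.device_class.lower() == 'cdrom']


if __name__ == '__main__':
    for dev in parse_usbstor(SAMPLE_KEYS):
        print(dev)
```

When the data comes from the hive file rather than a text export, the last-write time of the instance subkey is also available and gives the most recent time the device was connected, which is the other fact the interview in this case turned on.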


Folder Locations

The key folders on Microsoft systems are the most likely location for files of interest in an investigation. These folders include the My Documents folder (and My Music/My Pictures folders), the Startup folder, the Recent folder, and the Internet folders (Cache, History, Favorites and Cookies).

The default locations of these folders are noted in the previous chapters. By altering registry settings, an individual user can change these folders, generally for legitimate reasons (for example, storing My Documents on a separate partition). By confirming the locations of these folders, an investigation can be directed at target locations for initial analysis. Table 6-2 lists the folder location registry keys.

Table 6-2: Folder Location Registry Keys

NAME

DESCRIPTION

HKCU\Environment\TEMP and TMP

Identifies the environment variables that provide the location of the Windows temp directories. The temp directories are likely locations for temporary copies of files that may or may not exist elsewhere.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\*

Enables users to change the locations of specific folders, such as My Documents, Recent, and Startup, through the various values. Changing these folder locations changes the links from all locations that point to the particular special folder. (The sibling User Shell Folders key holds the same paths in unexpanded form, with %USERPROFILE% and similar variables; Shell Folders is derived from it.) When conducting an investigation, the computer investigator needs to confirm the contents of the folder in addition to confirming what that folder is associated with (for example, if the Startup folder is redirected, programs may be executing at startup from that new location).

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\*

Contains the links relevant to folders used by All Users. These can likewise be redirected to point to alternate file system locations for malicious or legitimate reasons.

HKLM\System\CurrentControlSet\Control\Hivelist

Maps each loaded hive (\REGISTRY\MACHINE\SAM, \REGISTRY\USER\<SID>, and so on) to the file that backs it. On Windows XP and 2003 this shows where the hive files live and which user hives (NTUSER.DAT) are currently loaded.

Determining what files, folders, or applications were most recently used is a key task in investigations. Showing that an individual opened a file, saved a file, or searched for a file can prove the suspect knew the file existed (or even created the file, in the case of Save As lists). Sometimes a suspect will delete a file after viewing it. Unless explicitly cleared, the file name may still appear in the Most Recently Used (MRU) registry keys.

Many of the MRU keys listed in Table 6-3 contain values with single-letter names in addition to a value called MRUList holding a string of letters. In MRUList, the most recently used item is the first letter on the left, the next most recent follows, and so on through the end of the list. Some keys (RecentDocs on XP, for example) use an MRUListEx value instead: numbered values and a binary array of 4-byte little-endian indexes, most recent first, terminated by 0xFFFFFFFF.
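The ordering rule is easy to get wrong by hand when letters have been reused or entries deleted, so here it is as code. This is an added example, not from the book: it orders a constructed RunMRU key by its MRUList letters (stripping the \1 suffix RunMRU appends to each typed command) and, as an added generalization the text does not cover, orders a constructed RecentDocs key by its MRUListEx indexes and recovers the UTF-16LE file name at the start of each value. Both sample keys are invented.

```python
"""Order MRU entries most recent first (added example, not from the book)."""
import struct

# Constructed RunMRU key: single-letter values plus MRUList, as described above.
RUNMRU = {
    'a': 'cmd\\1',
    'b': 'regedit\\1',
    'c': '\\\\fileserver\\share\\1',
    'd': 'notepad C:\\temp\\notes.txt\\1',
    'MRUList': 'dbca',
}


def _recentdocs_entry(name):
    # Constructed RecentDocs data: UTF-16LE file name, null terminator, then
    # bytes standing in for the shell item that follows in the real value.
    return name.encode('utf-16-le') + b'\x00\x00' + b'\x14\x00\x32\x00'


# Constructed RecentDocs key using the MRUListEx form (numbered values).
RECENTDOCS = {
    '0': _recentdocs_entry('budget.xls'),
    '1': _recentdocs_entry('resume.doc'),
    '2': _recentdocs_entry('q3plan.ppt'),
    'MRUListEx': struct.pack('<4I', 2, 0, 1, 0xFFFFFFFF),
}


def order_by_mrulist(values, list_name='MRUList'):
    """(name, data) pairs most recent first, following the MRUList letters.

    Letters in MRUList with no matching value are skipped; single-letter values
    not named in MRUList (stale entries) are appended last so nothing is lost.
    """
    order = values.get(list_name, '')
    ordered, seen = [], set()
    for letter in order:
        if letter in values and letter not in seen:
            ordered.append((letter, values[letter]))
            seen.add(letter)
    for name, data in values.items():
        if len(name) == 1 and name not in seen:
            ordered.append((name, data))
    return ordered


def order_by_mrulistex(values, list_name='MRUListEx'):
    """Same for MRUListEx: 4-byte little-endian indexes, 0xFFFFFFFF terminated."""
    raw = values.get(list_name, b'')
    count = len(raw) // 4
    ordered = []
    for index in struct.unpack('<%dI' % count, raw[:count * 4]):
        if index == 0xFFFFFFFF:
            break
        name = str(index)
        if name in values:
            ordered.append((name, values[name]))
    return ordered


def run_history(values):
    """Typed Run-box commands, newest first; RunMRU data ends in a literal \\1."""
    return [data[:-2] if data.endswith('\\1') else data
            for _, data in order_by_mrulist(values)]


def _utf16_name(data):
    # read up to the first 2-byte aligned null pair
    for i in range(0, len(data) - 1, 2):
        if data[i:i + 2] == b'\x00\x00':
            return data[:i].decode('utf-16-le')
    return data.decode('utf-16-le', errors='replace')


def recent_docs(values):
    """File names from a RecentDocs key, newest first."""
    return [_utf16_name(data) for _, data in order_by_mrulistex(values)]


if __name__ == '__main__':
    print(run_history(RUNMRU))
    print(recent_docs(RECENTDOCS))
```

Stale single-letter values that MRUList no longer references are still reported (last) because a user who edits MRUList by hand leaves the data behind; that leftover is exactly what an investigator wants to see.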

Table 6-3: Recently Used Item Registry Keys

NAME

DESCRIPTION

HKCU\Software\Microsoft\Internet Explorer\TypedURLs

Shows any URLs typed into the Internet Explorer address bar, including local file paths. The values are named url1, url2, and so on, with url1 the most recent. These URLs were typed by the user (as opposed to being clicked on or generated by spyware), and can be used to rebut a spyware defense.

HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List

Displays the most recent files opened in Wordpad. Notepad does not have a specific MRU list.

HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List

Shows the most recent files opened in Paint.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Lists the most recently typed items in the Run box; each value holds the typed command followed by \1, and MRUList gives the order. Programs run from a command prompt instead of the Run dialog box are not shown. Programs a suspect launched and then deleted might still be listed in this key.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\*

Lists, under subkeys named by extension, the most recently opened documents from Explorer. Separate from the Recent Documents Start Menu item, searches for a given file or for files of a particular extension may show that the user recently opened them here.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

Stores the window size and position of recently used folders and files as binary shell item lists. Although the size and position may not matter, the file name embedded in the data may show that the file was present and opened on a specific machine. This key is rarely cleaned, even when users go through the registry to delete items. Likewise, because the names sit inside binary data with other bytes between them, a simple text search in RegEdit will not turn them up.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Shows the most recently opened folders for a given executable (opened from a common dialog box). Showing what folders an application was using can indicate that a user was aware of their existence and opened something from them, although what was opened is not listed.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Lists the most recently opened files from a common dialog box, grouped by extension. The most recently opened files of any extension are listed under the * subkey. The presence of a given file here indicates that the user knowingly opened that file for use, viewing, or editing. These keys are not available on Windows NT.

HKCU\Software\Microsoft\MediaPlayer\Player\RecentFileList

Shows the most recent files opened by Media Player. Media Player can be used to play songs, videos, and other content (such as DVDs).

HKCU\Software\Microsoft\MSPaper\Recent File List

Lists all recent faxes or images with a .tif extension opened by Microsoft Picture and Fax Viewer. The Microsoft Picture and Fax Viewer is the default viewer for TIF images on XP.

HKCU\Software\Microsoft\Search Assistant\ACMru

Contains the most recently typed items from the Search Assistant dialog box. Items searched for using the older Find Files or Folders dialog box are located in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU.

HKCU\Software\Microsoft\Office\<Version Number>\Common\Open Find\*

Under each application's subkey is a list of the most recently opened and saved files for that Microsoft Office application (Office 2003 is version 11.0, for example). Additionally, under HKCU\Software\Microsoft\Office\<Version Number>\<App Name>, there may be a Recent Files key listing the most recent files opened by that application, depending on the Office version.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

Shows the most recent network drives mapped by the computer.

In addition to the Microsoft-specific MRU lists, installed applications may have their own most recently used keys. The most likely location for these is under the HKEY_CURRENT_USER\Software\ AppName hierarchy.

Startup Items

Spyware, viruses, and other malicious code will frequently continue to infect a computer after a reboot. To accomplish this, the code needs to be run automatically unless it is associated with a file the user is expected to reopen frequently, such as a mail file or common executable. The Windows Registry contains numerous locations from which code can automatically be run; the most common of these locations are detailed in Table 6-4. Anything suspicious found in these keys may require further investigation, but many legitimate programs also make use of these keys.

Table 6-4: Startup Item Registry Keys

NAME

DESCRIPTION

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Identifies any user-specific software set to run the next time that individual logs in. This is used less often than the HKEY_LOCAL_MACHINE key, as it is user-dependent, but it is writable by an ordinary user, so malware running without administrative rights can still persist here.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Shows the items that are automatically executed at every logon. This is the old favorite location for malware to start, but it is becoming less common as malware authors hide their software in more obscure key locations.

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

Lists executables set to be run once and then deleted from the registry. This is frequently used by two-part installers requiring a reboot between parts. Malware can use this key by placing a link to the offending code in it and then re-adding the entry each time it runs, after the automatic removal.

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

Lists executables set to be run once and then deleted from the registry. Generally used for unattended system installations on Windows XP, RunOnceEx can be used for malicious code the same way as the RunOnce key above.

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

Lists programs set to run as pseudo-services at startup, either once or every time. These keys are processed only by Windows 9x/Me, where they run before the user logs on; NT-based systems ignore them and use the Services key instead. They are not always present, but can be created by the programs taking advantage of them.

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows (Load and Run values)

These are lesser-known values, the registry equivalents of the load= and run= lines in win.ini. They are used sometimes because they do not require creating a new subkey and are examined less frequently.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Lists programs that policy settings run automatically when the user logs in. The HKEY_CURRENT_USER key applies to a particular user, while the HKEY_LOCAL_MACHINE key applies to any user.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Contains the path to userinit.exe (legitimate; the default is C:\WINDOWS\system32\userinit.exe followed by a trailing comma). However, it can also contain other executables separated by commas. As this value is not generally used by legitimate programs, any entry other than userinit.exe should be viewed with suspicion. The Shell value in the same key (normally Explorer.exe) deserves the same check.

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

Shows COM objects (listed by CLSID) that Explorer loads at startup on the Windows NT-based operating systems (not Windows 9x). There are generally a few legitimate Windows-generated entries in this hierarchy.
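Checking the locations in Table 6-4 by hand is error-prone, so the following added example (not the book's code) runs the checks over a constructed snapshot of the relevant keys, shaped as they would come out of an export: it lists every Run-family entry for review, flags anything in Userinit other than the default userinit.exe path, reports non-empty Load and Run values, detects a redirected Startup folder (compared against an assumed default profile path), and reads load= and run= from a win.ini. The sample values, including the suspicious-looking ones, and the profile name jdoe are invented for the example.

```python
"""Autostart triage over an exported registry snapshot (added example, not from the book)."""
import configparser

RUN_KEYS = [
    r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run',
    r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run',
    r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
]
WINLOGON = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
LOAD_KEY = r'HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows'
SHELL_FOLDERS = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'

EXPECTED_USERINIT = r'C:\WINDOWS\system32\userinit.exe'   # XP default; systemroot assumed
# Assumed default Startup folder for the profile under review (jdoe is invented).
DEFAULT_STARTUP = r'C:\Documents and Settings\jdoe\Start Menu\Programs\Startup'

# Constructed snapshot {key path: {value name: data}}; the suspicious-looking
# entries are invented for the example, not taken from a real system.
SAMPLE_KEYS = {
    RUN_KEYS[0]: {'ctfmon.exe': r'C:\WINDOWS\system32\ctfmon.exe'},
    RUN_KEYS[1]: {'SoundMAX': r'C:\Program Files\Analog Devices\SoundMAX\SMTray.exe',
                  'svchost': r'C:\WINDOWS\system32\drivers\svchost.exe'},
    RUN_KEYS[2]: {},
    WINLOGON: {'Userinit': r'C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wsvc.exe,',
               'Shell': 'Explorer.exe'},
    LOAD_KEY: {'Load': r'C:\DOCUME~1\jdoe\LOCALS~1\Temp\upd.exe', 'Run': ''},
    SHELL_FOLDERS: {'Startup': r'D:\Data\StartItems',
                    'Recent': r'C:\Documents and Settings\jdoe\Recent'},
}

# Constructed win.ini; the [windows] load= and run= lines are autostart points.
SAMPLE_WIN_INI = """[windows]
load=C:\\WINDOWS\\system32\\hook.exe
run=
NullPort=None

[fonts]
"""


def run_entries(keys):
    """Every (key, value name, command) under the Run-family keys, for review."""
    return [(key, name, cmd)
            for key in RUN_KEYS
            for name, cmd in keys.get(key, {}).items()]


def userinit_findings(keys, expected=EXPECTED_USERINIT):
    """Entries in Winlogon\\Userinit other than the expected userinit.exe path."""
    value = keys.get(WINLOGON, {}).get('Userinit', '')
    entries = [e.strip() for e in value.split(',') if e.strip()]
    return [e for e in entries if e.lower() != expected.lower()]


def load_run_findings(keys):
    """Non-empty Load/Run values under Windows NT\\CurrentVersion\\Windows."""
    values = keys.get(LOAD_KEY, {})
    return {name: values[name] for name in ('Load', 'Run') if values.get(name)}


def redirected_startup(keys, expected=DEFAULT_STARTUP):
    """The Startup folder path if it no longer points at the profile default."""
    actual = keys.get(SHELL_FOLDERS, {}).get('Startup')
    if actual and actual.lower().rstrip('\\') != expected.lower().rstrip('\\'):
        return actual
    return None


def win_ini_autostarts(text):
    """load= and run= from the [windows] section, when set."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if not parser.has_section('windows'):
        return {}
    return {opt: parser['windows'][opt]
            for opt in ('load', 'run') if parser['windows'].get(opt)}


def triage(keys, win_ini_text):
    return {
        'run_entries': run_entries(keys),
        'userinit_extra': userinit_findings(keys),
        'load_run': load_run_findings(keys),
        'startup_redirect': redirected_startup(keys),
        'win_ini': win_ini_autostarts(win_ini_text),
    }


if __name__ == '__main__':
    for section, finding in triage(SAMPLE_KEYS, SAMPLE_WIN_INI).items():
        print(section, finding)
```

The Run-family entries are listed rather than judged, because, as the text says, many legitimate programs use them; the checks that do return findings (Userinit, Load/Run, a redirected Startup folder) cover values that legitimate software almost never touches.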

AUTOSTART LOCATIONS

Windows has numerous locations from which programs can be launched automatically at startup. In addition to the standard registry locations detailed earlier, there are numerous other points from which an application can be launched. These include:

  • The Startup folders under individual user profiles:

    • C:\Documents and Settings\<Profile Name>\Start Menu\Programs\Startup by default on Windows 2000/XP/2003

    • %SYSTEMROOT%\Profiles\<Profile Name>\Start Menu\Programs\Startup on Windows NT

  • The Startup folders for all profiles:

    • C:\Documents and Settings\All Users\Start Menu\Programs\Startup by default on Windows 2000/XP/2003

    • %SYSTEMROOT%\Profiles\All Users\Start Menu\Programs\Startup on Windows NT

    • %SYSTEMROOT%\Start Menu\Programs\StartUp on Windows 9x

  • The legacy DOS program and driver autoload locations:

    • C:\autoexec.bat

    • C:\config.sys

  • The Windows autostart files:

    • %SYSTEMROOT%\winstart.bat

    • %SYSTEMROOT%\wininit.ini

  • The Windows configuration files:

    • %SYSTEMROOT%\win.ini (the load= and run= lines in the [windows] section)

    • %SYSTEMROOT%\system.ini (the shell= and scrnsave.exe= lines in the [boot] section)

  • The legacy DOS-mode startup file (on Windows 9x):

    • %SYSTEMROOT%\dosstart.bat

  • The application environment files for 16-bit applications (on Windows NT-based systems):

    • %SYSTEMROOT%\System32\autoexec.nt

    • %SYSTEMROOT%\System32\config.nt

  • As Windows Services:

    • Any services with a Startup type of Automatic in the Services list

In addition to the above locations, applications can be automatically started from other applications, from other application shortcuts, and through component controls (such as those in Internet Explorer).

To easily view the majority of programs that start automatically, Sysinternals provides the program Autoruns. A screenshot of Autoruns output is shown in the following figure. Additionally, for live system forensic analysis, a command-line version (autorunsc) is included; its output can be redirected to removable media rather than written to the target disk.


Autoruns Output


Intelliforms

Microsoft Internet Explorer 5.0 introduced the Autocomplete feature to allow users to easily store and automatically fill out form entries online. Autocomplete uses a Microsoft technology called Intelliforms. The technology itself matches the name on a form input field to a group of values stored in the registry. These registry entries are then queried when a website with similar fields is opened.

Intelliforms can store all information typed into forms in the browser. This includes credit card numbers, passwords, addresses, and other pieces of information critical to an investigation. To protect this information, Microsoft encrypts the registry entries stored for Intelliforms and places them under the key HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider\. This key is accessible only to the SYSTEM account by default, and even with the proper permissions granted the data is viewable only in encrypted form.

To access Intelliforms information as well as other encrypted registry entries, the investigator can refer to a few products, including Windows Secret Explorer, which works on both live systems and registry files (see Figure 6-3).

Figure 6-3: Windows Secret Explorer decryption

The entries shown correspond to the field firstname and the different values typed into fields of that name. If an investigator needs to find out what was typed into a particular field on a URL and Autocomplete was turned on, the investigator can open the page in question, view the HTML source, and find the name of the relevant text box (an <input type=text name=nnnn> tag, where nnnn is the name of the field). The textarea tag is another common form element that may have a name associated with it. Armed with the name, Windows Secret Explorer can then be used to directly view the values typed into that field. Note that Autocomplete stores values by field name rather than by URL, so a value shown for firstname may have been typed on any site using that field name, and fields the page marks with autocomplete="off" are not stored at all.
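Finding the field names to look up is a small but tedious step on a page with many inputs. The following added example (not from the book) uses Python's standard HTML parser to list the name attributes of the input and textarea elements in a saved copy of the page, and separates the fields Autocomplete would actually store (text-like inputs and textareas not marked autocomplete="off") from hidden, submit, and password fields. The sample order form and its field names are constructed for the example.

```python
"""List form field names from saved page HTML (added example, not from the book)."""
from html.parser import HTMLParser

# Constructed order form; field names invented for the example.
SAMPLE_HTML = """<form action="/order" method="post">
  <input type="hidden" name="session" value="abc123">
  <input type=text name=firstname>
  <input type="text" name="lastname" autocomplete="off">
  <input type="text" name="ccnumber">
  <input type="password" name="passwd">
  <textarea name="comments"></textarea>
  <input type="submit" name="go" value="Buy">
</form>"""

# Inputs the user never types into; Autocomplete has nothing to store for them.
NON_TEXT_TYPES = {'hidden', 'submit', 'button', 'reset', 'image',
                  'checkbox', 'radio', 'file'}


class FormFieldCollector(HTMLParser):
    """Collect (name, type, autocomplete_off) for every named input/textarea."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag not in ('input', 'textarea'):
            return
        a = {k.lower(): (v or '') for k, v in attrs}
        name = a.get('name')
        if not name:
            return
        field_type = 'textarea' if tag == 'textarea' else a.get('type', 'text').lower()
        self.fields.append((name, field_type, a.get('autocomplete', '').lower() == 'off'))


def form_fields(html):
    """All named input/textarea fields in document order."""
    collector = FormFieldCollector()
    collector.feed(html)
    collector.close()
    return collector.fields


def autocomplete_candidates(html):
    """Field names whose typed values Autocomplete would keep under that name."""
    return [name for name, field_type, off in form_fields(html)
            if field_type not in NON_TEXT_TYPES and field_type != 'password' and not off]


def password_fields(html):
    """Password inputs go through the separate password-saving prompt; list them too."""
    return [name for name, field_type, _ in form_fields(html) if field_type == 'password']


if __name__ == '__main__':
    print('look up these names:', autocomplete_candidates(SAMPLE_HTML))
    print('password fields:', password_fields(SAMPLE_HTML))
```

Run it against the page source saved from the investigator's own workstation, not the suspect's, so the lookup does not touch the evidence machine.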



Windows Forensics: The Field Guide for Corporate Computer Investigations
ISBN: 0470038624
Year: 2006
Pages: 71
Author: Chad Steel