Uploaded by mohd-zahari-zainal-abidin
7/21/2019 Windows Registry Analysis
1/62
Windows Registry Analysis
Computer Forensics, 2013
Registry Analysis
- The registry is the central database of Windows systems:
  - configuration of the system
  - information about user activity
  - applications installed and opened, window positions and sizes (to provide the user with a better experience)
- Information is time-stamped
Registry Analysis
- Used to get system information
  - Example: the system has no prefetch files. Investigate the corresponding registry key (Microsoft Knowledge Base 307498):
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
    (the EnablePrefetcher value in this key controls whether boot and application prefetch files are written)
- Used to establish timelines of activity
Registry Analysis
- What if there are no values? "Absence of evidence is not evidence of absence."
  - E.g. anti-forensics: Window Washer removes registry entries, but the last run time of Window Washer itself becomes evidence
  - E.g. a malware DLL not loaded through the registry could be loaded through some other mechanism, such as a shell extension
Registry Analysis
- Contents: the basic structure remains fixed, but the location of values changes between Windows versions
- Storage location depends on hive and system:
  - main hives (SAM, SECURITY, SOFTWARE, SYSTEM, DEFAULT) in Windows\system32\config
  - user information in the NTUSER.dat hive in the user's profile
- Parts are volatile, populated when the need arises, and therefore absent from an offline set of hive files:
  - HKEY_CURRENT_USER (a link to the logged-on user's hive under HKEY_USERS)
  - HKEY_LOCAL_MACHINE\HARDWARE (built at boot)
  - HKEY_LOCAL_MACHINE\System\CurrentControlSet (a link to the selected ControlSet00N)
  - HKEY_CLASSES_ROOT (merged view of machine and user class registrations)
Registry Analysis
Key cell ("nk") structure, byte offsets:
  0-3   Size (signed: negative = cell allocated, positive = free cell, i.e. registry slack)
  4-5   Node ID ("nk" signature)
  6-7   Node type
  8-15  LastWrite time (FILETIME)
Value cell ("vk") structure, byte offsets:
  0-3   Size
  4-5   Node ID ("vk" signature)
  6-7   Value name length
  8-11  Data length (high bit set = data of 4 bytes or less is stored in the offset field itself)
  12-15 Offset to data
  16-19 Value type
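The cell layouts above can be parsed straight out of a hive file, which is also how the LastWrite time that regedit never shows is recovered and why it comes out in UTC. The following is an added example, not code from the slides or from any tool they name: it decodes the key and value cell headers at the offsets listed, converts the LastWrite FILETIME to UTC, and handles two details a parser has to get right, the signed cell size that separates allocated cells from slack and the inline storage of small values. The two sample cells are constructed by hand.

```python
"""Parse registry hive key (nk) and value (vk) cell headers.

Added example; this is not code from the slides. The field offsets are the
ones listed on the slide (cell size, node ID, node type, LastWrite for a key
cell; size, node ID, name length, data length, data offset, value type for a
value cell), plus the vk flags word and the value name that follow them.
The two sample cells are constructed by hand, not copied from a real hive.
"""
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

VALUE_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
               4: "REG_DWORD", 5: "REG_DWORD_BIG_ENDIAN", 7: "REG_MULTI_SZ",
               11: "REG_QWORD"}


def filetime_to_utc(filetime: int) -> datetime:
    """Convert a 64-bit FILETIME to an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_nk_cell(cell: bytes) -> dict:
    """Decode the header of a key cell; the LastWrite time is what regedit hides."""
    size, signature, node_type, last_write = struct.unpack_from("<i2sHQ", cell, 0)
    if signature != b"nk":
        raise ValueError("not a key cell: signature %r" % signature)
    return {
        # The size is signed: negative means the cell is allocated, positive
        # means free space that may still hold a deleted key (registry slack).
        "size": abs(size),
        "in_use": size < 0,
        "node_type": node_type,  # 0x20 = ordinary key, 0x2C = root key of the hive
        "last_write": filetime_to_utc(last_write),
    }


def parse_vk_cell(cell: bytes) -> dict:
    """Decode a value cell header and its name; small data may be stored inline."""
    size, signature, name_len, data_len, data_off, value_type, flags = \
        struct.unpack_from("<i2sHIIIH", cell, 0)
    if signature != b"vk":
        raise ValueError("not a value cell: signature %r" % signature)
    name_raw = cell[24:24 + name_len]
    # Flag bit 0 set: the name is stored as 8-bit ASCII; otherwise it is UTF-16LE.
    name = name_raw.decode("ascii" if flags & 1 else "utf-16-le")
    inline = bool(data_len & 0x80000000)
    result = {
        "size": abs(size),
        "name": name or "(Default)",
        "type": VALUE_TYPES.get(value_type, "0x%X" % value_type),
        "data_length": data_len & 0x7FFFFFFF,
        "inline": inline,
        "data_offset": None if inline else data_off,
    }
    if inline:
        # Data of four bytes or less lives in the offset field itself.
        raw = struct.pack("<I", data_off)[:result["data_length"]]
        result["data"] = int.from_bytes(raw, "little") if value_type == 4 else raw
    return result


# Constructed sample: an allocated 0x50-byte key cell last written at
# 2013-01-15 12:00:00 UTC (FILETIME 130027248000000000).
SAMPLE_NK = struct.pack("<i2sHQ", -0x50, b"nk", 0x20, 130027248000000000).ljust(0x50, b"\x00")

# Constructed sample: REG_DWORD value "EnablePrefetcher" = 3, stored inline
# (data length 4 with the high bit set, the DWORD sitting in the offset field).
SAMPLE_VK = (struct.pack("<i2sHIIIHH", -0x28, b"vk", 16, 0x80000004, 3, 4, 1, 0)
             + b"EnablePrefetcher")

if __name__ == "__main__":
    print(parse_nk_cell(SAMPLE_NK))
    print(parse_vk_cell(SAMPLE_VK))
```

Walking a real hive means following the offsets in the data-offset field and the key's subkey/value lists (relative to the start of the hive's hbin area), which the header decoders above are the building block for; the free-cell case is what tools such as regslack mine for deleted keys.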
Registry Analysis Tools
- Live analysis: regedit.exe (native tool)
Registry Analysis Tools
- Autoruns (Sysinternals)
Registry Analysis Tools
- Registry monitoring: observe changes to the registry while interacting with the system
  - Regshot (before/after snapshots of the registry)
  - RegMon (Sysinternals; since superseded by Process Monitor)
Registry Analysis Tools
- Forensic analysis: built into tools such as ProDiscover / EnCase, F-Response, FTK
- RegRipper, rip.pl, regslack
Registry Organization
Windows Security and Relative ID
The Windows registry uses an alphanumeric combination to uniquely identify a security principal or security group: the Security ID (SID).
SID Examples
- S-1-0: Null Authority. An identifier authority.
- S-1-0-0: Nobody. No security principal.
- S-1-1: World Authority. An identifier authority.
- S-1-1-0: Everyone. A group that includes all users, even anonymous users and guests. Membership is controlled by the operating system.
- S-1-2: Local Authority. An identifier authority.
- S-1-3: Creator Authority. An identifier authority.
SID
Security ID (NT / 2000 / XP / 2003)
- HKLM\SAM\Domains\Account\Aliases\Members: this key provides information on the computer identifier (membership of local groups, keyed by SID; built-in groups live under HKLM\SAM\Domains\Builtin\Aliases)
- HKLM\SAM\Domains\Account\Users: this key provides information in hexadecimal; each account's subkey is named by its RID in hex (000001F4 = 500)
- User RIDs: Administrator = 500, Guest = 501
- Global group RIDs: Domain Admins = 512, Domain Users = 513, Domain Guests = 514 (the corresponding local aliases are Administrators = 544, Users = 545, Guests = 546)
MRU
To identify the Most Recently Used documents:
HKU\<UserSID>\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Select the file-extension subkey, then the item.
Registry Forensics
- Registry keys have a last-modified time-stamp (LastWrite), stored as a FILETIME structure, like the MAC times of files
- Not accessible through regedit
- Accessible in binary: it sits in the key cell header of the hive file, so an offline parser or a tool such as RegRipper reports it
Registry Forensics
Registry analysis:
- GUI-based live-system analysis: easiest, but most likely to incur changes. Use regedit.
- Command-line live-system analysis: less risky. Use the "reg" command (reg query, reg export).
- Remote live-system analysis: regedit allows access to a remote registry (Remote Registry service); SuperScan from Foundstone.
- Offline analysis on registry files: EnCase, FTK.
Registry Forensics
Websites
Registry Forensics: NTUSER.DAT
AOL Instant Messenger: away messages; file transfer & sharing; last user; profile info; recent contacts; registered users; saved buddy list
Registry Forensics: NTUSER.DAT
ICQ: IM contacts, file transfer info etc.; user identification number (UIN); last logged-in user; nickname of user
Registry Forensics: NTUSER.DAT
Internet Explorer: IE auto logon and password; IE search terms; IE settings; typed URLs; auto-complete passwords
Registry Forensics: NTUSER.DAT
Internet Explorer typed URLs (HKCU\Software\Microsoft\Internet Explorer\TypedURLs)
Registry Forensics: NTUSER.DAT
MSN Messenger: IM groups, contacts; location of message history files; location of saved contact list files
Registry Forensics: NTUSER.DAT
Last member name in MSN messenger
Registry Forensics: NTUSER.DAT
Outlook Express account passwords
Registry Forensics
Yahoo Messenger: chat rooms; alternate user identities; last logged-in user; encrypted password; recent contacts; registered screen names
Registry Forensics
System: computer name; dynamic disks; install dates; last user logged in; mounted devices; Windows OS product key; registered owner; programs run automatically; the system's USB devices
Registry Forensics
USB Devices (HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR: vendor, product and serial number of every USB storage device ever connected)
Registry Forensics
Networking: local groups; local users; Map Network Drive MRU; printers
Registry Forensics
WinZip
Registry Forensics
List of applications and filenames of the most recent files opened in Windows
Registry Forensics
Most recently saved files
Registry Forensics
System: recent documents; recent commands entered in the Windows Run box; programs that run automatically; startup software (a good place to look for Trojans)
Registry Forensics
User application data: Adobe products; IM contacts; search terms in Google; Kazaa data; Windows Media Player data; Word recent docs and user info; Access, Excel, Outlook, PowerPoint recent files
Registry Forensics
Go to AccessData's Registry Quick Find Chart
Registry Forensics
Case Study
Registry Forensics
IntelliForm: autocomplete feature for fast form filling
- Uses values stored in the registry: HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider
- Only visible to the SYSTEM account
- Accessible with tools such as Windows Secret Explorer
Registry Forensics:
AutoStart Viewer (DiamondCS)
Registry Research
Use RegMon
Registry Forensics Investigation
- Forensic tools allow registry investigation from an image of the drive
- Differences between the live and the offline view: no HARDWARE hive (it is volatile and rebuilt at every boot), and CurrentControlSet is not a real key offline; read the Select key to find which ControlSet00N was current
Registry Forensics Investigation
- A forensic search can reveal backups of the registry
- Intruders leave these behind when resetting the registry in order not to damage the system
Registry Forensics Investigation
- Time is Universal Time Coordinated (UTC), a.k.a. Zulu, a.k.a. Greenwich Mean Time
- Registry LastWrite and FILETIME values are stored in UTC; convert to the system's local zone (HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation) only when correlating with artifacts recorded in local time
Registry Forensics Investigation
Software key: installed software
- Registry keys are usually created at installation but not deleted when the program is uninstalled
- Find them at the root of the SOFTWARE key; beware of bogus (look-alike) names
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
- If suspicious, use the information from the registry (install path, executable name) to find the actual code on disk
- Registry time stamps (the key's LastWrite) will confirm the file's MAC data or show it to be altered
Registry Forensics Investigation
Software key: last logon
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (DefaultUserName holds the last user who logged on)
- Logon banner text / legal notice: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (LegalNoticeCaption, LegalNoticeText)
- Security Center settings: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- Firewall policy: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
- If firewall logging is enabled, the log is typically at %SystemRoot%\pfirewall.log
Registry Forensics Investigation
Analyze Restore Point settings
- Restore points were developed for Windows ME / XP
- Restore point settings at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
- Restore points are created every RPGlobalInterval seconds (default 86400 = 24 h)
- Retention period is RPLifeInterval seconds (default 7776000 = 90 days)
Registry Forensics Investigation
Aside: how to access restore points
- Restore points are protected from the user, including the administrator
- An administrator can add her/himself to the access list of the System Volume Information directory:
  - Turn off "Use simple file sharing" in Control Panel > Folder Options
  - Click on "Properties" of the directory in Explorer and
Registry Forensics Investigation
- A restore point makes copies of important system and program files that were added since the last restore point
- Files: stored in the root of the RPnn folder; names have changed but the file extension is unchanged; name changes are kept in the change.log file
- Registry data in the snapshot folder: names have changed, but predictably so (e.g. _REGISTRY_MACHINE_SOFTWARE, _REGISTRY_USER_NTUSER_<SID>)
Registry Forensics Investigation
SID example: S-1-5-21-2553256115-2633344321-4076599324-1006
- S: the string is a SID
- 1: revision number
- 5: identifier authority (NT Authority)
- 21-2553256115-2633344321-4076599324: domain or local computer identifier
- 1006: RID = relative identifier of the account
- The local SAM resolves SIDs for locally authenticated users
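As an added example (not code from the slides), the SID layout just described, decoded from the binary form in which the SAM hive and security descriptors actually store it; it also labels the well-known RIDs from the earlier SID slide and converts the hex-named SAM user subkeys back to RIDs. The sample SID is the one on the slide; the well-known RID table is standard Windows knowledge, not something taken from the deck.

```python
"""Decode Windows security identifiers (SIDs) from their binary form.

Added example; not code from the slides. In the SAM hive and in security
descriptors a SID is stored as: revision (1 byte), sub-authority count
(1 byte), identifier authority (6 bytes, big-endian), then each sub-authority
as a little-endian 32-bit integer, the last one being the RID. The sample
SID is the one discussed on the slide; the well-known RID table is standard
Windows knowledge, not something taken from the deck.
"""
import struct

WELL_KNOWN_RIDS = {
    500: "Administrator (built-in user)",
    501: "Guest (built-in user)",
    512: "Domain Admins (global group)",
    513: "Domain Users (global group)",
    514: "Domain Guests (global group)",
    544: "Administrators (local alias)",
    545: "Users (local alias)",
    546: "Guests (local alias)",
}


def sid_to_binary(sid: str) -> bytes:
    """Pack the S-R-A-... string form into the binary layout stored in the hive."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("malformed SID: %s" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_binary(blob: bytes) -> str:
    """Unpack a binary SID (e.g. from a SAM V value or an ACE) into its string form."""
    revision, count = struct.unpack_from("<BB", blob, 0)
    if len(blob) < 8 + 4 * count:
        raise ValueError("truncated SID: %d sub-authorities announced" % count)
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def describe_sid(sid: str) -> dict:
    """Split a SID into the parts named on the slide and label the RID."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    info = {"revision": int(parts[1]), "authority": int(parts[2]), "sub_authorities": subs}
    # S-1-5-21-X-Y-Z-RID: NT Authority, "21" marks a machine/domain SID,
    # X-Y-Z identify that machine or domain, the final value is the RID.
    if info["authority"] == 5 and len(subs) == 5 and subs[0] == 21:
        rid = subs[-1]
        info["machine_or_domain"] = "-".join(parts[4:7])
        info["rid"] = rid
        if rid in WELL_KNOWN_RIDS:
            info["account"] = WELL_KNOWN_RIDS[rid]
        elif rid >= 1000:
            info["account"] = "user-created account (RID >= 1000)"
        else:
            info["account"] = "reserved well-known RID"
    return info


def rid_from_sam_key(subkey_name: str) -> int:
    """SAM\\Domains\\Account\\Users subkeys are named by RID in hex: 000001F4 -> 500."""
    return int(subkey_name, 16)


# Constructed samples: the machine SID from the slide, and the Everyone SID.
SAMPLE_SID = "S-1-5-21-2553256115-2633344321-4076599324-1006"
EVERYONE_SID_BINARY = bytes([1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0])

if __name__ == "__main__":
    print(sid_from_binary(sid_to_binary(SAMPLE_SID)))
    print(describe_sid(SAMPLE_SID))
    print(sid_from_binary(EVERYONE_SID_BINARY), rid_from_sam_key("000001F4"))
```

The machine/domain part is what ties a RECYCLER\<SID> folder, an NTUSER.DAT and a SAM entry to the same account; the RID alone is reused on every machine (500 is always the built-in Administrator), so it is the full SID, not the RID, that should be matched across artifacts.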
Registry Forensics Investigation
Resolving local SIDs through the Recycle Bin: on Windows XP each user's deleted files live in RECYCLER\<SID>, so the folder names pair SIDs with the profiles that own them
Registry Forensics Investigation
Protected Storage System Provider data
- Located in NTUSER.DAT\Software\Microsoft\Protected Storage System Provider
- Various tools will reveal the contents: forensically, AccessData Registry Viewer; Secret Explorer; Cain & Abel; Protected Storage PassView v1.63
Registry Forensics Investigation
MRU: Most Recently Used
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU (commands typed into the Run box)
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
- HKEY_CURRENT_USER\Printers\Settings\Wizard\ConnectMRU
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32: programs and the files opened by them; files opened and saved (OpenSaveMRU, LastVisitedMRU)
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Search Assistant\ACMru (search terms)
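The MRU keys above, and the RecentDocs key from the earlier MRU slide, store the ordering separately from the items: an MRUList value (letters) or an MRUListEx value (binary index list), most recent first. Reading the item values alone loses the order and keeps stale entries. The following added example (not from the slides) reconstructs the order for both conventions and copes with indexes whose item has been deleted; the sample keys are constructed.

```python
"""Order MRU (most recently used) registry items, newest first.

Added example; not code from the slides. Two index conventions are in use:
  - RunMRU, OpenSaveMRU, Map Network Drive MRU: items are REG_SZ values named
    a, b, c ...; the REG_SZ value "MRUList" lists those letters, most recent
    first (RunMRU entries carry a trailing "\\1").
  - RecentDocs: items are REG_BINARY values named 0, 1, 2 ...; the data starts
    with the UTF-16LE file name, null-terminated, followed by a shell item;
    the REG_BINARY value "MRUListEx" is a little-endian list of 32-bit
    indexes, most recent first, terminated by 0xFFFFFFFF.
The two sample keys below are constructed, not read from a real system.
"""
import struct


def order_mrulist(values: dict) -> list:
    """Items of an a/b/c-style MRU key in MRUList order; tolerates a missing item."""
    ordered = []
    for letter in values["MRUList"]:
        item = values.get(letter)
        if item is None:
            continue  # index points at a value that no longer exists
        if item.endswith("\\1"):
            item = item[:-2]  # RunMRU appends "\1" to every command
        ordered.append(item)
    return ordered


def order_mrulistex(values: dict) -> list:
    """File names of a RecentDocs-style key in MRUListEx order, newest first."""
    raw = values["MRUListEx"]
    indexes = struct.unpack("<%dI" % (len(raw) // 4), raw)
    names = []
    for idx in indexes:
        if idx == 0xFFFFFFFF:
            break  # list terminator
        data = values.get(str(idx))
        if data is None:
            continue  # stale index: the item value was deleted
        end = 0  # the name ends at the first 2-byte-aligned UTF-16 null
        while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
            end += 2
        names.append(data[:end].decode("utf-16-le"))
    return names


def _recentdocs_item(name: str) -> bytes:
    """Build constructed RecentDocs data: UTF-16LE name, terminator, dummy shell item."""
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x32\x00" + b"\x00" * 16 + b"\x00\x00"


SAMPLE_RUNMRU = {
    "a": "cmd\\1",
    "b": "regedit\\1",
    "c": "\\\\fileserver\\share\\1",
    "MRUList": "cba",  # c is the most recent command typed into the Run box
}

SAMPLE_RECENTDOCS = {
    "0": _recentdocs_item("report.docx"),
    "1": _recentdocs_item("budget.xlsx"),
    "2": _recentdocs_item("notes.txt"),
    # newest first: 2, then a stale index 7, then 0 and 1, then the terminator
    "MRUListEx": struct.pack("<5I", 2, 7, 0, 1, 0xFFFFFFFF),
}

if __name__ == "__main__":
    print(order_mrulist(SAMPLE_RUNMRU))
    print(order_mrulistex(SAMPLE_RECENTDOCS))
```

Only the key's LastWrite time is dated, and it moves whenever the list changes; so the first item in the reconstructed order is the one the LastWrite time belongs to, and the rest can only be bounded, not dated.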
Registry Forensics Investigation
UserAssist
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
- ROT-13 encoding of the data used to populate the User Assist area of the Start button (the value names are the ROT-13-encoded program paths)
- Contains the most recently used programs, with a run count and a last-run time per entry
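Decoding the UserAssist key in practice, as an added example that is not code from the slides: the value names are ROT-13 of program paths, as the slide says; the 16-byte record layout assumed for the data (session, counter that starts at 5, FILETIME of the last run) is the Windows XP/2003 format and is an assumption about the source system, since Windows 7 and later use a 72-byte record. The entries below are constructed.

```python
"""Decode UserAssist entries: ROT-13 value names plus the XP-era count record.

Added example; not code from the slides. The value name is the ROT-13 of the
program path, as the slide says. The data layout used here is the 16-byte
Windows XP/2003 record (4-byte session, 4-byte run counter that starts at 5,
8-byte FILETIME of the last run), which is an assumption about the source
system: Windows 7 and later use a 72-byte record, so anything of another
length is refused rather than misread. All entries below are constructed.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
RUNPATH_PREFIX = "UEME_RUNPATH:"


def decode_name(value_name: str) -> str:
    """ROT-13 touches only A-Z and a-z, so drive letters, digits and GUIDs survive."""
    return codecs.decode(value_name, "rot_13")


def parse_xp_record(data: bytes) -> dict:
    """Split the 16-byte XP/2003 record into session, real run count and last run (UTC)."""
    if len(data) != 16:
        raise ValueError("expected a 16-byte XP/2003 UserAssist record, got %d bytes" % len(data))
    session, counter, last_run = struct.unpack("<IIQ", data)
    return {
        "session": session,
        # The counter is initialised to 5, so subtract 5 to get real executions.
        "run_count": max(counter - 5, 0),
        # A zero FILETIME means the entry was created without a recorded run.
        "last_run": None if last_run == 0 else FILETIME_EPOCH + timedelta(microseconds=last_run // 10),
    }


def list_program_runs(count_key: dict) -> list:
    """Decode every value of a ...\\UserAssist\\{GUID}\\Count key; newest run first."""
    rows = []
    for raw_name, data in count_key.items():
        name = decode_name(raw_name)
        if not name.startswith(RUNPATH_PREFIX):
            continue  # UEME_RUNPIDL, UEME_RUNCPL etc. record other launch types
        record = parse_xp_record(data)
        record["path"] = name[len(RUNPATH_PREFIX):]
        rows.append(record)
    rows.sort(key=lambda r: r["last_run"] or FILETIME_EPOCH, reverse=True)
    return rows


# Constructed sample key contents (value name -> REG_BINARY data).
SAMPLE_COUNT_KEY = {
    # UEME_RUNPATH:C:\Windows\system32\cmd.exe, run 7 times, last 2013-01-15 13:00 UTC
    "HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\pzq.rkr": struct.pack("<IIQ", 1, 12, 130027284000000000),
    # UEME_RUNPATH:C:\Tools\ncat.exe, run once, 2013-01-15 12:00 UTC
    "HRZR_EHACNGU:P:\\Gbbyf\\apng.rkr": struct.pack("<IIQ", 1, 6, 130027248000000000),
    # UEME_RUNPIDL:%csidl2%\Accessories (a Start-menu folder, not a program launch)
    "HRZR_EHACVQY:%pfvqy2%\\Npprffbevrf": struct.pack("<IIQ", 1, 5, 0),
}

if __name__ == "__main__":
    for row in list_program_runs(SAMPLE_COUNT_KEY):
        print(row["path"], row["run_count"], row["last_run"])
```

Because the names are obfuscated rather than encrypted, a keyword search of the hive for a tool name will miss UserAssist hits; search for the ROT-13 form as well, or decode the whole key first as above.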
Registry Forensics Investigation
AutoRun programs
- Long list of locations in the registry (Run, RunOnce, Winlogon, Services and others)
- Long list of locations outside the registry:
  %SystemDrive%\autoexec.bat, %SystemDrive%\config.sys, %WinDir%\wininit.ini, %WinDir%\winstart.bat, %WinDir%\win.ini, %WinDir%\system.ini, %WinDir%\dosstart.bat, %WinDir%\system32\autoexec.nt, %WinDir%\system32\config.nt, %WinDir%\system32\autochk.exe
Registry Forensics Investigation
Rootkit enabler
- An attacker can use the AppInit_DLLs value (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs) to run their own DLL: every process that loads user32.dll also loads the DLLs listed there