Lecture 4

Lecture 4 • User login • User Activity • Typed URLs • IE info • User Assist key • MRU list • Search Assistant • Connection to other system • Recycle bin • Win 7 Registry • Session manager • Swap files • Prefetch utility • Security • Software • Uninstalled software • Autostart locations

System> The Session Manager • Session Manager: • Executed during startup process, Starts kernel, starts winlogon.exe, starts subsystems in HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems • Stores important information about • System. how memory is used in the computer • Decides: • Are the data in the swapfile overwrited at shutdown? • Where is the swap file located? • What prefetch information are saved?

Swap files? • Swap or page files, are the pages of system memory being swapped out to the hard disk drive during standard system operations. • Pages are 4 kb, being used by RAM. • The pages haven’t been used recently will be swapped in hard so there would be more space in RAM to be used by another programs. • Page files are stored by default in Pagefile.sys file.

Swap files? • In page files potential information like: password; email and decrypted data can be found. • User can turn on the utility to clear the pagefiles after shutdown from: • Key : ControlSET###\Control\Session Manager\Memory Management • Value name: ClearPageFileAtShutdown • By setting it to 1 • “PagingFiles “ value shows the name and the location of the page file.

Session manager System\ControlSet###\Control\Session Manager\Memory Management • The swap files, overwritten or not • 0 = not overwrited • 1 = fill with zeros • Where the swap file is located

Prefetch parameters • PrefetchUtillity : • Monitors eachaplicationas it is initializes. • Records the loading order offilesand mapsthat information for nexttimeretrieval. • The prefetched information is stored as .pffilesin C:\Windows\Prefetch folder • Key: ControlSet###\Control\SessionManager\MemoryManagement\ PrefetchParameters • EnablePrefetcher • 0 = Prefetch is disabled • 1 = Applicationonly • 2 = Bootonly • 3 = Application and Bootenabled Order File 3 File 2 File 1

Prefetch parameters Prefetch configuration

2- Security • Security is a root key in HKLM hive • Stores security info about • Machine • Network settings • Security decriptors for file system object • Policies for passwords, and group memberships • Note: Subkeys of the Security key is not visible in Regedit

SecurityRegistryfile • Permissions: are assigned to files and folders • Full control • Modify • Read and Execute • Read • Write • Special Permissions • Rights: are assigned to Users and groups to permit specific users to input changes, like system date and time. • Policies can be applied to users or computer configurations. • User policy: e.g Like password policy requiring Certain lenghts and charachters. • Computer policy: restriction of using certain application on a bussiness computer.

The SecurityRegistryfile • Microsoft designed tools to edit the information for: • Group policy • Security policy • Active Directory (used for editing the system which is on a domain) • Note: It is not recommended to edit the security file and permissions without tools.(cause to change a part of a group) • Real passwordsarestored in an encrypted format, not as hashes! Unlike the storingofhashes as seen in SAM file. • Password • localmachine • Security\Policy\Secrets\DefaultPassword • Domain • Security\Cache subkey • Valuenamesare from NL$1toNL$10

Security\Passwordcaching • The security file provides password caching • Password caching can be turned off by changing the value of ”cachedlogonscount ” in the subkey • SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon • Default value = 10 decimal • Must be administrator to access

To recovercashedpasswords Local passwords are stored in following path: Security\Policy\secrets\defaultPassword Old and current local password • Export the SECURITY and SYSTEM registry files • Drop the SECURITY file into PRTK • Point to the Syskey in the SYSTEM file 4. No levels or dictionaries are required It’s not for sure that the methodworks.It’sdepending onWindow versions.

3- SOFTWARE (OS inf) • SOFTWAREis a rootkey in HKLM hive • Settings for software • Remember: Individualuser’ssettingsarestored in NTUSER.DAT • SOFTWARE\Microsoftsubkeyhave information aboutevery Microsoft applicationincluding OS • Windows itself is recognised as a software application • OS information is found in,SOFTWARE\Microsoft\Windows NT\CurrentVersion

OS info: Software\Microsoft\Windows NT\CurrentVersion • Info about the OS • ProductName • Installation date and time • RegisteredOrganisation • RegisteredOwner • Service Pack • .. .

Uninstalled Software • Installed application: • subkeys under its name in SOFTWARE file • Uninstalled application: • it will be removed from this location. • Many programs can’t remove every thing after being installed. • Some times remainders are left. • E,g: PGP leaves user’s public/private keysets.

Uninstalled Software 1- Information can be left in MasterFileTable ($MFT). 2- Search for uninstalled software in FTK: • Index search in FTK for application keywords and company name • Search-functions in Registry Viewer. • Search for subkey headers and value headers in FTK Imager 3- Install the searched software on a clean system and see what traces it will give

Uninstall\<application> registrySlack space can contain information about uninstalled applications. Land clusters, typically 4 KB (NTFS) (8 pcs. 512 byte sectors) Clusters with a saved file Clusters with a deleted file The file is still there while the reference to the cluster is deleted in the MFT (Master File Table), The cluster ports in the list of clusters that can be used for storage Cluster with a new file (gray) saved Remainders of old file is still in the cluster Example 10 kB file with 2 kB of slack space 4 kB 4 kB

Uninstall\<application> • To viewcurrentlyexistapplication: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<application> • Contains information aboutapplicationsthatcurrentlyexist in the system • May have registered username • Install date and time • Pointers to the application and itsuninstall program thatwasproperlyuninstalled and had standard unistalled setup. • Version numbers • Information aboutupdatesof Windows system • And more… .

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ <application>

Autostart locations • Autostart application run automatically without user interaction. • Autostart location allow such applications to be launched. • Three different caterogies, that applications or excutable files are automaticly accessed are: • system boot • user logs in • Files accessed when a user performes some activity • Two broad classifications for startups • Global startups, stored at:SOFTWARE\Microsoft\Windows\CurrentVersion\<runtype> • User-specific startups, stored at:NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\<runtype>

Autostart locations • Runtypes that can be associated with the startup subkeys are, • Run, RunOnce, RunOnceEx, RunServices, RunServiceOnce • Run key: to run applications during boot. normally ignored if bootin into safe mode. • Run Once key: is prefixed with an asterisk (*) and program will run from safe mode • Run OnceEX: allow multiple processes to run without creating separate processes. Example: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001 RunMyApp = ”||notepad.exe” HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ \RunOnceEx\001 Entry1 = ”MyApp1.exe” EntryX = ”MyApp2.exe”

Automatically starting Windows services • Services that automatically start during system boot • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service • Services that are set to start automatically (start value 0x02) are launched

User login Registrykeysthatare accessed and parsedduring a user login are (in order), The keyswill be updatedwith the user login. • HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce • HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run • HKLM\Software\Microsoft\Windows\CurrentVersion\Run • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run • HKCU\Software\Microsoft\Windows\CurrentVersion\Run • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

Someuseractivities • HKEY_LOCAL_MACHINE\Software\Microsoft\Command processor\AutoRun • Lists commands that are run whenever the command processor (cmd.exe) is run • The value is empty by default • Try to set the value to sol.exe and after that run cmd.exe from the menu Start->run! • HKEY_LOCAL_MACHINE\Software\Classes\Exefile\Shell\Open\command • This registry key as well as the keys for other classes of files (batfile, comfile, and so on) • control what happends when that class of file is opened, by double-clicking or right-clicking and choosing open • Entries in this key should contain simply ”%1”%* and nothing else

MoreUseractivity • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs • The AppInit_DLLs key is extremely effective as a hiding place for malware. • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ • Entries beneath this key point to DLLs that receive notifications of certain events • Many malwares uses this key’s functionality • Good idea to sort the subkeys beneath Notify based on their LastWrite times • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options • The purpose is for connecting a debugger to a program • Try to create subkey notepad.exe • add to the subkey a string value called Debugg • give it the value c:\windows\system32\cmd.exe • Try to run the Notepad application!

UserbehaviorAnalysis • A number of keys can be used to track user activity • This keys can be found in the NTUSER.DAT file for the user when a user performs specific actions. • User behavior analysisis used to determine the investigation differentiate between an intentional pattern of behavior or a more accidental incident. By studying NTUSER.DAT file.

Typed URLs NTUSER.DAT\Software\Microsoft\Internet Explorer\TypedURLs • Typed URLs is a registry to track the addresses were typed into IE Browser’s address bar. • Keeps 25 latest addresses. • Entries are tracked with numbering system of URL1-URL25. • Typed URLs won’t be update until IE exit.

IE Info – Main Subkey • NTUSER.DAT\Software\Microsoft\Internet Explorer\Main • IE stores its setting and activity in NTUSER.DAT • FormSuggestPasswordsAsk : ask user about the storing the password. Yes/No • SaveDirectory : display the last file that was saved using IE browser. • SearchBar: check whether google bar is added. • SearchPage: Record the URL of the Default browser search. • StartPage: Records the Url of the Default browser start page.

The UserAssistkeys • User Assist tracks the applications run in windows. • Keeps a session count for each application. • Tracks the last excution date and time. • Not always reliable data!! • The specific keys we’re interested in are located beneath the following key path in the user’s NTUSER.DAT file • Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count

The UserAssistkeys • Data is encrypted with ROT13 by default • ROT13 = Rotate 13 • “a” becomes “n”, “b” becomes “0” • English characters are encrypted, not numbers and punctuations.(so subkey value has a distinctive look) • Registry viewer will decrypt the ROT13 entries in the key properties box and will recover them.

The UserAssistkeys • User Assist uses two GUID values to track data. • {5E6AB780-7743-11CF-A12B-00AA004AE837} • Tracks Internet favorite informationin the count subkey • {75048700-EF1F-11d0-9888-006097DEACF9} • Tracks applications oppened directly or via shortcuts. • Session Number – 369 offset 0-3 • Use count offset 4-7 • 64 bit date/time – offset 8-15 • 1/22/2008-16:18:44 UTC • Note: After first time application launched use count will have value 6 so we must subtract 5 from value.

MRU lists • Manyapplicationsmaintain an MRU list, which is a list offilesthathavebeenmostrecently accessed. • Perhaps the mostwell-known (and all-inclusive) MRU list Registrykey is the RecentDocskey: • \Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs • Values = binary data types. • Interestingvalueshavenames and numbers and MRUListExvalue : • numberedvaluenamescontain the namesof the files accessed (in Unicode), • MRUListExkeymaintains the order in whichtheywereaccessed (as DWORDs). • RecentDoccontainssubkeyswith the name or file extensions thatwasopen • E.g : .doc, .txt, .html, etc

MRU lists Another popularMRUListcan be found in the RunMRUkey: • Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU • Entriesareaddedtothiskeywhen a userclicks the Start button, choosesRun, and types a command, nameof a file, or the like. Another keysimilarto the RunMRUkey is the TypedURLskey: • Software\Microsoft\Internet Explorer\TypedURLs • The TypedURLskeymaintains a list of the URLs that the usertypesinto the Address bar in Internet Explorer • This information can be combinedwith the Temporary Internet Filesto show whichWeb sites werevisited by clicking a linkand thosethat the usertyped in by hand

MRU lists Yetanotherlocation for MRU list can be found in the followingkey: • \Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU • Thiskeymaintains MRU lists offilesopened via Open and SaveAsdialogs within the Windows shell. • Similarto the RecentDocskey, the OpenSaveMRUkeyalsomaintainssubkeysofspecificfileextendsionsthathavebeenopened or saved. • The information can be usefulto show the useof an external storagedevice.. . Yetanother MRU list can be foundbeneath the followingkey: • Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts • The subkeysbeneaththiskeycorrespondto extensions for filesthathavebeenopened on the system. • Values : OpenWithProgID and OpenWithListtell the system whatapplicationtousetoopen a filewiththat extensionwhen the userdouble clicksthe file

Search Assistant • When a user clicks the Start button in Windows XP and chooses Search, then chooses For Files and Folders, the search terms entered into the dialog box are stored in the following key • Software\Microsoft\Search Assistant\ACMru • The subkey 5001 contains the MRU list for Internet search Assistant • The subkey 5603 contains the MRU list for Windows XP files • The subkey 5604 contains the MRU list for ”word or phrase in a file” dialog box • The subkey 5647 maintains the MRU list for the computers entered via the ”for computers or people” selection in the Search Result dialog

Connectingtoother systems • When the user uses the Map Network Drive Wizard • (right-click the My Computer icon and choose Map Network Drive…) • to connect to remote system, an MRU list created beneath the following key; • Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU • Whether the user uses the Map Network Drive Wizard or the net use command, the volumes the user added to the system will appear in the following key: • Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Recycle Bin • Settings for the recycle bin are in,Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket • Settings,UseGlobalSettings, 0 = turn of global settings, 1 = use global settingsPercent, Percent of the drive that can be used for the bin, normal 10%NukeOnDelete, 0 = Do not bypass the bin, 1 = bypass the bin

Windows 7 Registry OS Artifacts—RegistryVirtualization • Location of the registry hive file for the VirtualStore Is NOT the user’s NTUSER.DAT • It is stored in the user’s UsrClass.dat \Users\[user]\AppData\Local\Microsoft\Windows\UsrClass.dat • Investigation of 7-Vista -Windows 2008 R2 requires the investigator to examine at least two account specific registry hive files for each user account. - NTUSER.DAT - UsrClass.dat

OS Artifacts - Libraries • \Users\[account]\AppData\Roaming\Microsoft\Windows\Libraries.

OS Artifacts—VolumeShadow Copy • Volume shadow copies are bit level differential backups of a volume. • 16 KB blocks. • Copy on write. • Volume Shadow copy “files” are “difference” files. • The shadow copy service is enabled by default on Vista and Windows 7, but not on Windows 2008 or 2008 R2. • “Difference files” reside in the System Volume Informationfolder.

OS Artifacts—VolumeShadow Copy • Shadow copies are the source data for Restore Points and the Restore Previous Versions features. • Used in backup operations. • Shadow copies provide a “snapshot” of a volume at a particular time. • Shadow copies can show how files have been altered. • Shadow copies can retain data that has later been deleted, wiped, or encrypted.

VSS: Volume shadow copy service, "Previous Versions."

Lecture 4

Lecture 4

Presentation Transcript

Lecture 4

Lecture 4

Lecture 4

Lecture 4

Lecture 4

Lecture 4

Lecture 4

Lecture 4

Lecture 4

Lecture 4

Lecture 4

LECTURE # 4

Lecture 4

Lecture 4

LECTURE 4

LECTURE 4

Lecture 4

Lecture 4

Lecture 4

Lecture 4

LECTURE № 4