Registry Analysis

Registry Analysis • Using regedit.exe • System Information • Autostart locations • USB Removable Storage Devices • Mounted Devices • Finding Users • User Activity • Restore Points

System Information • Located in the Current Control Set • If the systemm is not active must find the Control Set that was current • Time zone • Shares • Audit policy • Wireless SSIDs

Current Control Set • CurrentControlSet is a volatile portion of the Registry • Which of the 2 or more Control Sets are Current • The following indicate that #1 is current

Time Zone Information • SYSTEM\ControlSet001\Control\TimeZoneInformation

Computer Name HKLM\SYSTEM\ControlSet001\Control\ComputerName\ComputerName

Shutdown Time HKLM\SYSTEM\CurrentControlSet\Control\Windows HKLM\SYSTEM\ControlSet001\Control\Windows Time is measured in the number of 100-nanosecond intervals since 1 January 1601.

Shares • Windows 2K, XP, 2003, and Vista create a number of administrative shares • IPC$ - IPC share • ADMIN$ - shares that refer to the root of dirves C$, D$, etc. • User enabled shares show up in HKLM\SYSTEM\CurrentControlSet\Servicecs\lanmanserver\Shares

NetworkList - Profiles

NetworkList - Signatures

Wireless SSIDs • XP Laptops maintain a list of service set IDs • The GUID is associated with the wireless interface • Under the Static#000x lists all of the SSIDs connected

SSIDs A different Static#000x for each SSID ever connected to.

SSID Registry Entry At offset 0x10 is a DWORD (4 bytes) that contains the length of the SSID, remember little endian. “0b 00 00 00” = 0x 00 00 00 0b = 1110 SSID Length SSID

Autostarts • Applications that are launched without any interaction from the user • Often at boot time • Occasionally upon launch of a app.

Autostart Locations • Auto-start extensibility points (ASEPs) • Registry locations • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run • And elsewhere • All over the place

Autostart Locations • Start -> run -> msconfig • Lists some of the acknowledge startups

Startup Locations

Other Startup Locations • System boot • User Login • User Activity • See Carvey’s Ch4 spreadsheet for more locations

System boot • Startup services at boot time are contained in • HKLM\SYSTEM\CurrentControlSet\Services • The services are enumerated with parameters • Should be sorted by LastWriteTime • Only possible in FTK or ProDiscover

ControlSet\Services

Boot Time Apps Start value = 2, the app starts on boot time. Star value != 2 starts on user logon

Evil Start Time Services • Generally LastWrite times should be about the same time the system was built. • Later dates would suggest that an intruder of sysadmin was altering the boot time sequence

User Login • Startup Keys are parsed in order when a user logs in: 1. HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 2. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 3. HKLM\Software\Microsoft\Windows\CurrentVersion\Run 4. HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Windows\Run 5. HKCU\Software\Microsoft\Windows\CurrentVersion\Windows\Run 6. HKCU\Software\Microsoft\Windows\CurrentVersion\Windows\RunOnce • The run keys are ignored if started in Safe Mode

#3 On the Startup List

User Activity • On user action certain registry keys are accessed • Keys for other Classes of files control what happens when that file is opened • Or when the file is double-clicked

Example • Go to: HKLM\Software\Microsoft\CommandProcessor\AutoRun Right click on AutoRun Select Modify Enter sol.exe in the Value data: field. Start -> run -> cmd.exe • This is the how one can modify application behavior • Used by much malware to launch backdoors or an IRCbot

AutoRuns from Sysinternals

Hijacked App

USB Devices • Tracking USB devices • When mounted on Windows they leave • Footprints in the Registry • Artifacts in the setupapi.log file • The PnP Manager queries the device descriptor • Located in the thumb drive’s firmware • Log updated • Creates a Registry Key in HKLM\System\CurrentControlSet\Enum\USBSTOR

USBSTOR Key

Device Held ID Version Model Manufacturer CdRom&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_6.61 Unique Instance ID Serial Number Device class ID

System Created Key Manufacturer Model Version Disk&Ven_JMTek&Prod_USBDrive&Rev_7.77 Unique Instance ID No Serial Number Made up by system Device class ID

Device Information • HKLM\SYSTEM\MountedDevices • List of recently Mounted Devices • Look down the list for \DosDevices\ • The REG_BINARY data field should start with 5C 00 3F00 3F 00 • To find which device this is right click on the device • Select Modify

USBSTORE Unique Instance ID Serial Number ParentIdPrefix

USB Devices Tracking • By correlating ParentIdPrefix form Mounted devices and USBSTORE one can generate a timeline • CurrentUser\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 • May give more information

Mounted Devices

Binary Data in \DosDevices\G: ParentIdPrefix matches the Kingston Traveler in the USBSTORE key

Research Topic • USB devices • Some USB Devices have a Device ID, others do not • Some generate a ParentIdPrefix others do not • Some Correlate to the MountedDevices ID others do not • Sort it out • Use references to the the Microsoft Knowledge Base

Registry Analysis

Registry Analysis

Presentation Transcript

Registry Functions

Windows Registry

Chesapeake Registry

ACTION Registry

The Registry

Haemostasis Registry

Registry cleaner

Study Registry

PARIS Registry

Registry

Registry Cleaner

Applying meta-analysis to trauma registry

PARIS Registry

Registry

Student registry

Check Registry

Registry politics

Registry Analysis

Registry

PET REGISTRY

Patient Registry Software Market Analysis | CMI