370 likes | 537 Views
Registry Analysis. Using regedit.exe System Information Autostart locations USB Removable Storage Devices Mounted Devices Finding Users User Activity Restore Points. System Information. Located in the Current Control Set
E N D
Registry Analysis • Using regedit.exe • System Information • Autostart locations • USB Removable Storage Devices • Mounted Devices • Finding Users • User Activity • Restore Points
System Information • Located in the Current Control Set • If the systemm is not active must find the Control Set that was current • Time zone • Shares • Audit policy • Wireless SSIDs
Current Control Set • CurrentControlSet is a volatile portion of the Registry • Which of the 2 or more Control Sets are Current • The following indicate that #1 is current
Time Zone Information • SYSTEM\ControlSet001\Control\TimeZoneInformation
Computer Name HKLM\SYSTEM\ControlSet001\Control\ComputerName\ComputerName
Shutdown Time HKLM\SYSTEM\CurrentControlSet\Control\Windows HKLM\SYSTEM\ControlSet001\Control\Windows Time is measured in the number of 100-nanosecond intervals since 1 January 1601.
Shares • Windows 2K, XP, 2003, and Vista create a number of administrative shares • IPC$ - IPC share • ADMIN$ - shares that refer to the root of dirves C$, D$, etc. • User enabled shares show up in HKLM\SYSTEM\CurrentControlSet\Servicecs\lanmanserver\Shares
Wireless SSIDs • XP Laptops maintain a list of service set IDs • The GUID is associated with the wireless interface • Under the Static#000x lists all of the SSIDs connected
SSIDs A different Static#000x for each SSID ever connected to.
SSID Registry Entry At offset 0x10 is a DWORD (4 bytes) that contains the length of the SSID, remember little endian. “0b 00 00 00” = 0x 00 00 00 0b = 1110 SSID Length SSID
Autostarts • Applications that are launched without any interaction from the user • Often at boot time • Occasionally upon launch of a app.
Autostart Locations • Auto-start extensibility points (ASEPs) • Registry locations • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run • And elsewhere • All over the place
Autostart Locations • Start -> run -> msconfig • Lists some of the acknowledge startups
Other Startup Locations • System boot • User Login • User Activity • See Carvey’s Ch4 spreadsheet for more locations
System boot • Startup services at boot time are contained in • HKLM\SYSTEM\CurrentControlSet\Services • The services are enumerated with parameters • Should be sorted by LastWriteTime • Only possible in FTK or ProDiscover
Boot Time Apps Start value = 2, the app starts on boot time. Star value != 2 starts on user logon
Evil Start Time Services • Generally LastWrite times should be about the same time the system was built. • Later dates would suggest that an intruder of sysadmin was altering the boot time sequence
User Login • Startup Keys are parsed in order when a user logs in: 1. HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 2. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 3. HKLM\Software\Microsoft\Windows\CurrentVersion\Run 4. HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Windows\Run 5. HKCU\Software\Microsoft\Windows\CurrentVersion\Windows\Run 6. HKCU\Software\Microsoft\Windows\CurrentVersion\Windows\RunOnce • The run keys are ignored if started in Safe Mode
User Activity • On user action certain registry keys are accessed • Keys for other Classes of files control what happens when that file is opened • Or when the file is double-clicked
Example • Go to: HKLM\Software\Microsoft\CommandProcessor\AutoRun Right click on AutoRun Select Modify Enter sol.exe in the Value data: field. Start -> run -> cmd.exe • This is the how one can modify application behavior • Used by much malware to launch backdoors or an IRCbot
USB Devices • Tracking USB devices • When mounted on Windows they leave • Footprints in the Registry • Artifacts in the setupapi.log file • The PnP Manager queries the device descriptor • Located in the thumb drive’s firmware • Log updated • Creates a Registry Key in HKLM\System\CurrentControlSet\Enum\USBSTOR
Device Held ID Version Model Manufacturer CdRom&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_6.61 Unique Instance ID Serial Number Device class ID
System Created Key Manufacturer Model Version Disk&Ven_JMTek&Prod_USBDrive&Rev_7.77 Unique Instance ID No Serial Number Made up by system Device class ID
Device Information • HKLM\SYSTEM\MountedDevices • List of recently Mounted Devices • Look down the list for \DosDevices\ • The REG_BINARY data field should start with 5C 00 3F00 3F 00 • To find which device this is right click on the device • Select Modify
USBSTORE Unique Instance ID Serial Number ParentIdPrefix
USB Devices Tracking • By correlating ParentIdPrefix form Mounted devices and USBSTORE one can generate a timeline • CurrentUser\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 • May give more information
Binary Data in \DosDevices\G: ParentIdPrefix matches the Kingston Traveler in the USBSTORE key
Research Topic • USB devices • Some USB Devices have a Device ID, others do not • Some generate a ParentIdPrefix others do not • Some Correlate to the MountedDevices ID others do not • Sort it out • Use references to the the Microsoft Knowledge Base