1 / 35

Registry Analysis

Registry Analysis. Using regedit.exe System Information Autostart locations USB Removable Storage Devices Mounted Devices Finding Users User Activity Restore Points. System Information. Located in the Current Control Set

elda
Download Presentation

Registry Analysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Registry Analysis • Using regedit.exe • System Information • Autostart locations • USB Removable Storage Devices • Mounted Devices • Finding Users • User Activity • Restore Points

  2. System Information • Located in the Current Control Set • If the systemm is not active must find the Control Set that was current • Time zone • Shares • Audit policy • Wireless SSIDs

  3. Current Control Set • CurrentControlSet is a volatile portion of the Registry • Which of the 2 or more Control Sets are Current • The following indicate that #1 is current

  4. Time Zone Information • SYSTEM\ControlSet001\Control\TimeZoneInformation

  5. Computer Name HKLM\SYSTEM\ControlSet001\Control\ComputerName\ComputerName

  6. Shutdown Time HKLM\SYSTEM\CurrentControlSet\Control\Windows HKLM\SYSTEM\ControlSet001\Control\Windows Time is measured in the number of 100-nanosecond intervals since 1 January 1601.

  7. Shares • Windows 2K, XP, 2003, and Vista create a number of administrative shares • IPC$ - IPC share • ADMIN$ - shares that refer to the root of dirves C$, D$, etc. • User enabled shares show up in HKLM\SYSTEM\CurrentControlSet\Servicecs\lanmanserver\Shares

  8. Wireless SSIDs • XP Laptops maintain a list of service set IDs • The GUID is associated with the wireless interface • Under the Static#000x lists all of the SSIDs connected

  9. SSIDs A different Static#000x for each SSID ever connected to.

  10. SSID Registry Entry At offset 0x10 is a DWORD (4 bytes) that contains the length of the SSID, remember little endian. “0b 00 00 00” = 0x 00 00 00 0b = 1110 SSID Length SSID

  11. Autostarts • Applications that are launched without any interaction from the user • Often at boot time • Occasionally upon launch of a app.

  12. Autostart Locations • Auto-start extensibility points (ASEPs) • Registry locations • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run • And elsewhere • All over the place

  13. Autostart Locations • Start -> run -> msconfig • Lists some of the acknowledge startups

  14. Startup Locations

  15. Other Startup Locations • System boot • User Login • User Activity • See Carvey’s Ch4 spreadsheet for more locations

  16. System boot • Startup services at boot time are contained in • HKLM\SYSTEM\CurrentControlSet\Services • The services are enumerated with parameters • Should be sorted by LastWriteTime • Only possible in FTK or ProDiscover

  17. ControlSet\Services

  18. Boot Time Apps Start value = 2, the app starts on boot time. Star value != 2 starts on user logon

  19. Evil Start Time Services • Generally LastWrite times should be about the same time the system was built. • Later dates would suggest that an intruder of sysadmin was altering the boot time sequence

  20. User Login • Startup Keys are parsed in order when a user logs in: 1. HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 2. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 3. HKLM\Software\Microsoft\Windows\CurrentVersion\Run 4. HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Windows\Run 5. HKCU\Software\Microsoft\Windows\CurrentVersion\Windows\Run 6. HKCU\Software\Microsoft\Windows\CurrentVersion\Windows\RunOnce • The run keys are ignored if started in Safe Mode

  21. #3 On the Startup List

  22. User Activity • On user action certain registry keys are accessed • Keys for other Classes of files control what happens when that file is opened • Or when the file is double-clicked

  23. Example • Go to: HKLM\Software\Microsoft\CommandProcessor\AutoRun Right click on AutoRun Select Modify Enter sol.exe in the Value data: field. Start -> run -> cmd.exe • This is the how one can modify application behavior • Used by much malware to launch backdoors or an IRCbot

  24. AutoRuns from Sysinternals

  25. Hijacked App

  26. USB Devices • Tracking USB devices • When mounted on Windows they leave • Footprints in the Registry • Artifacts in the setupapi.log file • The PnP Manager queries the device descriptor • Located in the thumb drive’s firmware • Log updated • Creates a Registry Key in HKLM\System\CurrentControlSet\Enum\USBSTOR

  27. USBSTOR Key

  28. Device Held ID Version Model Manufacturer CdRom&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_6.61 Unique Instance ID Serial Number Device class ID

  29. System Created Key Manufacturer Model Version Disk&Ven_JMTek&Prod_USBDrive&Rev_7.77 Unique Instance ID No Serial Number Made up by system Device class ID

  30. Device Information • HKLM\SYSTEM\MountedDevices • List of recently Mounted Devices • Look down the list for \DosDevices\ • The REG_BINARY data field should start with 5C 00 3F00 3F 00 • To find which device this is right click on the device • Select Modify

  31. USBSTORE Unique Instance ID Serial Number ParentIdPrefix

  32. USB Devices Tracking • By correlating ParentIdPrefix form Mounted devices and USBSTORE one can generate a timeline • CurrentUser\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 • May give more information

  33. Mounted Devices

  34. Binary Data in \DosDevices\G: ParentIdPrefix matches the Kingston Traveler in the USBSTORE key

  35. Research Topic • USB devices • Some USB Devices have a Device ID, others do not • Some generate a ParentIdPrefix others do not • Some Correlate to the MountedDevices ID others do not • Sort it out • Use references to the the Microsoft Knowledge Base

More Related