
Windows R egistry I


francesjlee




Presentation Transcript


  1. Windows Registry I
  • Registry 101
  • Registry 201
  • SAM artifacts

  2. Windows Registry
  • What is the Windows Registry?
    • Core component, hierarchical database
    • Configuration information
    • When a user had access, the last time the system had access, when a file was accessed
    • Hardware, software, users, applications, date and time
  • What is registry analysis?
    • Not just pressing a key and seeing the result
  • Purpose of the Windows Registry
    • Tells the OS and applications what to do, where to put things and how to react
    • Examples:
      • Clear the page file at shutdown
      • Launch the game after shutdown and logout

  3. Registry Editor (regedit)
  • Access: regedit, reg.exe, Win key+R

  4. Registry function
  • Let's say you start MS Word and open a document from the recent files list
  • The Windows API searches the registry for Word's CLSID identifier under Software -> CLSID
  • Windows then accesses Word's "recent docs" setting in the registry to identify the document
  • Windows then locates the selected file and opens it
  • A very simplified view!

  5. Investigate volatile information
  • Shows up when the system is booted or a user logs in
  • Must be collected while the system is still running
  • HKEY_CURRENT_USER hive
    • Does not exist on an acquired image of the system
    • Contains a VALUE named PROGRAM COUNT
      • Number of programs you have running on the desktop
  • HKEY_LOCAL_MACHINE\Hardware
    • Information regarding the connected devices
  • CurrentControlSet, ControlSet001, ControlSet002
  • HKEY_CLASSES_ROOT
    • When the system boots up: HKEY_LOCAL_MACHINE\Software\Classes
    • When a user logs in: HKEY_CURRENT_USER\Software\Classes

  6. Registry import/export
  • Registry import
    • Regedit export (save as type)
      • Reg files (*.reg): key-value pairs
      • Registry hive files (no extension): binary (for analysis)
      • Text file backups (*.txt)
  • Both FTK and FTK Imager can export registry files from an image, either
    • Navigate to them and export, or
    • File > Obtain Protected Files: gets the registry files from the running computer

  7. Registry backup
  • Restore points
    • Registry and certain system files
    • C:\System Volume Information
    • Created every 24 h by default
    • Kept up to 90 days
    • Restore points differ greatly between XP and Vista: http://en.wikipedia.org/wiki/System_Restore
  • Regedit restore, 4 ways:
    • Import
    • Double-click the .reg file
    • Right-click the .reg file and choose Merge
    • Right-click the .reg file and open it in regedit

  8. Registry
  • Has permissions based on user privileges (like NTFS files)
  • Windows Vista uses the C:\WINDOWS\system32\config\regback folder instead of C:\WINDOWS\REPAIR for backups

  9. FTK RV (Registry Viewer)
  Note that the "tree" structure is the same as in Windows Explorer. Also note:
  • Hive
  • Key / Subkey
  • Values
  • Hex viewer values
  • Properties pane
  Q: Why is it better to use forensic tools for registry investigation?

  10. FTK Registry Viewer
  • Registry Viewer search (Edit > …)
    • Standard search: quick find
    • Advanced search: multiple key hit display
    • Date search: search by last written date
  • Registry reports (Report > …)
    • Select keys and add
    • Types:
      • HTML
      • Display key properties
      • Standard bookmarks show all values
      • Summary reports allow value selection

  11. Location of the Windows Registry
  • DOS: Autoexec.bat (software settings) and Config.sys (hardware settings)
  • Windows 3.x: .ini files
  • Windows 9x: User.dat, System.dat
  • Windows XP: SAM, Security, Software, System
  • Windows Vista: SAM, Security, Software, System and Components
  User-specific information:
  • NTUSER.dat
    • Windows 2000, XP, 2003: Documents and Settings directory
    • Windows 7: Users directory
  • USRCLASS.dat

  12. Registry issues
  • No checksum or ability to self-repair
  • No ability to boot if corrupted
  • No ability to edit if not booted
  • No ability to transfer settings (hive files) to another system
    • .reg files are OK
  • The system uses a GUI interface for standard user access
    • Not the most user-friendly or efficient interface …

  13. Forensic registry benefits
  • MRUs (most recently used)
  • Typed URLs
  • System users
  • Installed devices
  • System time settings
  • Registered user information
  • Passwords and hashes
  • Internet search queries and form data
  • Date and time information of registry key updates
  • Network and wireless settings and connection information
  Some applications store passwords in clear text in the registry!

  14. Hives
  • Hives: registry root files, contain subkeys
  • Made up of 4-KB sections or "bins": regf block, hbin blocks
    • "regf": the first four bytes of a normal hive file, used to identify the type of registry file
    • Every 4096 bytes an "hbin" block
  • Name format: HKEY_HIVE_NAME
    • Often shortened to HKCU, HKLM, etc.
    • H = Handle
  • HKLM and HKU are the real hives, created from files at startup
    • They create the three other hives as well (alias or linked)
  Figure: regf | hbin | hbin | hbin

  15. Hives
  • HKU (HKEY_USERS)
    • Contains actively loaded user profiles and settings
    • Stores information from all users who have ever logged on to the computer
    • Default user profile
    • Generates HKCU, HKCC and HKCR
  Figure: HKEY_CURRENT_USER, HKEY_USERS, HKEY_CURRENT_CONFIG, HKEY_CLASSES_ROOT

  16. HKCU (HKEY_CURRENT_USER)
  • Contains the profile data of the currently logged-on user, from NTUSER.DAT
  • Preferences, profile areas, mapped drives, MRUs, etc.
  • Copied from HKU upon logon
  • Is subclassed in HKU > SID
  • The Software subkey is the most interesting one; it contains the majority of the information about the user

  17. HKCU
  • C:\Documents and Settings\<username>\NTUSER.dat
  • In Vista: C:\Users\<username>\NTUSER.dat
  • Contains the HKEY_CURRENT_USER hive
  • Information like:
    • Opened and saved files
    • Wrapped URLs and commands
  • Note: sometimes you can find copies of the registry files in the \windows\repair folder (Vista: regback)

  18. Common areas (Favorites)
  • MRU = Most Recently Used
  • Unicode
  • HKCU

  19. HKLM
  • Contains configuration information for the system (hardware and software)
  • HARDWARE
    • Created during boot-up
    • Tracks attached dynamic hardware settings
    • Volatile: not stored as a file
  • SAM
    • Stores logon information about local users
  • SECURITY
    • Storage of passwords and other security info
  • SOFTWARE
    • Records global application information
  • SYSTEM
    • Archives info about hardware and system configuration

  20. HKLM files
  • Remember (HKLM): each user's profile -> NTUSER.DAT

  21. HKCC
  • Contains data about the hardware profile
  • Is subclassed in HKLM > SYSTEM > CurrentControlSet > Hardware Profiles > Current
  • Generally of little forensic interest

  22. HKCR
  • Contains file extension associations and class registrations, which enable the correct application to start for a given file
  • Is subclassed in HKLM > Software > Classes and HKCU > Software > Classes
  • Example: the "Open with" option when right-clicking a file
  • HKCR per-user settings are mapped to the file system at
    • C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    • C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat
  Figure: HKLM > Software > Classes (global settings) and HKCU > Software > Classes (user settings) are subclassed into HKCR

  23. View active hives • Navigate to

  24. Hive block structure
  • Registry files are constructed from two types of building blocks
    • regf blocks
    • hbin blocks

  25. Hive block structure
  • The first block of a registry file only has a regf header
  • The block is 4096 bytes in length
  • Contains
    • Header
    • Last updated date and time (offset 8)
    • File name and path information (variable size from offset 48)
  Figure: offset 0-3 regf signature; offset 12-19 last updated date and time

  26. Hive block structure
  • And a variable number of hbin blocks
    • The remaining registry blocks (also 4096 bytes each)
  • The first hbin block begins after the regf block
  • Registry information is stored in hbin blocks
  • When one hbin block is filled, the system makes a new hbin block
  • The space won't be removed and data is recoverable even after deletion
  Figure: offset 0-3 carries the header; offset 20-27 date and time (first block only)

  27. Hive block structure
  • Header size of 32 bytes
  • Hives only grow in size
  • Each hbin points to the previous hbin block (offset 4-7)
  • Each hbin points to the next hbin block (offset 8-11)
  • With an offset whose raw bytes are always 00 10 00 00, i.e. 0x00001000 = 4 KB when read as little-endian
  Figure: file addresses regf 0x00000000, hbin 0x00001000, hbin 0x00002000, hbin 0x00003000; hbin header: signature (offset 0-3), pointer to previous (offset 4-7), pointer to next (offset 8-11), last updated (offset 20-27, first hbin only); the raw pointer bytes [00][10][00][00] and [00][20][00][00] read as little-endian DWORDs 0x00001000 and 0x00002000 (in big-endian order they would be written [00][00][10][00])

  28. Registry key cell structure
  • Each hbin block stores the actual registry information (keys, subkeys, values and data)
  • There are 7 types of cells in the hbin block
    • nk: key name; points to the parent key and to child keys/values
    • lf: subkey list (lh in some versions of XP)
    • vk: key value; contains the type and a pointer to the data
    • sk: security key; contains the Windows security descriptor
    • Value list (no header/signature): simple list of pointers to value records
    • Class information (no header/signature)
    • Data (no header/signature): variable-length raw value data
  Key names are likely to be the most important forensic evidence of this group.
  Note! Key names appear reversed here because of endianness.
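As an added example (not part of the slides), a small Python parser for the hive layout described in slides 24 to 28: it validates the regf header and its last-written timestamp, walks the hbin chain, and lists nk/vk cells by name, including a deleted one that is still readable because its cell is merely marked free. The hbin DWORDs at offsets 4-7 and 8-11 are decoded as the bin's offset from the first hbin and the bin's size (the slides describe them as previous/next pointers); the nk/vk name offsets follow the documented cell layouts, and the hive bytes are constructed inside the block, not taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 4096  # the regf header block and every hbin are 4-KB multiples
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
NAME_FIELDS = {b"nk": (0x4C, 0x50), b"vk": (0x06, 0x18)}  # (name length, name) offsets from cell start

def parse_regf(data):
    # regf header: 'regf' 0-3, primary/secondary sequence numbers 4-11, last-written FILETIME 12-19;
    # unequal sequence numbers mean the last write never completed (dirty hive, check its logs)
    if data[:4] != b"regf":
        raise ValueError("not a regf hive")
    seq1, seq2, ticks = struct.unpack_from("<IIQ", data, 4)
    return {"dirty": seq1 != seq2, "last_written": EPOCH_1601 + timedelta(microseconds=ticks // 10)}

def walk_hbins(data):
    # hbin header: 'hbin' 0-3, offset relative to the first hbin 4-7, bin size 8-11
    off = BLOCK
    while off + 32 <= len(data) and data[off:off + 4] == b"hbin":
        rel, size = struct.unpack_from("<II", data, off + 4)
        if size == 0 or size % BLOCK or rel != off - BLOCK:
            break  # inconsistent header: stop instead of misparsing
        yield off, size
        off += size

def scan_cells(data):
    # walk each hbin's cell chain: negative size = allocated, positive = free (deleted but still readable)
    found = []
    for start, size in walk_hbins(data):
        pos = start + 32  # cells begin right after the 32-byte hbin header
        while pos + 8 <= start + size and (sz := struct.unpack_from("<i", data, pos)[0]):
            sig = data[pos + 4:pos + 6]
            if sig in NAME_FIELDS:
                nl_off, name_off = NAME_FIELDS[sig]
                nl = struct.unpack_from("<H", data, pos + nl_off)[0]
                found.append((sig.decode(), data[pos + name_off:pos + name_off + nl].decode("latin-1"), sz < 0))
            pos += abs(sz)
    return found

def cell(body, free=False):
    n = -(-(4 + len(body)) // 8) * 8  # cells are 8-byte aligned; the sign of the size marks allocated/free
    return struct.pack("<i", n if free else -n) + body.ljust(n - 4, b"\0")

def build_sample_hive():
    # constructed sample, not a real hive: regf block + one hbin holding an allocated nk ("Run"),
    # an allocated vk ("Path") and a deleted (free) nk ("Old"), zero-padded to 4 KB
    ticks = (datetime(2024, 1, 2, tzinfo=timezone.utc) - EPOCH_1601) // timedelta(microseconds=1) * 10
    nk = lambda name: b"nk" + struct.pack("<HQ", 0x20, ticks) + b"\0" * 60 + struct.pack("<HH", len(name), 0) + name
    vk = lambda name: b"vk" + struct.pack("<HIIIHH", len(name), 0, 0, 1, 0, 0) + name
    body = cell(nk(b"Run")) + cell(vk(b"Path")) + cell(nk(b"Old"), free=True)
    hbin = (b"hbin" + struct.pack("<II", 0, BLOCK) + b"\0" * 20 + body).ljust(BLOCK, b"\0")
    return (b"regf" + struct.pack("<IIQ", 7, 7, ticks)).ljust(BLOCK, b"\0") + hbin
```

Running `scan_cells(build_sample_hive())` returns the two allocated cells plus the free "Old" key, which is the recoverable-after-deletion case from slide 26.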

  29. Registry key cell structure

  30. Registry value cell structure

  31. Registry Value types

  32. Resources:
  • http://technet.microsoft.com/en-us/library/cc750583.aspx
  • http://pogostick.net/~pnh/ntpasswd/
