Windows Registry 3: SYSTEM artifacts, SECURITY artifacts, SOFTWARE artifacts, NTUSER.DAT
The SYSTEM registry file
• SYSTEM is a root key in the HKEY_LOCAL_MACHINE hive
• Contains system settings:
  • hardware configurations
  • bootup information
  • device driver configurations
  • connected hardware
  • operating system settings
• Three control sets (001, 003, CurrentControlSet)
  • One is a backup
  • One is volatile: CurrentControlSet
• Each control set has four subkeys:
  • Control: boot and startup options
  • Enum: device and driver configurations
  • Hardware Profiles: specific info on the booted hardware
  • Services: list of drivers, file system information
The SYSTEM registry file
• The CurrentControlSet
  • Is a symbolic link to the ControlSet used by the live machine
  • Volatile
• Forensic importance:
  • ControlSet###
    • Enum
      • Floppy disk drivers: FDC
      • IDE drivers: IDE (Integrated Drive Electronics)
      • LPT printer info: LPTENUM
      • Storage drivers: STORAGE
System\ControlSet###\Enum\IDE
• IDE: device model name and device identifier are associated here
• Shows HDDs
• Includes CD-ROM drives
• Lists drives by manufacturer/model number
• Provides a device identifier for each Western Digital HDD
The SYSTEM\Select subkey
• The Select subkey defines which control set is active
• The Select subkey contains the values:
  • Default: defines which control set will be used
  • Current: which of the two control sets was used to boot last time
  • Failed: the control set that last failed to boot
  • LastKnownGood: the control set for the last successful logon
Timezone information
• Timezone information is important for forensic investigations
• Dates and times can be handled in different ways by the OS
• The settings have to be determined prior to forensic analysis
• Windows uses the timezone settings to convert UTC times to local time before displaying them
• NTFS file systems store time in UTC
  • UTC, Universal Coordinated Time
  • UTC is also known as GMT or Greenwich Mean Time
• FAT file systems store time as local time
• One way to correct the time settings is to set the investigation machine to the same timezone settings as the suspect's computer has
Time Zone Settings in AccessData
• Current time zone settings are found in
  • CurrentControlSet\Control\TimeZoneInformation
• Bias: the difference, in minutes, between UTC and local time
• StandardName: name associated with the standard time
• StandardBias: the difference between standard time and local time translations, normally zero
• StandardStart: start of the "winter time"
• DaylightBias: the value that is added to the standard time to get "summer time"
• ActiveTimeBias: the currently active time bias
Time Zone Settings in Registry
• The bias is the difference in minutes between UTC and local time; it is used during local time translation
• StandardName: string associated with standard time on the operating system, e.g. EST = Eastern Standard Time; can be empty
Time Zone Settings for examination
• Two pieces of information are needed before setting up the examination machine:
  • Time zone setting of the suspect machine
  • Whether automatic adjustment for daylight saving time was in use
• The SYSTEM key shows TimeZoneInformation:
  • ControlSet###\Control\TimeZoneInformation
Time Zone Settings
Important: you are determining whether DST was in use at all, not whether it was in effect at the time of seizure!
• Daylight Saving Time was being used
• DisableAutoDaylightTimeSet: if this value is present and set to 1, the user has turned off the automatic setting of daylight time
• In Vista the value always exists and you have to examine the value: 0 = auto detect / 1 = disabled
Time Zone Settings
• If the investigative machine was set to Eastern Time and the suspect system was set to Pacific Time, there would potentially be a three-hour discrepancy between the actual time on the suspect system and what is displayed on the investigative machine
• FAT systems store the date and time in local time as set by the system clock
• NTFS volumes store the date and time after first translating it to UTC, based on the current setting of the machine
• FTK prompts the user to select a time zone and indicate whether or not daylight saving time is being used
• Every NTFS volume has the time stored with no adjustment made
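The bias arithmetic behind the time zone slides, as an added example (not code from the slides or from FTK). The two TimeZoneInformation value sets are constructed to match the slide's Eastern/Pacific scenario; the value names (Bias, DaylightBias, ActiveTimeBias, DisableAutoDaylightTimeSet) are the registry's, the numbers are hypothetical, and the functions show how an NTFS (UTC) timestamp is displayed on each machine, how a FAT (local) timestamp is normalised, and how the DST flag is read.

```python
from datetime import datetime, timedelta

# Constructed TimeZoneInformation values for two machines (hypothetical; not from the slides).
# Keys mirror the registry value names. All bias values are minutes and follow the Windows
# convention UTC = local + bias, so zones west of Greenwich have a positive bias.
SUSPECT_TZ = {   # Pacific Time with daylight saving in effect: 480 + (-60) = 420
    "Bias": 480, "StandardName": "Pacific Standard Time", "StandardBias": 0,
    "DaylightBias": -60, "ActiveTimeBias": 420,
}
EXAMINER_TZ = {  # Eastern Time with daylight saving in effect: 300 + (-60) = 240
    "Bias": 300, "StandardName": "Eastern Standard Time", "StandardBias": 0,
    "DaylightBias": -60, "ActiveTimeBias": 240,
}

# A constructed NTFS timestamp: NTFS stores UTC, so this is the on-disk value.
SAMPLE_UTC_STAMP = datetime(2009, 7, 16, 11, 11, 39)
# A constructed FAT timestamp written on the suspect machine: FAT stores local time.
SAMPLE_FAT_LOCAL = datetime(2009, 7, 16, 4, 11, 39)


def utc_to_local(utc_time, tz):
    """What a machine displays for an NTFS (UTC) timestamp: local = UTC - ActiveTimeBias."""
    return utc_time - timedelta(minutes=tz["ActiveTimeBias"])


def local_to_utc(local_time, tz):
    """Normalise a FAT timestamp (stored as local time) to UTC: UTC = local + ActiveTimeBias.
    The bias must be the suspect machine's, not the examiner's."""
    return local_time + timedelta(minutes=tz["ActiveTimeBias"])


def display_discrepancy_hours(suspect_tz, examiner_tz):
    """Hours by which the examination machine misdisplays the suspect's timestamps
    if it keeps its own zone instead of adopting the suspect's settings."""
    return (suspect_tz["ActiveTimeBias"] - examiner_tz["ActiveTimeBias"]) / 60


def dst_auto_adjust_enabled(tz_values, vista_or_later=False):
    """Read DisableAutoDaylightTimeSet as the slide describes:
    absent (pre-Vista) or 0 -> automatic DST adjustment on; 1 -> turned off by the user."""
    value = tz_values.get("DisableAutoDaylightTimeSet")
    if value is None:
        if vista_or_later:
            raise ValueError("DisableAutoDaylightTimeSet missing; on Vista the value always exists")
        return True
    return value == 0


if __name__ == "__main__":
    print("suspect machine shows :", utc_to_local(SAMPLE_UTC_STAMP, SUSPECT_TZ))
    print("examiner machine shows:", utc_to_local(SAMPLE_UTC_STAMP, EXAMINER_TZ))
    print("discrepancy (hours)   :", display_discrepancy_hours(SUSPECT_TZ, EXAMINER_TZ))
    print("FAT local -> UTC      :", local_to_utc(SAMPLE_FAT_LOCAL, SUSPECT_TZ))
    print("auto DST on suspect   :", dst_auto_adjust_enabled(SUSPECT_TZ))
```

The discrepancy function returns the slide's three hours for the Eastern/Pacific pair; the same code gives the right answer for any pair of zones once the suspect's ActiveTimeBias has been read from the hive rather than assumed.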
Computer Name
• ControlSet###\Control\ComputerName\ComputerName
• ControlSet###\Services\EventLog\ComputerName (XP)
• The registry view also shows the date and time the user registered the installation of the system, and the computer name
When is the last shutdown time?
• ControlSet###\Control\Windows\ShutdownTime
• Normal shutdown, from a forensic examination point of view, is reflected in:
  • User's NTUSER.DAT (last modified date and time)
  • Regf and first hbin block (last modified date and time)
  • SOFTWARE (file update)
  • SYSTEM (file update)
• Catastrophic shutdown (crash, pulled plug, other loss of power)
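Resolving ControlSet### offline and decoding ShutdownTime, as an added example covering the Select, Computer Name and shutdown-time slides (not code from the slides). On a live machine CurrentControlSet is a symbolic link; on an exported SYSTEM hive the examiner has to read Select\Current and build the ControlSet00N path by hand. ShutdownTime is stored as an 8-byte FILETIME (100-nanosecond intervals since 1601-01-01, UTC). The SYSTEM_HIVE dictionary is a constructed stand-in for a parsed hive, with the slide's key paths and hypothetical values; a real case would populate it from a hive parser.

```python
import struct
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)


def filetime_to_datetime(raw):
    """Decode an 8-byte little-endian FILETIME into a naive UTC datetime."""
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack("<Q", ticks)


# Constructed stand-in for a parsed SYSTEM hive: {key path: {value name: data}} (hypothetical data).
SAMPLE_SHUTDOWN = datetime(2009, 1, 16, 11, 11, 39)  # UTC, constructed
SYSTEM_HIVE = {
    "Select": {"Default": 1, "Current": 1, "Failed": 0, "LastKnownGood": 2},
    "ControlSet001\\Control\\ComputerName\\ComputerName": {"ComputerName": "LAB-PC-01"},
    "ControlSet001\\Control\\Windows": {"ShutdownTime": datetime_to_filetime(SAMPLE_SHUTDOWN)},
    "ControlSet001\\Control\\TimeZoneInformation": {"Bias": 300, "StandardName": "Eastern Standard Time"},
}


def control_set_name(number):
    """Select values hold a number N; the key is named ControlSet00N."""
    return f"ControlSet{number:03d}"


def current_control_set(hive):
    """Offline equivalent of CurrentControlSet: the set the machine booted from last time."""
    return control_set_name(hive["Select"]["Current"])


def last_known_good_control_set(hive):
    return control_set_name(hive["Select"]["LastKnownGood"])


def control_set_path(hive, subpath):
    return current_control_set(hive) + "\\" + subpath


def computer_name(hive):
    return hive[control_set_path(hive, "Control\\ComputerName\\ComputerName")]["ComputerName"]


def last_shutdown_time(hive):
    """ShutdownTime is a FILETIME in UTC; convert with the suspect's TimeZoneInformation
    before comparing it with timestamps shown in local time."""
    raw = hive[control_set_path(hive, "Control\\Windows")]["ShutdownTime"]
    return filetime_to_datetime(raw)


if __name__ == "__main__":
    print("current control set:", current_control_set(SYSTEM_HIVE))
    print("computer name      :", computer_name(SYSTEM_HIVE))
    print("last shutdown (UTC):", last_shutdown_time(SYSTEM_HIVE))
```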
Identification of a USB device
• USB devices have two assigned numbers for identification:
  • A unique instance identifier that exists on the hardware device itself; it identifies the device in the USBSTOR subkey
  • A ParentIdPrefix (PIP) number
    • Generated by Windows XP
    • Generally appears as a 7& or 8& number followed by seven or eight hexadecimal digits
USB devices
• USB removable storage device footprints: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR
• Setupapi.log
• MountedDevice Manager
1- USB removable storage devices
• USB removable storage device footprints: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR
• A device class identifier is created the first time that type of device is connected to the computer
• A unique instance identifier needs to be created for the specific device
  • That is the serial number of the USB device
USB device serial number
• The serial number of a USB device can also be found in the Windows Device Manager
• Right-click My Computer and select Properties => Hardware => Device Manager => Universal Serial Bus Controllers => Details,
• or run devmgmt.msc as a command to open this page
USB device serial number
• If you choose Disk Drives in the Device Manager you will find the manufacturer name of the device
• If you select Storage Volumes in the Device Manager you will find the ParentIdPrefix for the device; look in Details
• The Details view also shows the serial number
2- Setupapi.log
• Another place where a USB device leaves traces of device and driver installation
• C:\WINDOWS\SETUPAPI.LOG (or C:\WINNT\SETUPAPI.LOG)
• Includes values:
  • Drive Identifier
  • ParentIDPrefix
  • HardwareID
  • CompatibleIDs
  • ClassGUID
• Note: a log file can be manipulated
A trace after an installation of a USB thumb drive:
[2009/01/16 11:11:39 1120.7 Driver Install]
#-166 Device install function: DIF_INSTALLDEVICE.
#I123 Doing full install of "USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_1.00\89900000000000006CB02AC4&0".
#I121 Device install of "USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_1.00\89900000000000006CB02AC4&0" finished successfully.
3- MountedDevice Manager
• Drive letter: when a USB removable storage device is connected to a Windows system, it is assigned a drive letter
• system\MountedDevices
• Two types of links:
  • \??\Volume{GUID}
    • GUID, Globally Unique Identifier
    • The link remains even after the device has been removed
  • \DosDevices\A:
    • Links with drive letters are updated to the most recent device that has been assigned the drive letter
Last time the device was connected, method 1
• system\ControlSet###\Control\DeviceClasses
• Find a device ID (drive letter): {53f56307-b6bf-11d0-94f2-00a0c91efb8b}
  • Identifying the device with PIP "7&1bdff45a" as having been the last USB device in the drive
• Key with the GUID for the disk interface as name
• Choose the subkey that contains the serial number of the USB device
  • ##?#USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00#000000000000000000000C18&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
• The LastWrite time of this key corresponds to the last time the device was connected to the system
Last time the device was connected, method 2
• system\ControlSet###\Control\DeviceClasses
• Find a DOS drive by {53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
• Key with the GUID for the volume device interface as name
• Choose the subkey that contains the PIP of the USB device
  • ##?#STORAGE#RemovableMedia#8&39056034&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
• The LastWrite time of this key corresponds to the last time the device was connected to the system
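Pulling the identifiers apart, as an added example that serves the USBSTOR, setupapi.log and DeviceClasses slides (not code from the slides). It splits a USBSTOR instance path into vendor/product/revision and serial, tells a real serial number from a Windows-generated instance id, decodes the ##?# key names under DeviceClasses (the two interface GUIDs are the ones on the slides), and reads install events out of the setupapi.log excerpt shown above. Field names in the returned dictionaries are my own; the sample log text is the slide's excerpt.

```python
import re
from datetime import datetime

# Device interface class GUIDs named on the slides (DeviceClasses key names end with one of these).
DEVICE_INTERFACE_GUIDS = {
    "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}": "disk",
    "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}": "volume",
}

# USBSTOR\<class>\<instance> or the '#'-joined form used inside DeviceClasses key names.
USBSTOR_RE = re.compile(r"^USBSTOR[\\#](?P<cls>[^\\#]+)[\\#](?P<inst>[^\\#]+)$", re.IGNORECASE)


def parse_usbstor_id(instance_path):
    r"""Split e.g. USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_1.00\89900000000000006CB02AC4&0
    into class fields and the unique instance id. If the second character of the instance id
    is '&', the device exposed no serial and Windows generated the id (the 7&/8& pattern the
    slides describe for ParentIdPrefix values)."""
    m = USBSTOR_RE.match(instance_path)
    if not m:
        raise ValueError(f"not a USBSTOR instance path: {instance_path!r}")
    class_parts = m["cls"].split("&")          # DISK, VEN_..., PROD_..., REV_...
    fields = {}
    for part in class_parts[1:]:
        key, _, value = part.partition("_")
        fields[key.upper()] = value
    instance = m["inst"]
    serial, _, suffix = instance.rpartition("&")  # serial, then the trailing &0 instance suffix
    return {
        "device_type": class_parts[0].upper(),
        "vendor": fields.get("VEN"),
        "product": fields.get("PROD"),
        "revision": fields.get("REV"),
        "serial": serial,
        "instance_suffix": suffix,
        "windows_generated": instance[1:2] == "&",
    }


def parse_deviceclasses_key(key_name):
    r"""Decode a subkey name under Control\DeviceClasses\{GUID}, which is built as
    ##?#<enumerator>#<hardware id>#<instance id>#{interface GUID}."""
    if not key_name.startswith("##?#"):
        raise ValueError(f"unexpected DeviceClasses key name: {key_name!r}")
    enumerator, hardware_id, instance, guid = key_name[4:].split("#")
    result = {
        "enumerator": enumerator.upper(),
        "instance": instance,
        "interface": DEVICE_INTERFACE_GUIDS.get(guid.lower(), "unknown"),
        # ParentIdPrefix-style ids look like 8&39056034&0&RM; the PIP is the first two fields.
        "parent_id_prefix": "&".join(instance.split("&")[:2]) if instance[1:2] == "&" else None,
        "device": None,
    }
    if enumerator.upper() == "USBSTOR":
        result["device"] = parse_usbstor_id(f"USBSTOR\\{hardware_id}\\{instance}")
    return result


SECTION_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ")
INSTALL_RE = re.compile(r'#I123 Doing full install of "([^"]+)"')

# The setupapi.log excerpt from the slide, used as sample input.
SETUPAPI_SAMPLE = """\
[2009/01/16 11:11:39 1120.7 Driver Install]
#-166 Device install function: DIF_INSTALLDEVICE.
#I123 Doing full install of "USBSTOR\\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_1.00\\89900000000000006CB02AC4&0".
#I121 Device install of "USBSTOR\\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_1.00\\89900000000000006CB02AC4&0" finished successfully.
"""


def parse_setupapi_installs(text):
    """Return (timestamp, instance path) for each device install recorded in setupapi.log.
    The timestamp comes from the enclosing section header; it is assumed to be the logging
    machine's local time, so check it against TimeZoneInformation before correlating."""
    installs, current = [], None
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            current = datetime.strptime(header.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        install = INSTALL_RE.search(line)
        if install and current is not None:
            installs.append((current, install.group(1)))
    return installs


if __name__ == "__main__":
    for when, path in parse_setupapi_installs(SETUPAPI_SAMPLE):
        print(when, parse_usbstor_id(path))
```

The same serial number links the three sources: the USBSTOR subkey name, the install line in setupapi.log, and the disk-interface DeviceClasses key whose LastWrite time gives the last connection. A `windows_generated` id tells the examiner that the device had no serial, so it cannot be uniquely matched across machines the way a serialised device can.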
USB device and its drive letter
• If the device is removed from the G: drive and another device is inserted that uses the G: drive, the previous information will be overwritten
• The MountedDevices entry shows the drive letter, the last used device and its PIP
• In Vista the PIP isn't used; the device ID is used instead
Mounted Device
• There are \DosDevices entries (in particular \DosDevices\C:) whose data is only 12 bytes (3 DWORDs)
  • The first 4 bytes are the drive signature or volume ID
    • Found at offset 0x1b8 within the Master Boot Record (MBR) of the hard drive
  • The remaining bytes are the partition offset, in little endian
Has the hard drive been connected to the computer?
• Search for the hard drive identifier in the MBR, offsets 440-443
• Compare with system\MountedDevices\DosDevices\C:
  • Followed by the partition offset in little endian
• If a physical device was divided into multiple volumes, each \DosDevices\<drive letter> would be identified with the same four-byte identity
  • In the example, these two are from the same physical device
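The MBR-to-MountedDevices comparison in code, as an added example (not code from the slides). It reads the four-byte disk signature at MBR offset 0x1b8, decodes the 12-byte \DosDevices values into signature plus partition offset, and answers both questions on the slides: which drive letters belong to a given physical disk, and which letter a USB device with a known serial was last assigned. The MBR sector, the disk signature and the MountedDevices entries are all constructed sample data with hypothetical values.

```python
import struct

DISK_SIGNATURE_OFFSET = 0x1B8  # bytes 440-443 of the MBR


def mbr_disk_signature(mbr):
    """Read the 4-byte little-endian disk signature at MBR offset 0x1b8 (bytes 440-443)."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("expected a 512-byte sector ending in the 55 AA boot signature")
    return struct.unpack_from("<I", mbr, DISK_SIGNATURE_OFFSET)[0]


def parse_mounted_device_value(raw):
    """Decode one value under MountedDevices. A 12-byte value is a fixed-disk volume: disk
    signature (4 bytes) followed by the partition's byte offset (8 bytes), both little endian.
    Longer values are UTF-16LE device paths, which is how removable USB volumes appear."""
    if len(raw) == 12:
        signature, offset = struct.unpack("<IQ", raw)
        return {"kind": "mbr", "disk_signature": signature, "partition_offset": offset}
    return {"kind": "path", "path": raw.decode("utf-16-le")}


def volumes_on_disk(mounted_devices, mbr):
    """Drive letters whose MountedDevices entry carries the signature found in this MBR:
    the check 'has this hard drive been connected to the computer?'."""
    signature = mbr_disk_signature(mbr)
    hits = []
    for name, raw in mounted_devices.items():
        entry = parse_mounted_device_value(raw)
        if name.startswith("\\DosDevices\\") and entry["kind"] == "mbr" \
                and entry["disk_signature"] == signature:
            hits.append((name[len("\\DosDevices\\"):], entry["partition_offset"]))
    return sorted(hits)


def drive_letter_for_usb_serial(mounted_devices, serial):
    """Drive letter last assigned to the USB device with this serial number (None if unseen).
    Only the latest device per letter survives, as the slides note."""
    for name, raw in mounted_devices.items():
        entry = parse_mounted_device_value(raw)
        if name.startswith("\\DosDevices\\") and entry["kind"] == "path" and serial in entry["path"]:
            return name[len("\\DosDevices\\"):]
    return None


# Constructed sample data (hypothetical values, not from the slides).
SAMPLE_SIGNATURE = 0xA1B2C3D4
_mbr = bytearray(512)
struct.pack_into("<I", _mbr, DISK_SIGNATURE_OFFSET, SAMPLE_SIGNATURE)
_mbr[510:512] = b"\x55\xaa"
SAMPLE_MBR = bytes(_mbr)

USB_PATH = ("\\??\\USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00#"
            "89900000000000006CB02AC4&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
MOUNTED_DEVICES = {
    "\\DosDevices\\C:": struct.pack("<IQ", SAMPLE_SIGNATURE, 63 * 512),        # first partition
    "\\DosDevices\\D:": struct.pack("<IQ", SAMPLE_SIGNATURE, 10 * 1024 ** 3),  # second partition
    "\\DosDevices\\E:": struct.pack("<IQ", 0x0BADF00D, 63 * 512),              # a different disk
    "\\DosDevices\\G:": USB_PATH.encode("utf-16-le"),
    "\\??\\Volume{4c1b2a3d-0000-0000-0000-00000000a001}": USB_PATH.encode("utf-16-le"),
}

if __name__ == "__main__":
    print("signature in MBR :", hex(mbr_disk_signature(SAMPLE_MBR)))
    print("volumes on disk  :", volumes_on_disk(MOUNTED_DEVICES, SAMPLE_MBR))
    print("USB drive letter :", drive_letter_for_usb_serial(MOUNTED_DEVICES, "89900000000000006CB02AC4"))
```

C: and D: share the signature, so they are partitions of the same physical disk; E: carries a different signature and is not. The check is only as strong as the signature: a cloned or re-signatured disk will not match, so treat a miss as inconclusive rather than as proof the drive was never attached.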
Other types of USB devices (camera)
• Every type of USB mass storage device will give similar traces in the registry
• Example: a device class identifier for a Konica Minolta Dimage Z20 camera
4- System\Enum\IDE
• system\ControlSet###\Enum\IDE
• Contains information about devices that have been connected to the computer:
  • USBSTOR: USB devices
  • FDC: Floppy Disk Controller
  • LPTENUM: printers connected through the LPT port
  • USBPRINT: printers connected through a USB port
  • IDE: hardware IDE
  • ...
IDE: Hard disk drives
• system\ControlSet###\Enum\IDE
• Shows the hard disk drives attached to the system
• Device type, manufacturer and model information
• The device identifier does not associate with the system\MountedDevices subkey
  • That association is made through another identifier stored in the physical drive's Master Boot Record (MBR)
System\Enum\IDE
• system\ControlSet###\Enum\IDE
• Hard disk drives connected to the system
TCP/IP parameters
• In the Services Tcpip subkey, information about network connections is saved
• ControlSet###\Services\Tcpip\Parameters