Windows System Artifacts: Registry, Timelines, Event Logs, Prefetch Files, Jump Lists, Recycle Bin. Lecture slide transcription, COMP 2555: Principles of Computer Forensics (Autumn 2014)



Slide 1: Windows System Artifacts
COMP 2555: Principles of Computer Forensics, Autumn 2014, http://www.cs.du.edu/2555

Registry: Understanding the Windows Registry
- A database that stores hardware and software configuration information, network connections, user preferences, and setup information
- To view the Registry, you can use:
  - Regedit (Registry Editor) program for Windows 9x systems
  - Regedt32 for later versions

Slide 2: Organization of the Windows Registry
- Registry terminology:
  - Registry
  - Registry Editor
  - HKEY
  - Key
  - Subkey
  - Branch
  - Value
  - Default value
  - Hives

Slide 3: Windows Registry Viewer
[Screenshot of the Windows Registry Viewer; the image itself is not part of the transcription.]

Slide 4: Configuration Files in Windows 9x/Me
Filename and location, followed by purpose:
- Windows\System.dat: User-protected storage area; contains installed program settings, usernames and passwords associated with installed programs, and system settings
- Windows\User.dat, or Windows\profile\user-account: Contains the most recently used (MRU) files list and desktop configuration settings; every user account created on the system has its own user data file

Slide 5: Configuration Files in NT/2000/XP/Vista
Filename and location, followed by purpose:
- Documents and Settings\useraccount\Ntuser.dat: User-protected storage area; contains the MRU files list and desktop configuration settings
- Winnt\system32\config\Default: Contains the computer's system settings
- Winnt\system32\config\SAM: Contains user account management and security settings
- Winnt\system32\config\Security: Contains the computer's security settings
- Winnt\system32\config\Software: Contains installed program settings and associated usernames and passwords
- Winnt\system32\config\System: Contains additional computer system settings

Slide 6: Typical HKEYs
HKEY, followed by function:
- HKEY_CLASSES_ROOT (HKCR): Symbolic link to HKEY_LOCAL_MACHINE\SOFTWARE\Classes; provides file type and file extension information, URL protocol prefixes, etc.
- HKEY_CURRENT_USER (HKCU): Symbolic link to HKEY_USERS; stores settings for the currently logged-on user
- HKEY_LOCAL_MACHINE (HKLM): Contains information about installed hardware and software
- HKEY_USERS (HKU): Stores information for the users; only one key in this HKEY is linked to HKEY_CURRENT_USER
- HKEY_CURRENT_CONFIG (HKCC): Symbolic link to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\HardwareProfile\xxxx (with xxxx representing the current hardware profile); contains hardware configuration settings
- HKEY_DYN_DATA (HKDD): Used only in Windows 9x/Me systems; stores hardware configuration settings

Slide 7: A Few Interesting Places
- Use ProDiscover Basic to extract the Registry-related files from an image
- Use AccessData Registry Viewer to see what information you can find in these files
- System Hive: HKLM\SYSTEM
  - Running services: CurrentControlSet\Services
- Software Hive: HKLM\SOFTWARE
  - Installed applications: keys at the hive root
  - Install info: Microsoft\Windows\CurrentVersion\Uninstall
  - Check \Software\Microsoft\Windows\CurrentVersion\Uninstall in the NTUSER.DAT hive for user-specific application installs

Slide 8: A Few Interesting Places
- Software Hive: HKLM\SOFTWARE
  - File extension analysis: subkeys in the Classes key
    - Useful for standalone applications (that do not appear in the Registry)
  - Network list: Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures
    - Follow up using the GUID on: NetworkList\Profiles
  - Scheduled tasks: Tree\Microsoft\Windows in Windows 7, or Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache earlier

Slide 9: A Few Interesting Places
- User Hive: HKCU\ or HKU\<profile id>
  - NTUSER.DAT and USRCLASS.DAT
  - Search in Start Menu: Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
    - Key ACMru in Windows XP
  - Recently executed programs: Local Settings\Software\Microsoft\Windows\Shell\MUICache
  - User activity: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
  - Recent documents: Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Slide 10: Timelines
- Events occur on a system all the time
  - System restore points are created (every 24 hours)
  - Hard drive is de-fragmented (every three days)
  - Files are created, modified, and deleted
  - Registry keys and values are created by applications
- Many of these events are logged in multiple places across the system
- A timeline is a summary of these events ordered by time

Slide 11: Creating Timelines
- You may begin with a timeline of all events in the system
  - Collect all activities with time stamps
  - Scan through them to find what is meaningful
- Build a timeline a layer at a time based on the goals of the analysis
  - Begin with activity logs that might be related to the event in question
  - Add more data sources to bring the available context into focus
- Time data in some places may be easily mutable; may not be in others
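The UserAssist key on slide 9 records per-user program executions, but its value names are ROT13-encoded and its values are binary counters, so a registry viewer shows little until they are decoded. The Python below is an added example and not part of the lecture material: it decodes a value name and interprets the 16-byte Windows XP and 72-byte Windows 7 value layouts. The input dictionary stands in for values exported from an offline NTUSER.DAT with a tool such as the AccessData Registry Viewer the slides mention; the two sample values, the program paths and the timestamps in them are constructed, not taken from a real hive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME: 100-nanosecond intervals since 1601-01-01 00:00:00 UTC (slide 12).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_FT = 116444736000000000  # FILETIME value of 1970-01-01 00:00:00 UTC


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME integer to an aware UTC datetime (None for an unset value)."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_userassist_name(name):
    """UserAssist value names (program paths, sometimes GUID-prefixed) are stored ROT13-encoded."""
    return codecs.decode(name, "rot_13")


def parse_userassist_value(data):
    """Interpret the binary value data; the layout is selected by its length.

    16 bytes (Windows XP):  session id (4) | run count (4) | last run FILETIME (8);
                            XP starts the counter at 5, so 5 is subtracted.
    72 bytes (Windows 7):   run count at offset 4, focus count at 8,
                            focus time in milliseconds at 12, last run FILETIME at 60.
    """
    if len(data) == 16:
        _session, count, ft = struct.unpack("<IIQ", data)
        return {"run_count": max(count - 5, 0), "last_run": filetime_to_datetime(ft)}
    if len(data) == 72:
        count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
        (ft,) = struct.unpack_from("<Q", data, 60)
        return {"run_count": count, "focus_count": focus_count,
                "focus_ms": focus_ms, "last_run": filetime_to_datetime(ft)}
    raise ValueError(f"unrecognised UserAssist value length: {len(data)}")


def parse_userassist_key(values):
    """values maps value name -> raw bytes, as exported from a UserAssist\\{GUID}\\Count key."""
    results = []
    for name, data in values.items():
        entry = parse_userassist_value(data)
        entry["program"] = decode_userassist_name(name)
        results.append(entry)
    return results


# Constructed sample values (not exported from a real hive): one XP-style, one Windows 7-style.
SAMPLE_VALUES = {
    # ROT13 of "UEME_RUNPATH:C:\Windows\notepad.exe"; a counter of 8 means 3 runs on XP
    "HRZR_EHACNGU:P:\\Jvaqbjf\\abgrcnq.rkr":
        struct.pack("<IIQ", 1, 8, UNIX_EPOCH_FT + 86400 * 10_000_000),
    # ROT13 of "UEME_RUNPATH:C:\Windows\calc.exe"; 72-byte Windows 7 layout
    "HRZR_EHACNGU:P:\\Jvaqbjf\\pnyp.rkr":
        b"\x00" * 4 + struct.pack("<III", 7, 2, 1500) + b"\x00" * 44
        + struct.pack("<Q", UNIX_EPOCH_FT + 3600 * 10_000_000) + b"\x00" * 4,
}


def parse_sample():
    return parse_userassist_key(SAMPLE_VALUES)


if __name__ == "__main__":
    for e in parse_sample():
        print(f'{e["program"]}: {e["run_count"]} run(s), last {e["last_run"]}')
```

Zero timestamps are reported as None rather than as 1601-01-01, since an unset FILETIME would otherwise sort to the very start of a timeline and mislead.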

Slide 12: Time Formats
- 64-bit FILETIME format
  - Number of 100-nanosecond intervals since January 1, 1601
- 32-bit Unix format
  - Number of seconds since January 1, 1970, relative to the UTC time zone
- String format
  - 01/02/2010 2:00 PM (local time zone)
- Windows SYSTEMTIME format
  - 8x32-bit structure encoding (year, month, day-of-week, day, hour, minute, second, millisecond)
- Application's own format

Slide 13: Parts of a Timeline Entry
- Time: when did an event occur?
- Source: from where is this entry extracted?
  - The data source
  - File system, registry, log file, etc.
- System: some form of device identifier
  - Hostname, IP address, MAC address, etc.
- User: user associated with the event
  - Depends on whether user information is available in the time-stamped data
- Description: brief description of the event
  - Warning, info, error messages from log files

Slide 14: Data Sources
- File system metadata
- Event logs
- Prefetch files
- Jump lists (Windows 7)
- Recycle bin
- Registry

Slide 15: File System Metadata
- Standard Information attribute (0x10) has four timestamps
  - MACE: file Modified, file Accessed, file Created, MFT Entry modified
- Filename attribute (0x30) also has the same four timestamps
  - But times here correspond to the time of first creation, access or modification
- Time-stamps in the standard information attribute can never be earlier than those in the filename attribute
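Slides 11 to 13 describe normalising every source's timestamps so that entries from different places can be ordered, and slide 15 states one consistency rule between the two NTFS timestamp sets. The Python below is an added example, not code from the lecture: it converts each format on slide 12 to UTC, orders constructed entries that carry the five parts of a timeline entry from slide 13, and flags $STANDARD_INFORMATION times that precede their $FILE_NAME counterparts. Assumptions: the examined machine's local zone is a fixed UTC-7 offset (so the example runs without a time zone database), SYSTEMTIME values are treated as UTC, and SYSTEMTIME is unpacked in its Win32 layout of eight 16-bit fields (16 bytes). All events, hosts and users are constructed.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumed local time zone of the examined machine: a fixed UTC-7 offset (no tz database needed).
LOCAL_TZ = timezone(timedelta(hours=-7))


def from_filetime(ft):
    """64-bit FILETIME: number of 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def from_unix(secs):
    """32-bit Unix time: seconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def from_systemtime(raw):
    """Win32 SYSTEMTIME: eight 16-bit fields (year, month, day-of-week, day,
    hour, minute, second, millisecond); interpreted here as UTC."""
    year, month, _dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    return datetime(year, month, day, hour, minute, second, ms * 1000, tzinfo=timezone.utc)


def from_local_string(text):
    """String format such as '01/02/2010 2:00 PM' in local time, normalised to UTC."""
    naive = datetime.strptime(text, "%m/%d/%Y %I:%M %p")
    return naive.replace(tzinfo=LOCAL_TZ).astimezone(timezone.utc)


@dataclass
class TimelineEntry:
    time: datetime     # when the event occurred (UTC)
    source: str        # where the entry was extracted from: file system, registry, log file
    system: str        # device identifier: hostname, IP address, MAC address
    user: str          # user associated with the event, "" if the source carries none
    description: str   # brief description of the event


def build_timeline(entries):
    """A timeline is the entries ordered by their normalised time."""
    return sorted(entries, key=lambda e: e.time)


MACE = ("modified", "accessed", "created", "entry_modified")


def check_si_against_fn(si, fn):
    """Return the MACE fields whose $STANDARD_INFORMATION (0x10) time is earlier than the
    $FILE_NAME (0x30) time. Per slide 15 this should never happen, so any hit needs explaining."""
    return [f for f in MACE if si[f] < fn[f]]


def sample_entries():
    """Constructed events (not from a real system), one per time format, all on 2010-01-02."""
    return [
        TimelineEntry(from_unix(1262462400), "event log", "WKS01", "alice", "logon, Security log"),
        TimelineEntry(from_local_string("01/02/2010 2:00 PM"), "application log", "WKS01", "",
                      "application error"),
        TimelineEntry(from_filetime(129069378000000000), "registry", "WKS01", "alice",
                      "UserAssist last run"),
        TimelineEntry(from_systemtime(bytes.fromhex("da07010006000200" "13001e0000000000")),
                      "file system", "WKS01", "", "$MFT entry modified"),
    ]


def sample_mft_check():
    """$STANDARD_INFORMATION created earlier than $FILE_NAME created: the anomaly slide 15 rules out."""
    fn = {f: from_unix(1262462400) for f in MACE}
    si = dict(fn)
    si["created"] = from_unix(1262304000)
    return check_si_against_fn(si, fn)


if __name__ == "__main__":
    for e in build_timeline(sample_entries()):
        print(e.time.isoformat(), e.source, e.system, e.user or "-", e.description)
    print("SI earlier than FN in:", sample_mft_check())
```

Converting everything to aware UTC datetimes before sorting is what makes the layered approach of slide 11 work: a string-format application log in local time and a FILETIME from the registry only line up once both carry an explicit offset.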

Slide 16: NTFS Time Handling
- Last access times can be delayed by up to an hour
  - In order to improve performance on high-volume file servers
- Updates can be fully disabled by creating a registry entry
  - Create NtfsDisableLastAccessUpdate=1 in HKLM\SYSTEM\CurrentControlSet\Control\FileSystem
- File system tunneling
  - FAT and NTFS reuse file metadata if a file is deleted and immediately (within 15 seconds) recreated
  - Affects: delete(a)/create(a), delete(a)/rename(b,a), rename(a,b)/create(a), rename(a,b)/rename(c,a)
  - Change the time interval in the registry
    - Create MaximumTunnelEntryAgeInSeconds=<time> in HKLM\SYSTEM\CurrentControlSet\Control\FileSystem

Slide 17: Event Logs
- Windows records details of events in special log files
  - Special binary format in Windows 2000/XP/2003
    - Magic number: LfLe at offset 0x4 of each record
    - The four bytes prior to the magic number are the record size
  - Binary XML format in Windows Vista/7
- Types of logs
  - Application: events logged by programs
    - E.g. a database program logging a file error
  - Security: logon auditing and system resource use
    - E.g. valid/invalid login attempts, creation/deletion/access of files
  - System: logs from system components
    - E.g. unable to load a driver

Slide 18: Event Log Entries
- Date and time of event
- User and host
- Event ID
  - A number signifying the event
  - www.eventid.net
  - www.ultimatewindowssecurity.com/securitylog/encyclopedia/
- Source of event
- Type
  - Error, warning, information, success audit, or failure audit

Slide 19: Log File Location
- Before Windows Vista, log file locations are specified in the registry
  - HKLM\System\CurrentControlSet\Services\EventLog
  - Three subfolders: System, Application and Security
  - The FILE entry shows the path to the log files
  - Default: C:\Windows\System32\Config
- Starting with Vista
  - HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\
  - Default FILE value: C:\Windows\System32\Winevt\Logs
  - Also has a Setup event log
    - Logs application setup information
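Slide 17 gives the two facts needed to carve Windows 2000/XP/2003 event records out of a .evt file or out of unallocated space: the LfLe magic at offset 4 of each record and the record length in the four bytes before it. The Python below is an added example, not the course's or Microsoft's code; it scans a buffer for the magic, validates each candidate by its leading and trailing length fields, and decodes the fixed 56-byte EVENTLOGRECORD header (32-bit Unix times, event ID, type, source and computer name, inserted strings), which yields the entry parts listed on slide 18. The sample buffer is constructed inside the block by a small builder and includes a stray LfLe that the length checks reject; the hostnames, user and event IDs in it are invented.

```python
import struct
from datetime import datetime, timezone

MAGIC = b"LfLe"          # at offset 4 of every record; the 4 bytes before it hold the record length
HEADER = struct.Struct("<IIIIIIHHHHIIIIII")   # fixed 56-byte EVENTLOGRECORD header
EVENT_TYPES = {1: "error", 2: "warning", 4: "information", 8: "success audit", 16: "failure audit"}


def _read_utf16z(buf, pos):
    """Read a null-terminated UTF-16LE string at pos; return (text, position after the terminator)."""
    end = pos
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le", errors="replace"), end + 2


def parse_record(buf, start):
    """Parse one record whose Length field begins at start; None if the candidate fails validation."""
    if start < 0 or start + HEADER.size > len(buf):
        return None
    fields = HEADER.unpack_from(buf, start)
    length, end = fields[0], start + fields[0]
    if length < HEADER.size or end > len(buf) or buf[start + 4:start + 8] != MAGIC:
        return None
    if struct.unpack_from("<I", buf, end - 4)[0] != length:   # trailing copy of Length must match
        return None
    (_, _, rec_no, t_gen, t_written, event_id, ev_type, n_strings, category,
     _flags, _closing, str_off, _sid_len, _sid_off, _data_len, _data_off) = fields
    source, pos = _read_utf16z(buf, start + HEADER.size)      # SourceName, then ComputerName
    computer, _ = _read_utf16z(buf, pos)
    strings, pos = [], start + str_off                         # inserted message strings
    for _ in range(n_strings):
        s, pos = _read_utf16z(buf, pos)
        strings.append(s)
    return {
        "record_number": rec_no,
        "time_generated": datetime.fromtimestamp(t_gen, tz=timezone.utc),   # 32-bit Unix time
        "time_written": datetime.fromtimestamp(t_written, tz=timezone.utc),
        "event_id": event_id & 0xFFFF,   # low 16 bits are the ID that Event Viewer displays
        "type": EVENT_TYPES.get(ev_type, f"unknown({ev_type})"),
        "category": category, "source": source, "computer": computer, "strings": strings,
    }


def carve_records(buf):
    """Scan a .evt image (or unallocated space) for LfLe signatures and parse the valid records."""
    records, pos = [], buf.find(MAGIC)
    while pos != -1:
        rec = parse_record(buf, pos - 4)
        if rec is not None:
            records.append(rec)
        pos = buf.find(MAGIC, pos + 1)
    return records


def build_record(rec_no, t_gen, event_id, ev_type, source, computer, strings):
    """Lay out a record as the Event Log service does; used here only to construct sample data."""
    def enc(s):
        return s.encode("utf-16-le") + b"\x00\x00"
    var = enc(source) + enc(computer)
    str_off = HEADER.size + len(var)
    var += b"".join(enc(s) for s in strings)
    data_off = HEADER.size + len(var)
    total = HEADER.size + len(var) + 4
    pad = (-total) % 8                    # records are padded to an 8-byte boundary
    length = total + pad
    header = HEADER.pack(length, 0x654C664C, rec_no, t_gen, t_gen, event_id, ev_type,
                         len(strings), 0, 0, 0, str_off, 0, str_off, 0, data_off)
    return header + var + b"\x00" * pad + struct.pack("<I", length)


# Constructed sample buffer: junk with a stray signature (zero length, rejected), then two records.
SAMPLE_EVT = (
    b"\x00" * 8 + MAGIC + b"\xff" * 12
    + build_record(1, 1262462400, 0x80000210, 8, "Security", "WKS01", ["alice", "WKS01"])
    + build_record(2, 1262462460, 0x10000007, 1, "Disk", "WKS01", ["\\Device\\Harddisk0\\DR0"])
)

if __name__ == "__main__":
    for r in carve_records(SAMPLE_EVT):
        print(r["time_generated"].isoformat(), r["source"], r["event_id"], r["type"], r["strings"])
```

Checking the trailing length copy as well as the leading one is what lets the carver run over unallocated space, where the magic can appear inside unrelated data; records found that way are also the ones worth comparing against the log files at the locations on slide 19.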

Slide 20: Tools for Log File Analysis
- Windows XP binary formats
  - Mount the acquired image in a professional tool (e.g. ProDiscover) and use its built-in event viewer
  - Obtain the event log file and extract the event records
- XML format
  - Microsoft Logparser tool

Slide 21: Prefetch Files
- Prefetching
  - Often an application is loaded in parts
  - The disk is accessed for those parts as and when they are needed
  - Keeping a trace of the loading process helps quicken the application startup
    - By collectively loading the required parts before they are needed
- Windows keeps a trace of what parts of the application files are loaded in prefetch files
  - .pf files in C:\Windows\Prefetch
  - NTOSBOOT-B00FAAD.pf: special prefetch file for the Windows boot process

Slide 22: Forensic Value of Prefetch Files
- Run count
  - Number of times the application has been run
- Volume
  - Identity of the media storage device
- Last run time
  - The last time the application was run
- Files
  - Files and directories used during the application's startup
- Offsets for this data in the prefetch files are different in Windows XP and Windows 7
  - See reference page

Slide 23: Windows Shortcuts
- Link to another file/folder on the system
- Is itself a file, so has its own time stamps
- Also encodes a snapshot of the target's MACE times before it was last opened
- Also encodes the size of the target file before it was last opened
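Slides 21 and 22 list what a prefetch file yields (run count, last run time, files touched during startup) and note that the offsets differ between Windows XP and Windows 7. The Python below is an added example, not the lecture's code: it reads the header common to both versions (format version, SCCA signature, executable name, hash) and selects the last-run and run-count offsets by version, 0x78/0x90 for version 17 (XP/2003) and 0x80/0x98 for version 23 (Vista/7), taking the loaded-file strings from the section whose offset and length sit at 0x64/0x68. The sample file is constructed by a builder in the block; its hash field is a placeholder rather than a real prefetch hash, and the file list in it is invented. Later formats (version 26 for Windows 8, version 30 for Windows 10, the latter additionally compressed) are outside the slides' scope and are rejected.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_FT = 116444736000000000

# Where the last-run FILETIME and the run counter sit depends on the format version in the header.
LAYOUT = {
    17: {"os": "Windows XP/2003", "last_run": 0x78, "run_count": 0x90},
    23: {"os": "Windows Vista/7", "last_run": 0x80, "run_count": 0x98},
}


def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_prefetch(data):
    """Return header fields, last run time, run count and the loaded-file list of a .pf file."""
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA":
        raise ValueError("not a prefetch file: SCCA signature missing")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch format version {version}")
    lay = LAYOUT[version]
    (file_size,) = struct.unpack_from("<I", data, 0x0C)
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    (pf_hash,) = struct.unpack_from("<I", data, 0x4C)   # the hash that also appears in the file name
    # Section C (offset at 0x64, byte length at 0x68): null-terminated UTF-16 names of the files
    # and directories read while the application started.
    sec_off, sec_len = struct.unpack_from("<II", data, 0x64)
    sec = data[sec_off:sec_off + (sec_len & ~1)]
    files = [s for s in sec.decode("utf-16-le", errors="replace").split("\x00") if s]
    (last_run,) = struct.unpack_from("<Q", data, lay["last_run"])
    (run_count,) = struct.unpack_from("<I", data, lay["run_count"])
    return {
        "version": version, "os": lay["os"], "file_size": file_size,
        "executable": exe_name, "hash": f"{pf_hash:08X}",
        "last_run": from_filetime(last_run), "run_count": run_count, "files": files,
    }


def build_sample(version, run_count=5):
    """Construct a minimal .pf image of the given version (sample data, not a captured trace)."""
    lay = LAYOUT[version]
    files = ["\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
             "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE"]
    sec = b"".join(f.encode("utf-16-le") + b"\x00\x00" for f in files)
    sec_off = 0xF0                      # past the file-information block of both versions
    buf = bytearray(sec_off + len(sec))
    struct.pack_into("<I4s", buf, 0, version, b"SCCA")
    struct.pack_into("<I", buf, 0x0C, len(buf))
    name = "NOTEPAD.EXE".encode("utf-16-le")
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, 0x1234ABCD)    # placeholder hash, not a real prefetch hash
    struct.pack_into("<II", buf, 0x64, sec_off, len(sec))
    struct.pack_into("<Q", buf, lay["last_run"], UNIX_EPOCH_FT + 1262462400 * 10_000_000)
    struct.pack_into("<I", buf, lay["run_count"], run_count)
    buf[sec_off:] = sec
    return bytes(buf)


if __name__ == "__main__":
    for v in (17, 23):
        p = parse_prefetch(build_sample(v))
        print(p["os"], p["executable"], p["run_count"], p["last_run"].isoformat(), p["files"])
```

Reading the version from the header and refusing unknown values is the safer habit than guessing the operating system from the image: applying XP offsets to a Windows 7 file returns plausible-looking but wrong run counts and times.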

Slide 24: Jump Lists
- List of recently opened files in a given application
- Introduced in Windows 7
- Right click on a program icon in the TaskBar to see the list
- Stored in the user's directory
  - AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
  - File extension .automaticdestinations-ms
  - File names are special identifiers of programs
    - E.g. adecfb853d77462a is MS Word 2007

Slide 25: Jump List Format
- Uses the structured storage file format (OLE compound)
- Entries are called jump list streams
- Jump list streams have the same format as Windows shortcuts
  - All information you can obtain from shortcuts is also available here
  - They can also hold command line options in certain programs
    - E.g. C:\Windows\System32\mstsc.exe /v:192.168.1.24 in the Terminal Services Client
- The DestList stream stores time-stamps when the other streams were accessed (useful for sorting)

Slide 26: Recycle Bin
- A temporary place for deleted files
- Windows XP
  - RECYCLER directory
  - Deleted file moved to a subdirectory named according to the user identifier
  - Name changed: starts with D, followed by drive letter, then a number
- Windows Vista and 7
  - Hidden $Recycle.Bin directory
  - Name changed: $R, followed by six characters

Slide 27: Recycle Bin INFO File
- Windows XP
  - Special INFO2 file maintains an index of
    - Original filename
    - Location of deleted file
    - When the file was deleted
  - www.csisite.net/downloads/info2.pdf
- Windows Vista and 7
  - One file (544 bytes) starting with $I for each deleted file
  - Has data similar to INFO2, but for just one file
  - http://www.forensicfocus.com/forensic-analysis-vista-recycle-bin
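Slides 26 and 27 describe the two generations of recycle-bin metadata: the INFO2 index in Windows XP and the 544-byte $I file per deleted item in Vista/7. The Python below is an added example rather than code from the lecture; it parses both layouts and pairs a $I name with its $R content file. The $I layout used is version 1 (8-byte version, 8-byte original size, 8-byte deletion FILETIME, 520-byte UTF-16 path), and INFO2 is read as a 20-byte header followed by 800-byte records (260-byte ANSI path, index, drive number, FILETIME, size, 520-byte Unicode path). Both sample files are constructed by builders in the block, with an invented user, path and deletion time.

```python
import ntpath
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_FT = 116444736000000000
INFO2_HEADER, INFO2_RECORD = 20, 800


def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_dollar_i(data):
    """Vista/7 $I file, 544 bytes: version (8, value 1) | original size (8) |
    deletion FILETIME (8) | original path (520, UTF-16LE, null-padded)."""
    if len(data) != 544:
        raise ValueError(f"expected a 544-byte $I file, got {len(data)} bytes")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version != 1:
        raise ValueError(f"unexpected $I version {version}")
    path = data[24:].decode("utf-16-le").split("\x00", 1)[0]
    return {"original_path": path, "size": size, "deleted": from_filetime(ft)}


def matching_r_name(i_name):
    """$I<six chars>.ext describes the item whose content is stored as $R<same six chars>.ext."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


def parse_info2(data):
    """Windows XP INFO2 index: 20-byte header, then one 800-byte record per deleted file
    (260-byte ANSI path | index (4) | drive number (4) | FILETIME (8) | size (4) | 520-byte Unicode path)."""
    version, _, _, rec_size, _ = struct.unpack_from("<5I", data, 0)
    if version != 5 or rec_size != INFO2_RECORD:
        raise ValueError("unexpected INFO2 header")
    entries = []
    for off in range(INFO2_HEADER, len(data) - INFO2_RECORD + 1, INFO2_RECORD):
        rec = data[off:off + INFO2_RECORD]
        ansi = rec[:260].split(b"\x00", 1)[0].decode("latin-1")
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        uni = rec[280:].decode("utf-16-le").split("\x00", 1)[0]
        path = uni or ansi
        drive_letter = chr(ord("A") + drive)
        entries.append({
            "index": index, "drive": drive_letter, "original_path": path,
            "deleted": from_filetime(ft), "size": size,
            # name inside RECYCLER\<user SID>: D, drive letter, index, original extension
            "bin_name": f"D{drive_letter.lower()}{index}{ntpath.splitext(path)[1]}",
        })
    return entries


def build_dollar_i(path, size, deleted_ft):
    """Construct a $I file (sample data only)."""
    return struct.pack("<QQQ", 1, size, deleted_ft) + (path.encode("utf-16-le") + b"\x00\x00").ljust(520, b"\x00")


def build_info2(records):
    """Construct an INFO2 file from (index, drive, path, deleted_ft, size) tuples (sample data only)."""
    out = struct.pack("<5I", 5, 0, 0, INFO2_RECORD, INFO2_HEADER + INFO2_RECORD * len(records))
    for index, drive, path, ft, size in records:
        out += path.encode("latin-1").ljust(260, b"\x00")
        out += struct.pack("<IIQI", index, drive, ft, size)
        out += (path.encode("utf-16-le") + b"\x00\x00").ljust(520, b"\x00")
    return out


SAMPLE_DELETED_FT = UNIX_EPOCH_FT + 1262462400 * 10_000_000   # 2010-01-02 20:00:00 UTC


def sample_vista():
    return parse_dollar_i(build_dollar_i("C:\\Users\\alice\\Documents\\report.docx", 48123, SAMPLE_DELETED_FT))


def sample_xp():
    return parse_info2(build_info2([
        (1, 2, "C:\\Documents and Settings\\alice\\My Documents\\report.docx", SAMPLE_DELETED_FT, 49152),
    ]))


if __name__ == "__main__":
    v = sample_vista()
    print(matching_r_name("$IQX7F2K.docx"), v["original_path"], v["size"], v["deleted"])
    for e in sample_xp():
        print(e["bin_name"], e["original_path"], e["deleted"])
```

The deletion FILETIME in either structure is the same 64-bit format as on slide 12, so these entries drop straight into a timeline with the source "recycle bin" and the user taken from the SID-named subdirectory the file was found in.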

Slide 28: Backed Up Files
- System Restore Points
  - C:\System Volume Information\_restore{
  - Backs up the registry, system files and application executables
  - System restores are logged
  - http://windowsir.blogspot.com/2006/10/restore-point-forensics.html
- Volume Shadow Copies
  - A backup of every block of the partition
  - Allows one to restore individual files
  - Tools like vssadmin and mklink allow you to list and mount shadow copies

Slide 29: Hibernation Files
- Hiberfil.sys
  - Compressed contents of Windows memory when the system goes to sleep
  - May contain processes and network connections from some point in the past
- Will have to know how running programs are stored by Windows in memory
  - A.k.a. Memory Forensics

Slide 30: References
- Ch 6: B. Nelson, A. Phillips and C. Steuart, Guide to Computer Forensics and Investigations
- File system tunneling: http://support.microsoft.com/kb/q172190
- Event logs (Windows XP): http://support.microsoft.com/kb/308427
- Prefetch file format: http://www.forensicswiki.org/wiki/Prefetch
- Jump list IDs: http://www.forensicswiki.org/wiki/List_of_Jump_List_IDs
- THE INTERNET