Road to Central Depository DOS – config.sys & autoexec.bat Windows 3.0 – INI file Windows 3.1 – Start of the idea of a central repository Windows 95 and beyond – Establishment and expansion of the registry
Understanding the Windows Registry Registry – A database that stores hardware and software configuration information, network connections, user preferences, and setup information For investigative purposes, the Registry can contain valuable evidence To view the Registry, you can use: – Regedit (Registry Editor) program for Windows 9x systems – Regedt32 for Windows 2000 and XP
Organisation and Terminology At the physical level – Files called hives – Located in: %SYSTEMROOT%\System32\config Keys (analogous to folders) Values (analogous to files) Hierarchy: – Hives Keys – Values
Hive Properties HKEY_USERS – all loaded user data HKEY_CURRENT_USER – currently logged on user (NTUSER.DAT) HKEY_LOCAL_MACHINE – array of software and hardware settings HKEY_CURRENT_CONFIG – hardware and software settings at startup HKEY_CLASSES_ROOT – contains information about application needs to be used to open files
Registry: A Wealth of Information Information that can be recovered include: – System Configuration – Devices on the System – User Names – Personal Settings and Browser Preferences – Web Browsing Activity – Files Opened – Programs Executed – Passwords
Forensic Analysis – User ID SID (security identifier) – Well-known SIDs SID: S-1-0Name: Null Authority SID: S-1-5-2Name: Network – S-1-5-21-2553256115-2633344321-4076599324-1006 Sstring is SID 1revision number 5authority level (from 0 to 5) 21-2553256115-2633344321-4076599324 - domain or local computer identifier 1006RID – Relative identifier Local SAM resolves SID for locally authenticated users (not domain users) – Use recycle bin to check for owners
Windows Security and Relative ID The Windows Registry utilizes a alphanumeric combination to uniquely identify a security principal or security group. The Security ID (SID) is used to identify the computer system. The Relative ID (RID) is used to identity the specific user on the computer system. The SID appears as: – S-1-5-21-927890586-3685698554-67682326-1005
Forensics Analysis - NTUSER.DAT Internet Explorer – IE auto logon and password – IE search terms – IE settings – Typed URLs – Auto-complete passwords
Forensics Analysis - NTUSER.DAT IE explorer Typed URLs
Forensic Analysis – MRU List A “Most Recently Used List” contains entries made due to specific actions performed by the user. There are numerous MRU list locations throughout various Registry keys. These lists are maintained in case the user returns to them in the future. Essentially, their function is similar to how the history and cookies act in a web browser.
Forensic Analysis – Last Opened Application in Windows
Registry Forensics Case Study (Chad Steel: Windows Forensics, Wiley) Department manager alleges that individual copied confidential information on DVD. No DVD burner was issued or found. Laptop was analyzed. Found USB device entry in registry: PLEXTOR DVDR PX-708A Found software key for Nero - Burning ROM in registry Therefore, looked for and found Nero compilation files (.nrc). Found other compilation files, including ISO image files. Image files contained DVD-format and AVI format versions of copyrighted movies. Conclusion: No evidence that company information was burned to disk. However, laptop was used to burn copyrighted material and employee had lied.
Monitoring the Registry The registry is highly complex, and there is not one single point of reference Experimentation allows you as an investigator to find out for yourself what has occurred Real time experimentation helps with post- mortem analysis Regmon (Replaced by Procmon) from Microsoft – Monitors the registry in real time
RegRipper The RegRipper is an open-source application for extracting, correlating, and displaying specific information from Registry hive files from the Windows NT (2000, XP, 2003, Vista and 7) family of operating systems.
System Time Determined by booting into the BIOS and comparing it with an external source – Radio Signal Clock or Time Server CMOS Clock – Complementary Metal Oxide Semiconductor Chip (CMOS) – Accessed by most OS to determine the time
Operating System Time Is embedded within the file system or high level file metadata Will take into account local time (or not!) Can confuse an investigation depending on tool configuration and time zone Will ask for the time from the BIOS CMOS
Program Time Programs will ask for the time from the OS They can bypass the OS and ask for the time directly from the BIOS It’s important to check and understand where a program gets its time details from.
OS Time – DOS MS DOS time/date Format (FAT File System) Stored as local time Used for MAC information 32 Bit Structure – Seconds (5 bits from offset 0) – Minutes (6 bits from offset 5) – Hours (5 bits from offset 11) – Days (5 bits from offset 16) – Months (4 bits from offset 21) – Years (7 bits from offset 25)
64 Bit Windows FILETIME 64 bit number measuring the number of 100ns intervals since 00:00:00, 1 st Jan, 1601 – 58,000 year lifetime Stored in the MFT – MAC
C/Unix Time 32-bit value Number of seconds elapsed since epoch – 1 st January 1970, 00:00:00 GMT Limit – Monday, December 2 nd, 2030 and 19:42:58 GMT
Local and UTC time translation Coordinated Universal Time (UTC) – Effectively the same as GMT Modern OS calculate the difference between local time and UTC and store the time/date as UTC
Local Time vs UTC 00 DB A2 F7 5C B1 C5 01 (Localtime) – 127703177299680000 00 7B B4 7E 7E B1 C5 01 (GMT) – 127703321299680000 Difference: – 144,000,000,000 Verify: – 3,600 s in 1 hour. 14,400 in 4 hours. – 100 ns = 10 millionth of a s 14,400 * 10,000,000 – = 4 hours
Time and the Registry ME/XP/Vista/Windows 7 – HKEY_Local_Machine/System/Current ControlSet/Control/TimeZoneInformation/Bias ActiveTimeBias – Amount of time (+ or -) to add to UTC – StandardName - Time Zone
C. Boyd, P. Forster, “Time and date issues in forensic computing – a case study”, Digital Investigation, no. 1, pp. 18– 23, 2004
Scenario Email trace identifies an individual suspected of involvement in communication of child abuse images Warrant obtained, and Computer equipment seized Relatively simple examination: – Email traces – Identification of child abuse images
Scenario During examination, the suspect failed to provide an explanation for images The defence employed an expert to comment on the evidence – Supplied with the forensic images of computer – Police Forensic Statement
Expert Report ‘The defendants computer [ID number] was used to access the Internet after it was seized and was in police custody. Approximately 750 records of Internet access are time stamped during the six hours or so after the computer was seized.’ ‘pages accessed included Hotmail login pages and possible child pornography site. Floppy diskettes were also used.’ ‘There is substantial evidence that is consistent with the Defendant’s computer [ID number] being altered while it was in police custody’. ‘However I am sure that there are so many grave problems with this evidence, and with all the computer evidence submitted by the prosecution, that the Court cannot safely rely on it.’
What went wrong? Did the police frame the suspect? Did the examiners commit the sin of booting the system while the machine was in their custody?
Tool/Examiner Error Encase v4 to extract the time bias The system was set to an ofset of 0x00001e1 (+480 minutes) or Pacific Standard Time (PST) NetAnalysis to perform the internet browsing analysis – It was not configured with the correct bias It looked as if the files were opened after the system was in custody.
Checklist for Date/Time Evidence Identify the type of time structure being used to represent local time or UTC Look for corroboration in the form of additional times, dates and activities on the computer and away from it Test your results using the same operating systems and application versions that are present on the computer being examined
Final Thoughts Tools being used were easy to access, but highlighted a lack of fundamental knowledge on the part of the examiner Experimentation and testing are key to strong investigations