ACCESSDATA® FORENSICS Windows 7 Registry Artifacts


Presentation on theme: "ACCESSDATA® FORENSICS Windows 7 Registry Artifacts"— Presentation transcript:

1 Introduction
ACCESSDATA® FORENSICS: Windows 7 Registry Artifacts. Applies to Forensic Analysis, Incident Response, eDiscovery and Information Assurance.

2 Module Objectives
Registry files of forensic importance: NTUSER.DAT, SAM, SYSTEM, SOFTWARE, SECURITY.

3 NTUSER.DAT – Typed URLs
Addresses either typed or pasted into the Internet Explorer address bar (NTUSER.DAT\Software\Microsoft\Internet Explorer\TypedURLs). Tracks up to the last 25 entries; the most recently entered one is on top (url1).

4 MRUs – Recent Docs
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs. Stored by extension: each extension subkey holds the last 10 entries (value names 0-9), ordered by its MRUListEx value. A new extension subkey is created the first time a new file type is opened.

5 MRUs – ComDlg32
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32. Windows 7 displays 5 subkey sets: CIDSizeMRU, FirstFolder, LastVisitedPidlMRU, LastVisitedPidlMRULegacy, OpenSavePidlMRU.

6 ComDlg32 – CIDSizeMRU
This subkey tracks applications globally. Values are 592 bytes and carry little data beyond the application name/extension.

7 ComDlg32 – FirstFolder
Tracks the general install location of applications. In some instances it will point to a user location.

8 ComDlg32 – LastVisitedPidlMRU
Tracks the application used to access a file and the location where the file existed; it does not track the specific file. Each value begins with the executable name (UTF-16) followed by a PIDL for the folder. Slide example: Registry Viewer.exe: J:\ _WIN7 3 Day\ test regback

9 ComDlg32 – LastVisitedPidlMRULegacy
The Legacy subkey tracks 32-bit application data.

10 MRUs – ComDlg32
Stored by extension; stores the last 20 (value names 0-19); creates a new extension subkey if a new file type is seen. Note: the MRUListEx list is stored in hex (little-endian DWORDs, most recent first, terminated by FF FF FF FF) while the value names are in decimal, so 0x13 in the list refers to the value named "19".
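The ordering rule from slides 4 and 10 (hex indices in MRUListEx, decimal value names) is easy to get wrong by eye when the list is long, so here is an added example that does the mapping in code. It is not AccessData's code and not part of the original deck; the RecentDocs subkey it parses is constructed inline to the layout the slides describe, and the bytes after each file name merely stand in for the shell (link) item that a real value carries.

```python
"""Order a RecentDocs extension subkey by its MRUListEx value.

Added example, not AccessData's code.  The hive data below is constructed to the
layout the slides describe: value names are decimal strings ("0" .. "9"),
MRUListEx is an array of little-endian DWORD indices (most recent first,
terminated by 0xFFFFFFFF), and each data value starts with the UTF-16LE file
name followed by a shell (link) item, which this example does not decode.
"""
import struct


def parse_mrulistex(blob: bytes) -> list:
    """Return the value indices in MRU order (most recent first)."""
    order = []
    usable = len(blob) - len(blob) % 4          # ignore a trailing partial DWORD
    for (idx,) in struct.iter_unpack("<I", blob[:usable]):
        if idx == 0xFFFFFFFF:                   # list terminator
            break
        order.append(idx)
    return order


def utf16z(value: bytes, start: int = 0) -> tuple:
    """Decode the NUL-terminated UTF-16LE string at `start`; return (text, end offset)."""
    pos = start
    while pos + 1 < len(value) and value[pos:pos + 2] != b"\x00\x00":
        pos += 2
    return value[start:pos].decode("utf-16-le"), pos + 2


def ordered_recent_docs(subkey: dict) -> list:
    """Map the hex indices in MRUListEx onto the decimal value names and return the file names."""
    names = []
    for idx in parse_mrulistex(subkey["MRUListEx"]):
        value_name = str(idx)                   # 0A 00 00 00 in the list means the value named "10"
        if value_name in subkey:                # a stale index with no matching value is skipped
            names.append(utf16z(subkey[value_name])[0])
    return names


def _recentdocs_value(file_name: str) -> bytes:
    """Constructed value: UTF-16LE name + terminator + bytes standing in for the shell item."""
    return file_name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00" + b"\x00" * 18


# Constructed RecentDocs\.docx subkey (not taken from a real hive).
SAMPLE_DOCX_SUBKEY = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),   # 02 00 00 00 00 00 00 00 01 00 00 00 FF FF FF FF
    "0": _recentdocs_value("budget.docx"),
    "1": _recentdocs_value("notes.docx"),
    "2": _recentdocs_value("report.docx"),
}

if __name__ == "__main__":
    for rank, name in enumerate(ordered_recent_docs(SAMPLE_DOCX_SUBKEY)):
        print(rank, name)
```

Run stand-alone it prints the three names most recent first (report, budget, notes). The same two helpers apply unchanged to the 0-19 lists under ComDlg32, where the index 0x13 must be looked up as the value "19".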

11 ComDlg32 – OpenSavePidlMRU
Where the document lived makes a difference to these values. For external drives the drive letter appears at offset 23 of the value: the volume item that follows the 20-byte My Computer root item.

12 ComDlg32 – OpenSavePidlMRU
User-created locations are also displayed at offset 23. However, known Windows paths (e.g. My Documents) are not displayed there as a drive letter. This file was stored in My Documents.

13 ComDlg32 – OpenSavePidlMRU
This was a document on the "Desktop": the value archives the path statement from there without identifying the Desktop origin.
This was in "My Documents", and the 12,560-byte value identifies the full path at the end.
Paths are relative: this file was off the Desktop and the path statement starts with the first folder below the Desktop.
Many values use a GUID to designate the application and GUIDs for the path statement.
General behavior: if no value exists, one is created; if one already exists, it is modified with the path accessed.

14 PIDL – Pointer to an Item Identifier List
Shell folders and user-created folders. Microsoft has virtual or "shell" folders (My Computer, My Documents) that do not exist in the file system, so a location is stored as a series of item IDs (one per object, each with its own size and type byte) rather than as a path.
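Slides 11 to 14 describe the PIDL by its visible offsets (drive letter at 23, GUIDs for known paths). The following is an added example, not AccessData's code, that walks a PIDL item by item so those offsets fall out of the structure instead of being memorised. Both sample PIDLs are constructed, not copied from a live hive: the first has the shape of an external-drive path (root item, volume item, folder item), the second puts a known-folder GUID item where the volume item would sit, which is the shape the slides describe for "My Documents". The folder item omits the long-name extension block a real item carries; the walker advances by item size, so that block is skipped either way.

```python
"""Walk the PIDL stored in an OpenSavePidlMRU value.

Added example, not AccessData's code.  A PIDL is a sequence of item IDs, each
2-byte size + 1-byte type + payload, ended by a zero size.  The two samples are
constructed (not copied from a live hive) to the shape the slides describe:
root item {My Computer}, then a volume item carrying the drive letter, then a
folder item; or, for a known Windows path, a GUID item where the volume item
would otherwise sit, so no drive letter appears at offset 23.
"""
import struct
import uuid

CLSID_MY_COMPUTER = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D")
FOLDERID_DOCUMENTS = uuid.UUID("FDD39AD0-238F-46AF-ADB4-6C85480369C7")


def walk_pidl(data: bytes) -> list:
    """Return one record per item ID with its absolute offset, size, type and decoded field."""
    items, off = [], 0
    while off + 2 <= len(data):
        size = struct.unpack_from("<H", data, off)[0]
        if size == 0:                                   # terminator
            break
        item = data[off:off + size]
        kind = item[2]
        rec = {"offset": off, "size": size, "type": kind}
        if kind == 0x1F and size >= 20:                 # root / known-folder item: GUID after the sort byte
            rec["guid"] = str(uuid.UUID(bytes_le=item[4:20])).upper()
        elif kind == 0x2F:                              # volume item: ASCII drive path right after the type byte
            rec["drive"] = item[3:].split(b"\x00", 1)[0].decode("ascii")
        elif kind in (0x31, 0x32):                      # folder / file item: primary (8.3) name at item offset 14
            rec["name"] = item[14:].split(b"\x00", 1)[0].decode("ascii", "replace")
        items.append(rec)
        off += size                                     # size-driven walk: unknown payload is skipped safely
    return items


def drive_letter(items: list):
    """Drive letter from the first volume item, or None for a known-folder path."""
    for rec in items:
        if "drive" in rec:
            return rec["drive"][0]
    return None


def drive_letter_offset(items: list):
    """Absolute offset of the drive letter: volume item offset + 3 (two size bytes, one type byte)."""
    for rec in items:
        if "drive" in rec:
            return rec["offset"] + 3
    return None


def _guid_item(guid: uuid.UUID) -> bytes:
    return struct.pack("<HBB", 20, 0x1F, 0x50) + guid.bytes_le


def _volume_item(path: str) -> bytes:
    return struct.pack("<HB", 25, 0x2F) + (path.encode("ascii") + b"\x00").ljust(22, b"\x00")


def _folder_item(short_name: str) -> bytes:
    body = struct.pack("<BIHHH", 0, 0, 0, 0, 0x10) + short_name.encode("ascii") + b"\x00"
    body += b"\x00" * (len(body) % 2)                   # items are padded to an even size
    return struct.pack("<HB", 3 + len(body), 0x31) + body


# Constructed samples (see the module docstring).
SAMPLE_EXTERNAL_DRIVE = _guid_item(CLSID_MY_COMPUTER) + _volume_item("F:\\") + _folder_item("CASES") + b"\x00\x00"
SAMPLE_KNOWN_PATH = _guid_item(CLSID_MY_COMPUTER) + _guid_item(FOLDERID_DOCUMENTS) + _folder_item("CASES") + b"\x00\x00"

if __name__ == "__main__":
    for sample in (SAMPLE_EXTERNAL_DRIVE, SAMPLE_KNOWN_PATH):
        items = walk_pidl(sample)
        print(items, "drive letter:", drive_letter(items), "at offset", drive_letter_offset(items))
```

The root item is 20 bytes, so the volume item begins at 20 and its drive letter sits at 20 + 3 = 23, which is the offset the slides quote. For a LastVisitedPidlMRU value, slice off the leading UTF-16 executable name first and hand the remainder to walk_pidl.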

15 MRUs – RunMRU
Stored commands from the Run box (NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU). Stores the last 10 (value names a-j); the MRUList string value gives the order, most recent first.

16 MRUs – MS Office 2007 / 2010
The File MRU in Office 2007 records the last 50 accessed documents. Functional in Excel, PowerPoint and Word (2010 adds Access).

17 MRUs - MS Office 2007 / 2010
Office 2007 has a date/time identifier in each MRU entry: a 64-bit Windows date/time stamp (FILETIME) identifying: Excel – last opened by user; PowerPoint – last saved by user; Word – last opened by user. Note: this date stamp is stored as Unicode text in a big-endian (most significant digit first) format, the [T...] segment of the entry. Registry Viewer currently does not have a converter that can read these values.

18 MRUs – MS Office 2007 / 2010
Copy the hex digits from the [T...] segment and decode them as a FILETIME to view the date/time of the open or save.
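Since Registry Viewer cannot convert the text timestamp, this added example (not AccessData's code, not from the deck) does the "copy and decode" step of slide 18 in code. The two entry strings are constructed to the documented shape [F…][T…][O…]*path, where the [O…] segment exists only in Office 2010; the [T…] digits are a 64-bit FILETIME written most significant digit first, which is the big-endian text slide 17 refers to.

```python
"""Decode the [T...] FILETIME text inside an Office 2007/2010 File MRU entry.

Added example, not AccessData's code.  The entry strings are constructed to the
documented shape  [F<8 hex>][T<16 hex>][O<8 hex>]*<path>  (the [O...] segment
is present in Office 2010 only); the 16 hex digits are a 64-bit FILETIME
written most-significant digit first, which is the big-endian text the slide
refers to.
"""
import re
from datetime import datetime, timedelta, timezone

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
_ENTRY_RE = re.compile(
    r"^\[F(?P<f>[0-9A-Fa-f]{8})\]\[T(?P<t>[0-9A-Fa-f]{16})\](?:\[O(?P<o>[0-9A-Fa-f]{8})\])?\*(?P<path>.*)$"
)


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME = 100-ns intervals since 1601-01-01 UTC."""
    return _EPOCH_1601 + timedelta(microseconds=filetime // 10)


def parse_office_mru_entry(entry: str) -> dict:
    """Split an Office File MRU string and convert its T segment to a UTC timestamp."""
    match = _ENTRY_RE.match(entry)
    if match is None:
        raise ValueError("not an Office File MRU entry: %r" % entry)
    t_hex = match.group("t")
    filetime = int(t_hex, 16)                       # text is most-significant nibble first
    return {
        "path": match.group("path"),
        "office2010": match.group("o") is not None,
        "filetime": filetime,
        "when_utc": filetime_to_datetime(filetime),
        # Same timestamp in the byte order a REG_BINARY FILETIME uses, for a viewer that can convert those.
        "filetime_le_hex": bytes.fromhex(t_hex)[::-1].hex(),
    }


# Constructed entries (not from a real hive); the timestamp is 2011-01-19 21:34:37 UTC.
SAMPLE_WORD_2010 = r"[F00000000][T01CBB820ABBDD480][O00000000]*C:\Users\analyst\Documents\Case Notes.docx"
SAMPLE_EXCEL_2007 = r"[F00000000][T01CBB820ABBDD480]*D:\Exports\timeline.xlsx"

if __name__ == "__main__":
    for entry in (SAMPLE_WORD_2010, SAMPLE_EXCEL_2007):
        info = parse_office_mru_entry(entry)
        print(info["when_utc"].isoformat(), info["path"])
```

The decoded value is UTC; convert with the TimeZoneInformation bias from the SYSTEM hive before comparing it with local-time artifacts such as the NetworkList dates. filetime_le_hex is the same eight bytes reversed, which is what you would paste into a tool that expects a REG_BINARY FILETIME.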

19 Windows 7 – Start > Searches

20 Windows 7 – Start > Searches
Set the folders to index at Control Panel > Indexing Options. In the registry, WorkingSetRules (SOFTWARE\Microsoft\Windows Search\CrawlScopeManager\Windows\SystemIndex\WorkingSetRules) displays both default and user-created index locations.

21 TypedPaths – Windows Explorer
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths (paths typed into the Explorer address bar)

22 Windows 7 – UserAssist
Different GUIDs from previous versions: {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} (executable launches) and {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} (shortcut launches). GUIDs are also used to identify paths (known folders) inside the value names. Offsets have changed for the number of application launches and the last date/time launched. The Session ID has been removed. The count value now starts at "1" instead of "5".

23 Windows 7 – UserAssist
Different GUIDs for the Count subkeys. Value names are ROT13 encoded (an obfuscation, not encryption). Within each 72-byte value: Date and Time of Last Launch – offsets 60-67 (FILETIME); Number of Launches – offsets 4-7 (DWORD).
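To put slides 22 and 23 together, here is an added example (not AccessData's code) that decodes one Windows 7 UserAssist entry end to end: ROT13 of the value name, expansion of the leading known-folder GUID, and the counters at the offsets the slide gives. The 72-byte value is constructed; the focus count (8-11) and focus time (12-15) are not on the slide and come from the documented Windows 7 layout; the one-entry known-folder table is an assumption of the example (FOLDERID_System only).

```python
"""Decode a Windows 7 UserAssist Count entry: ROT13 name plus run count and last-run FILETIME.

Added example, not AccessData's code.  The 72-byte value below is constructed to
the Windows 7 layout the slide gives (run count at offsets 4-7, last launch
FILETIME at 60-67); the focus count (8-11) and focus time in ms (12-15) are
beyond the slide and taken from the documented Windows 7 layout.  The known-folder
table holds one entry, FOLDERID_System, so the GUID in the sample resolves.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
KNOWN_FOLDERS = {"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"%SystemRoot%\System32"}


def rot13(name: str) -> str:
    """UserAssist value names are ROT13 obfuscated (letters only; digits, braces and dashes pass through)."""
    return codecs.decode(name, "rot_13")


def expand_known_folder(path: str) -> str:
    """Replace a leading {GUID} with its folder when the GUID is in the table."""
    if path.startswith("{"):
        guid, sep, rest = path.partition("}")
        folder = KNOWN_FOLDERS.get((guid + sep).upper())
        if folder:
            return folder + rest
    return path


def parse_userassist(value_name: str, data: bytes) -> dict:
    if len(data) != 72:
        raise ValueError("Windows 7 UserAssist values are 72 bytes, got %d" % len(data))
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    last_run = struct.unpack_from("<Q", data, 60)[0]
    decoded = rot13(value_name)
    return {
        "name": decoded,
        "path": expand_known_folder(decoded),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_ms": focus_ms,
        "last_run_utc": (_EPOCH_1601 + timedelta(microseconds=last_run // 10)) if last_run else None,
    }


# Constructed sample: name is "{1AC14E77-...}\cmd.exe" after ROT13; 7 runs; last run 2011-01-19 21:34:37 UTC.
SAMPLE_NAME = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr"
SAMPLE_VALUE = (
    struct.pack("<IIII", 0, 7, 3, 4500)       # offsets 0-15: unknown, run count, focus count, focus ms
    + b"\x00" * 44                             # offsets 16-59: not decoded here
    + struct.pack("<Q", 0x01CBB820ABBDD480)   # offsets 60-67: last launch FILETIME
    + b"\x00" * 4                              # offsets 68-71
)

if __name__ == "__main__":
    print(parse_userassist(SAMPLE_NAME, SAMPLE_VALUE))
```

A last-run FILETIME of zero is reported as None rather than 1601-01-01, which is what you see for entries Windows pre-populates without ever launching them.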

24 Protected Storage
Internet Explorer IntelliForms (NTUSER.DAT\Software\Microsoft\Internet Explorer\IntelliForms): Storage1 – queries and form data; Storage2 – stored logon passwords.

25 Data Protection Application Programming Interface (DPAPI)
Protected Storage is encrypted using the Windows DPAPI. The cryptographic system uses: the user's logon password (which protects the master keys), the user's Protect folder (%APPDATA%\Microsoft\Protect\<SID>, holding the master keys) and the URL or query header (used as additional entropy).

26 Cracking Protected Storage DPAPI
Export from the image:
NTUSER.DAT of the suspect (stored encrypted data)
SAM and SYSTEM files (for the logon password)
Low History index.dat file (for website passwords; the URL is needed as entropy)
User's Protect folder (DPAPI master keys)
Attack the user's logon password: drop the SAM file into PRTK, point PRTK to the SYSTEM file, and create an empty text file to parse the results to.

27 NTUSER.DAT Protected Storage Attack - PRTK
Inputs: Protect folder, logon password, index.dat history; results are written to the text file.

28 UsrClass.dat - MuiCache
Windows 7 stores MuiCache in UsrClass.dat (UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\MuiCache); Windows XP stored it in NTUSER.DAT (Software\Microsoft\Windows\ShellNoRoam\MUICache).

29 D&T Synch via Internet – File Sys

30 D&T Synch via Internet - Registry
SYSTEM\ControlSet###\services\W32Time\Parameters, value Type: Type = NTP (enabled), Type = NoSync (disabled). Resolve ### from SYSTEM\Select\Current.

31 Transition to 64-bit Windows
Requires 32-bit backwards compatibility, which takes a few tricks to run 32-bit apps.
File system: 32-bit utilities are in Windows\SysWOW64; System32 contains the 64-bit utilities.
Registry: 32-bit keysets are under Wow6432Node, located in these files: NTUSER.DAT, SOFTWARE.

32 SAM – Multiple Profile Issues
User subkeys under SAM\SAM\Domains\Account\Users are named by RID in hex (e.g. 0x3F6 = 1014 decimal); match each to its user name through the Names subkey.

33 SAM File Information
Resolution of SID to user; user profiles/names; password hint; user tile (user icon).

34 SAM File – F Value Properties
F value: Last Logon Time – offsets 8-15 (FILETIME); RID – offsets 48-49 (the low bytes of a DWORD at 48-51); Logon Count – offsets 66-67.

35 SAM File – V Value Properties
V value: user name, description, user full name, each located through the offset/length table at the start of the value (offsets are relative to 0xCC).
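Slides 34 and 35 give the F and V offsets; this added example (not AccessData's code) parses both for one user so the RID, timestamps and strings come out together. The F and V values are constructed for the RID 0x3F6 = 1014 account from slide 32. Beyond the slides, it also reads the documented neighbours in F (password-last-set at 24-31, ACB flags at 56-57, failed-logon count at 64-65) and the V header entries 1 to 3 (user name, full name, comment).

```python
"""Parse the F and V values of a SAM user subkey.

Added example, not AccessData's code.  Offsets follow the slides (F: last logon
at 8-15, RID at 48-51, logon count at 66-67) plus the documented neighbours
(password-last-set at 24-31, ACB flags at 56-57, failed-logon count at 64-65)
and the V header, where each 12-byte entry holds an offset and length relative
to 0xCC (entry 1 user name, 2 full name, 3 comment).  Both values are
constructed for the RID 0x3F6 = 1014 user of the earlier slide.
"""
import struct
from datetime import datetime, timedelta, timezone

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACB_FLAGS = {0x0001: "DISABLED", 0x0004: "PWNOTREQ", 0x0010: "NORMAL", 0x0200: "PWNOEXP", 0x0400: "AUTOLOCK"}


def _filetime(ft: int):
    """0 and 0x7FFFFFFFFFFFFFFF both mean 'never' in SAM timestamps."""
    return None if ft in (0, 0x7FFFFFFFFFFFFFFF) else _EPOCH_1601 + timedelta(microseconds=ft // 10)


def _v_string(v: bytes, entry: int) -> str:
    off, length = struct.unpack_from("<II", v, entry * 12)
    return v[0xCC + off: 0xCC + off + length].decode("utf-16-le")


def rid_subkey_name(rid: int) -> str:
    """Users subkeys are named by RID as 8 hex digits, e.g. 1014 -> 000003F6."""
    return "%08X" % rid


def parse_sam_user(f: bytes, v: bytes) -> dict:
    last_logon = struct.unpack_from("<Q", f, 8)[0]
    pw_set = struct.unpack_from("<Q", f, 24)[0]
    rid = struct.unpack_from("<I", f, 48)[0]
    flags = struct.unpack_from("<H", f, 56)[0]
    failed, logons = struct.unpack_from("<HH", f, 64)
    return {
        "rid": rid,
        "rid_subkey": rid_subkey_name(rid),
        "username": _v_string(v, 1),
        "fullname": _v_string(v, 2),
        "comment": _v_string(v, 3),
        "last_logon_utc": _filetime(last_logon),
        "password_set_utc": _filetime(pw_set),
        "flags": [name for bit, name in sorted(ACB_FLAGS.items()) if flags & bit],
        "failed_logons": failed,
        "logon_count": logons,
    }


def _build_v(username: str, fullname: str, comment: str) -> bytes:
    """Constructed V value: 0xCC-byte header of (offset, length) entries, then the UTF-16LE data."""
    header, data = bytearray(0xCC), b""
    for entry, text in ((1, username), (2, fullname), (3, comment)):
        enc = text.encode("utf-16-le")
        struct.pack_into("<II", header, entry * 12, len(data), len(enc))
        data += enc
    return bytes(header) + data


# Constructed values (not exported from a real SAM).
_f = bytearray(80)
struct.pack_into("<Q", _f, 8, 0x01CBB820ABBDD480)   # last logon 2011-01-19 21:34:37 UTC
struct.pack_into("<I", _f, 48, 0x3F6)               # RID 1014
struct.pack_into("<H", _f, 56, 0x0214)              # NORMAL | PWNOEXP | PWNOTREQ
struct.pack_into("<HH", _f, 64, 2, 41)              # 2 failed logons, 41 logons
SAMPLE_F = bytes(_f)
SAMPLE_V = _build_v("jdoe", "Jane Doe", "Forensics lab account")

if __name__ == "__main__":
    print(parse_sam_user(SAMPLE_F, SAMPLE_V))
```

The password-last-set field is left at zero in the sample and comes back as None, the same way a never-set timestamp reads in a real hive; an account whose flags include DISABLED or AUTOLOCK at the time of imaging is worth noting against its last_logon_utc.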

36 SAM File – Groups
Administrative tool used to assign rights to a collection of users. Custom groups are located at SAM\SAM\Domains\Account\Aliases. Useful in corporate investigations to see if a person had specific rights to accomplish a task, or to determine missing RIDs.
RID hex = decimal: 1F4 = 500, 1F5 = 501, 3E8 = 1000, 3E9 = 1001, 3EA = 1002, 3EB = 1003, 3EC = 1004, 3ED = 1005

37 SYSTEM File
Computer name, mounted devices, time zone information, last accessed date/time.

38 ComputerName Subkey
SYSTEM\ControlSet###\Control\ComputerName: ComputerName holds the name set by the user, ActiveComputerName the name currently in use. After a change of computer name, both values will change upon reboot (ActiveComputerName catches up with ComputerName).

39 SYSTEM File – MountedDevices
Tracking HDDs in the image: \DosDevices\F: records the current partition on the physical F drive. The persistent value remains even if the F drive is overwritten, so a stale entry may no longer match any disk in the image.

40 SYSTEM File - MountedDevices
The drive ID listed in MountedDevices is the 4-byte disk signature stored in the MBR at offset 440 (0x1B8), followed by the partition's starting byte offset.
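The check behind slides 39 and 40 (does this \DosDevices\F: value still belong to a disk in the image?) is worth automating, so here is an added example, not AccessData's code. It reads the disk signature at MBR offset 440 and the partition table at 446, parses the 12-byte MountedDevices value as signature plus partition byte offset, and reports the matching partition or None. The 512-byte MBR and both registry values are constructed; GPT ("DMIO:ID:" + GUID) and removable-device (UTF-16 path) values are only classified, not matched.

```python
"""Match a MountedDevices \\DosDevices\\X: value to the MBR of a disk in the image.

Added example, not AccessData's code.  For an MBR disk the 12-byte value is the
4-byte disk signature (MBR offset 440) followed by the partition's starting
byte offset as a 64-bit little-endian integer; GPT disks use a "DMIO:ID:" +
GUID value and removable devices a UTF-16 device path, which are only labelled
here.  The 512-byte MBR and both registry values are constructed.
"""
import struct

SECTOR = 512


def mbr_disk_signature(mbr: bytes) -> bytes:
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR sector")
    return mbr[440:444]


def mbr_partitions(mbr: bytes) -> list:
    """The four 16-byte primary partition entries at offset 446."""
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        start_lba, sectors = struct.unpack_from("<II", entry, 8)
        if entry[4]:                                  # partition type 0 = unused slot
            parts.append({"index": i, "type": entry[4], "bootable": entry[0] == 0x80,
                          "start_lba": start_lba, "sectors": sectors})
    return parts


def parse_mounted_device(value: bytes) -> dict:
    if len(value) == 12:
        signature, offset = struct.unpack("<4sQ", value)
        return {"kind": "mbr", "signature": signature, "partition_offset": offset}
    if value.startswith(b"DMIO:ID:"):
        return {"kind": "gpt", "partition_guid": value[8:24]}
    return {"kind": "device", "path": value.decode("utf-16-le", "replace")}


def match_volume_to_mbr(value: bytes, mbr: bytes):
    """Return the MBR partition this registry value points at, or None if signature/offset do not agree."""
    dev = parse_mounted_device(value)
    if dev["kind"] != "mbr" or dev["signature"] != mbr_disk_signature(mbr):
        return None
    for part in mbr_partitions(mbr):
        if part["start_lba"] * SECTOR == dev["partition_offset"]:
            return part
    return None


# Constructed MBR: signature 8B 3E 5C A1 at 440, one NTFS partition starting at LBA 2048.
_mbr = bytearray(SECTOR)
_mbr[440:444] = b"\x8b\x3e\x5c\xa1"
struct.pack_into("<B3xB3xII", _mbr, 446, 0x80, 0x07, 2048, 204800)   # boot flag, type, start LBA, sectors
_mbr[510:512] = b"\x55\xaa"
SAMPLE_MBR = bytes(_mbr)

# \DosDevices\F: as it would read for that partition, and a stale value left from an earlier F: drive.
SAMPLE_F_CURRENT = struct.pack("<4sQ", b"\x8b\x3e\x5c\xa1", 2048 * SECTOR)
SAMPLE_F_STALE = struct.pack("<4sQ", b"\x11\x22\x33\x44", 63 * SECTOR)

if __name__ == "__main__":
    print(match_volume_to_mbr(SAMPLE_F_CURRENT, SAMPLE_MBR))
    print(match_volume_to_mbr(SAMPLE_F_STALE, SAMPLE_MBR))
```

Registry Viewer shows the signature as the four bytes in stored order (8B 3E 5C A1 here); as a little-endian DWORD that is 0xA15C3E8B, so compare bytes, not printed integers, when reading the value off a hex view of the MBR.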

41 SYSTEM File – Time Zone Info
SYSTEM\ControlSet###\Control\TimeZoneInformation, value DynamicDaylightTimeDisabled: 0 = Automatic Adjustment for Daylight Time is turned ON; 1 = Automatic Adjustment for Daylight Time is turned OFF.

42 SYSTEM File – Last Access Date
SYSTEM\ControlSet###\Control\FileSystem, value NtfsDisableLastAccessUpdate

43 Last Access Date/Time
NtfsDisableLastAccessUpdate: 1 = updating disabled (the default since Vista); 0 = updating enabled (changed by the user).

44 SOFTWARE File
Microsoft\Windows NT\CurrentVersion: RegisteredOwner; operating system type (ProductName); operating system installation date/time (InstallDate, a count of seconds since the Unix epoch).

45 Last Logged On User
SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI: LastLoggedOnUser holds computer name\user name. The key's last written time is recorded as the system powers down.

46 Wireless in Windows 7 – SSID (Service Set Identifier)
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\<guid>. Category: 0 = Public, 1 = Home, 2 = Work. Managed: 0 = Unmanaged, 1 = Managed.

47 Date and Time Translation
DateCreated / DateLastConnected are 16-byte SYSTEMTIME structures of little-endian 16-bit words (bytes reconstructed from the slide's example values):
Year         D7 07 = 2007
Month        06 00 = June
Day of Week  04 00 = Thursday (0 = Sunday, 1 = Monday, 2 = Tuesday, etc.)
Day of Month 0E 00 = 14th
Hour         10 00 = 16
Minutes      1B 00 = 27
Seconds      2A 00 = 42
Milliseconds AB 00 = 171
NOTE: The time is displayed in local time to the machine.

48 Managed versus Unmanaged
ProfileName; DefaultGatewayMac is the MAC address of the remote system's gateway. Managed: remote server (domain). Unmanaged: wireless router.

49 Media Access Control (MAC Address)

50 Date and Time Translation
Before we start, look at the dates and times of the Profiles subkey for comparative purposes. The next series of slides will track this Verizon device through the wireless keys.

51 Date and Time Translation
DateCreated: 10/21/2010 09:02:48. DateLastConnected: 01/19/2011 21:34:37. NOTE: this stored date and time is based on local machine time, not UTC.
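Slides 47 and 51 both decode the same 16-byte structure by hand, so one added example (not AccessData's code) covers both: it parses a SYSTEMTIME, labels the day of week, and cross-checks that stored day of week against the calendar date, a cheap tamper and mis-parse check. The first sample is the byte pattern reconstructed from slide 47's values; the second is constructed for slide 51's DateCreated. No time zone is stored, so the result is the machine's local time, as the slides note.

```python
"""Decode the 16-byte SYSTEMTIME in NetworkList Profiles DateCreated / DateLastConnected.

Added example, not AccessData's code.  The layout is eight little-endian
16-bit words: year, month, day of week (0 = Sunday), day, hour, minute, second,
millisecond, with no time zone, so the result is the machine's local time as
the slides note.  The first sample is the byte pattern reconstructed from the
slide's 2007-06-14 16:27:42.171 Thursday values; the second is constructed for
the DateCreated shown on the slide.
"""
import struct
from datetime import datetime

WEEKDAYS = ("Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday")


def parse_systemtime(blob: bytes) -> dict:
    if len(blob) != 16:
        raise ValueError("SYSTEMTIME is 16 bytes, got %d" % len(blob))
    year, month, dow, day, hour, minute, second, ms = struct.unpack("<8H", blob)
    local = datetime(year, month, day, hour, minute, second, ms * 1000)
    # Cross-check: the stored day of week must agree with the calendar (Python: Monday = 0, SYSTEMTIME: Sunday = 0).
    consistent = (local.weekday() + 1) % 7 == dow
    return {"local": local, "iso": local.isoformat(timespec="milliseconds"),
            "weekday": WEEKDAYS[dow], "weekday_consistent": consistent}


def encode_systemtime(local: datetime) -> bytes:
    """Reverse direction, handy for building test data or searching a hive for a known local time."""
    return struct.pack("<8H", local.year, local.month, (local.weekday() + 1) % 7, local.day,
                       local.hour, local.minute, local.second, local.microsecond // 1000)


SLIDE_SAMPLE = bytes.fromhex("d707 0600 0400 0e00 1000 1b00 2a00 ab00")        # 2007-06-14 Thu 16:27:42.171
DATE_CREATED_SAMPLE = encode_systemtime(datetime(2010, 10, 21, 9, 2, 48))      # constructed for slide 51

if __name__ == "__main__":
    for blob in (SLIDE_SAMPLE, DATE_CREATED_SAMPLE):
        info = parse_systemtime(blob)
        print(blob.hex(), info["iso"], info["weekday"], info["weekday_consistent"])
```

A weekday_consistent of False means the value was edited, the offset is wrong, or the hive is damaged; a real Windows-written SYSTEMTIME always agrees with the calendar.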

52 Wireless Registration
The Wireless subkey name (NetworkList\Nla\Wireless) is an ID number for the wireless connection. Because this key is written during the original connection only, it retains the date and time of first connection.

53 Unmanaged
The identifier can be traced from the Wireless subkey to the Unmanaged subkey (NetworkList\Signatures\Unmanaged). Note the header before the identifier in the Unmanaged subkey name.

54 Unmanaged subkey
The Unmanaged subkey provides: ProfileGuid, Description, FirstNetwork, DefaultGatewayMac. Again, because this subkey is generally written to only during creation, its last written time stores the first connection date and time.

55 Profiles
Since this key is subject to modification with each new connection, its last written time is indicative of the last connected time as well. The ProfileGuid in Unmanaged points to the device's information in the Profiles subkey.

56 Wireless User
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\<guid> (in NTUSER.DAT)

57 Wireless User
At the bottom of the Wpad keys will be a series of MAC addresses. Once backtracked to the Unmanaged key, the ProfileGUID allows checking the other user connections through this device; these can be matched up to the MAC addresses listed in the Unmanaged keyset. During testing, times did not match exactly but were close for the first connect time.

58 Recycle Bin
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\<volume GUID>: MaxCapacity (MB); NukeOnDelete: 0 = Recycle Bin on (deleted files are retained), 1 = off (files are deleted immediately, bypassing the bin).

59 SECURITY File
LSA secrets: old password cache for domain storage; last logged on user password cache (the autologon DefaultPassword).

60 Password Recovery
SECURITY\Policy\Secrets\DefaultPassword: CurrVal = current password, OldVal = previous password. This is the autologon password stored as an LSA secret; it is decrypted with the LSA key derived from the SYSTEM hive.

61 Module Review
Registry files of forensic importance: NTUSER.DAT, SAM, SYSTEM, SOFTWARE, SECURITY.
