ACCESSDATA® FORENSICS: Windows 7 Registry Introduction (Forensic Analysis, Incident Response, eDiscovery, Information Assurance)
Module Objectives: defining the Windows Registry; forensic benefits of the Registry; the Registry structure; Registry navigation; obtaining Registry files; Registry search and reporting
What is the Registry? Microsoft definition: “…a central hierarchical database used … to store information that is necessary to configure the system for one or more users, applications and hardware devices.”
Forensic Benefits of the Registry: MRU (most recently used) lists; typed URLs; installed applications; installed devices; system time and time-zone settings; registered user information; passwords and password hashes; Internet search queries and form data; network settings and connection history; the last written date and time of every Registry key
Hives and Symbolic Links: only HKLM and HKU are backed by hive files. HKCU is a link to HKU\<SID> of the logged-on user, HKCC is a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current, and HKCR is a merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes. When working from hive files, look for data under the real location, not the link.
Hive Files in the File System
C:\Windows\System32\config: the system hives (SAM, SECURITY, SOFTWARE, SYSTEM, DEFAULT)
C:\Users\<username>\NTUSER.DAT: the per-user hive (mounted as HKU\<SID>)
C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat: the per-user classes hive
HARDWARE: built in memory at boot; it has no file on disk
BCD (Boot Configuration Data): introduced with Vista / Windows Server 2008 (per the Microsoft TechNet article), stored as C:\Boot\BCD; on Windows 7 it lives in the \Boot folder of the 100 MB System Reserved partition, which has no drive letter, so carve it from the image rather than the C: volume
Registry Editor Navigation: Hive > Key > Subkey > Value; each value has a value name, a data type and value data
Values: values are name-data pairs attached to a key. They are stored in their own cells in the hive, separate from the key record that references them, and unlike keys they cannot contain children.
Value Types: REG_SZ (string; null-terminated UTF-16LE, human readable); REG_BINARY (raw bytes, machine readable); REG_DWORD (32-bit little-endian integer, displayed unsigned but often meant as signed, e.g. time-zone bias); REG_EXPAND_SZ (string containing environment-variable references such as %SystemRoot% that are expanded when read); REG_MULTI_SZ (list of strings, each null-terminated, with an extra null ending the list)
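The following decoder is an added example (not AccessData's code) showing how each value type above is laid out in the hive bytes and how to turn it back into a usable value: UTF-16LE strings with their terminator, little-endian integers (with the signed reinterpretation), null-separated multi-strings and environment expansion. The sample values are constructed inline in hive byte layout; the value names and data are made up for the demonstration.

```python
"""Decode raw registry value data by REG_* type.

Added example, not AccessData's code. The sample values are constructed
here in the byte layout Windows writes to the hive (UTF-16LE strings,
little-endian integers), so the decoder runs without a real hive file.
"""
import re
import struct
from typing import Optional

REG_SZ = 1          # null-terminated UTF-16LE string
REG_EXPAND_SZ = 2   # same, but %VAR% references are expanded when used
REG_BINARY = 3      # arbitrary bytes
REG_DWORD = 4       # 32-bit little-endian integer
REG_DWORD_BIG_ENDIAN = 5
REG_MULTI_SZ = 7    # strings, each null-terminated, list ended by an extra null
REG_QWORD = 11      # 64-bit little-endian integer


def expand_environment(text: str, env: dict) -> str:
    """Replace %NAME% with env['NAME'] (case-insensitive); unknown names stay as-is."""
    upper = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: upper.get(m.group(1).upper(), m.group(0)), text)


def decode_string(raw: bytes) -> str:
    """UTF-16LE, cut at the first null terminator (some writers omit it entirely)."""
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def decode_value(vtype: int, raw: bytes, env: Optional[dict] = None):
    """Turn raw value data into a Python object according to its type."""
    if vtype == REG_SZ:
        return decode_string(raw)
    if vtype == REG_EXPAND_SZ:
        text = decode_string(raw)
        return expand_environment(text, env) if env else text
    if vtype == REG_DWORD:
        if len(raw) != 4:
            raise ValueError(f"REG_DWORD must be 4 bytes, got {len(raw)}")
        return struct.unpack("<I", raw)[0]
    if vtype == REG_DWORD_BIG_ENDIAN:
        return struct.unpack(">I", raw)[0]
    if vtype == REG_QWORD:
        return struct.unpack("<Q", raw)[0]
    if vtype == REG_MULTI_SZ:
        text = raw.decode("utf-16-le", errors="replace")
        return [s for s in text.split("\x00") if s]   # drops the double-null terminator
    if vtype == REG_BINARY:
        return raw.hex()
    raise ValueError(f"unsupported value type {vtype}")


def dword_as_signed(value: int) -> int:
    """Reinterpret an unsigned 32-bit DWORD as signed (0xFFFFFFFF becomes -1)."""
    return struct.unpack("<i", struct.pack("<I", value))[0]


# Constructed sample values in hive byte layout (not taken from a real system).
SAMPLE_VALUES = {
    "ProductName": (REG_SZ, "Windows 7 Ultimate".encode("utf-16-le") + b"\x00\x00"),
    "SystemRoot": (REG_EXPAND_SZ, "%SystemRoot%\\system32".encode("utf-16-le") + b"\x00\x00"),
    "ShutdownCount": (REG_DWORD, b"\x13\x00\x00\x00"),
    "TimeZoneBias": (REG_DWORD, b"\xff\xff\xff\xff"),
    "Hostnames": (REG_MULTI_SZ, "alpha\x00beta\x00\x00".encode("utf-16-le")),
    "Blob": (REG_BINARY, bytes.fromhex("a40000000300000030303030")),
}


def decode_all(values: dict, env: Optional[dict] = None) -> dict:
    """Decode a name -> (type, raw bytes) mapping into name -> Python object."""
    return {name: decode_value(vtype, raw, env) for name, (vtype, raw) in values.items()}


if __name__ == "__main__":
    for name, data in decode_all(SAMPLE_VALUES, {"SystemRoot": "C:\\Windows"}).items():
        print(f"{name:14} {data!r}")
```

Passing an environment to `decode_all` is optional: without one, REG_EXPAND_SZ data is returned unexpanded, which is usually what you want when the hive comes from a dead-box image and the examiner's own %SystemRoot% would be wrong.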
Registry Viewer Navigation: Regedit presents the Registry view with five root keys (HKCR, HKCU, HKLM, HKU, HKCC). Registry Viewer navigates by file rather than by hive: you open the hive files themselves from C:\WINDOWS\system32\config (File System view), so HKLM and HKU appear one file at a time and the symbolic-link roots HKCR, HKCU and HKCC do not exist as separate files.
AccessData Navigation: the user hive is opened from C:\Users\<username>\NTUSER.DAT
Viewing Registry Properties: the key properties pane shows the key's last written time and decodes known binary values; for SAM user accounts the RID is read at offset 48-49 (the low bytes of the 4-byte RID field in the account's F value)
Accessing Live Registry Files: Registry Viewer cannot load the active Registry files. The Windows API keeps the hive files open with exclusive access while the system is running, so a normal copy fails.
Accessing Registry Files
Live system: Regedit export; FTK Imager (reads the locked files from the raw volume); a copy of RegBack
Dead-box image: RegBack; FTK Imager; FTK
RegBack: C:\Windows\System32\config\RegBack holds the scheduled backups of the system hives (Vista: every 10 days; Windows 7: every 14 days), so its copies can lag the live hives by up to that interval; compare its timestamps with the live files before relying on it.
Caveat: a Regedit export is a .reg text file rather than a hive image; it preserves keys, names and data but not the hive's binary structure or the per-key last-written timestamps, so prefer a raw copy of the hive file where the timeline matters.
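A hive copied from a running system with FTK Imager, or pulled from RegBack, should be sanity-checked before analysis. The base block at the start of every hive ("regf" signature) carries two sequence numbers that match only when no write was in flight, the hive's last-written FILETIME, and an XOR checksum. The following check is an added example (not AccessData's code): it builds two sample headers in memory so it runs offline, and the hive name in the sample is made up. The FILETIME conversion is the same one needed for each key's last-written time.

```python
"""Check a copied registry hive's header before trusting it.

Added example, not AccessData's code. The hive headers here are built in
memory (no real hive is read) following the 'regf' base-block layout,
so the check runs offline; the hive name in the sample is made up.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_SIZE = 4096


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME: 100 ns ticks since 1601-01-01 UTC (also used for key last-written times)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def header_checksum(hdr: bytes) -> int:
    """XOR of the 127 DWORDs in bytes 0..507; 0 is stored as 1 and 0xFFFFFFFF as 0xFFFFFFFE."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", hdr[:508]):
        x ^= dword
    return 1 if x == 0 else (0xFFFFFFFE if x == 0xFFFFFFFF else x)


def is_hive_file(data: bytes) -> bool:
    return len(data) >= HEADER_SIZE and data[:4] == b"regf"


def parse_regf_header(data: bytes) -> dict:
    """Read the base-block fields that matter when validating a copied hive."""
    if not is_hive_file(data):
        raise ValueError("not a registry hive: missing 'regf' signature")
    seq1, seq2 = struct.unpack_from("<II", data, 4)       # primary / secondary sequence numbers
    (last_written,) = struct.unpack_from("<Q", data, 12)
    major, minor, file_type = struct.unpack_from("<III", data, 20)
    root_offset, hbins_size = struct.unpack_from("<II", data, 36)
    name = data[48:112].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    (stored,) = struct.unpack_from("<I", data, 508)
    return {
        "hive_name": name,
        "version": f"{major}.{minor}",
        "is_primary": file_type == 0,           # 1 would be a transaction log (.LOG)
        "primary_seq": seq1,
        "secondary_seq": seq2,
        "consistent": seq1 == seq2,             # mismatch: a write was in flight when the file was copied
        "last_written": filetime_to_datetime(last_written),
        "root_cell_offset": HEADER_SIZE + root_offset,   # cell offsets are relative to the first hbin
        "hbins_size": hbins_size,
        "checksum_ok": stored == header_checksum(data),
    }


def build_sample_header(seq1: int, seq2: int, last_written: datetime,
                        name: str = "config\\SYSTEM") -> bytes:
    """Construct a minimal base block for testing (a real hive has hbins after it)."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:4] = b"regf"
    struct.pack_into("<II", hdr, 4, seq1, seq2)
    struct.pack_into("<Q", hdr, 12, datetime_to_filetime(last_written))
    struct.pack_into("<IIII", hdr, 20, 1, 3, 0, 1)   # version 1.3 (typical of Windows 7), primary, format 1
    struct.pack_into("<II", hdr, 36, 0x20, 0x1000)   # root cell offset, total hbin size
    encoded = name.encode("utf-16-le")[:64]          # 64-byte UTF-16 name field
    hdr[48:48 + len(encoded)] = encoded
    struct.pack_into("<I", hdr, 508, header_checksum(hdr))
    return bytes(hdr)


if __name__ == "__main__":
    when = datetime(2011, 3, 15, 10, 30, tzinfo=timezone.utc)
    for label, hive in (("clean copy", build_sample_header(7, 7, when)),
                        ("copied mid-write", build_sample_header(8, 7, when))):
        info = parse_regf_header(hive)
        print(label, info["hive_name"], info["last_written"].isoformat(),
              "consistent" if info["consistent"] else "DIRTY: replay the .LOG or re-acquire")
```

A mismatch between the two sequence numbers is not fatal, but it means the copy does not reflect the last transaction; either acquire the matching .LOG file alongside the hive or take the copy again. A bad checksum usually means the copy is truncated or was carved from the wrong offset.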
Obtaining Registry Files
Applications Using the Registry: the Registry is updated while an application runs, but some applications do not write their settings until they exit. Be mindful of this when seizing a live system: closing an application before acquisition can change the hives, and pulling the plug can lose settings that were never written.
Searching the Registry: Registry Viewer has three types of search: Quick Find, Advanced Find, and Search by Last Written Date
Quick Find: searches the selected key and all of its child keys for the text, matching key names, value names and value data
Advanced Find: select the search type first (which part of the Registry the text is matched against) so the results are limited to key names, value names or data
Search by Last Written Date: returns the keys whose last written time falls within the selected date range; useful for finding what changed around the time of an incident
Registry Reports: reports are produced in HTML and display the properties of the selected keys
Summary Reports: allow individual values to be added; accept wildcards on both keys and values; become a template that can be run against other Registry files. Summary reports are a two-step process: create the report with Define, then run it with Manage.
Module Review: defining the Windows Registry; forensic benefits of the Registry; the Registry structure; Registry navigation; obtaining Registry files; Registry search and reporting