ACCESSDATA® FORENSICS Windows 7 Registry Introduction Forensic Analysis Incident Response eDiscovery Information Assurance

Module Objectives Defining the Windows Registry Forensic benefits of the Registry The Registry structure Registry Navigation Obtaining Registry Files Registry Search and Reporting

What is the Registry? Microsoft definition: “…a central hierarchical database used … to store information that is necessary to configure the system for one or more users, applications and hardware devices.”

Forensic Benefits of the Registry MRUs Typed URLs Installed apps Installed devices System time settings Registered user information Passwords and password hashes Internet search queries and form data Network setting and connection information Date and Time information of Registry key updates

Hives – Symbolic Links

Hive Files in the File System C:\Boot  HARDWARE built on boot C:\Windows\System32\config C:\Users\%%%%\ C:\Users\%%%%\AppData\Local\Microsoft\Windows BCD started in Vista. Now Vista / Windows 2008 Server according to MS Tech Net article: Now in Windows 7, located in 100 MB System Reserved Partition

Registry Editor Navigation Value Name Data Type Value data Hive Key Sub Key Value

Values Values are associated with subkeys in name-data pairs Stored independently from their subkeys Name Data

Value Types REG_SZ String Value Human readable REG_BINARY Binary Value Machine readable REG_DWORD Number 4 bytes Integer / Signed Integer REG_EXPAND_SZ Takes a variable REG_MULTI_SZ List of values

Registry Viewer navigates by file rather than by hive Registry Viewer Navigation C:\WINDOWS\system32\config HKCR File System HKCU HKLM Registry HKU HKCC Registry Viewer navigates by file rather than by hive

AccessData Navigation C:\Users\<username>\NTUSER.DAT

Viewing Registry Properties RID – Offset 48-49

Accessing Live Registry Files Registry Viewer is unable to load active Reg. Files Windows API’s protects registry files while the system is up and running.

C:\Windows\System32\config\RegBack Accessing Registry Files Live System – Regedit Export Live System – FTK Imager Live System – RegBack Dead Box Image – RegBack Dead Box Image – FTK Imager Dead Box Image – FTK Vista – 10 Days Win7 – 14 Days C:\Windows\System32\config\RegBack

Obtaining Registry Files

Applications Using the Registry During application use the Registry will be updated Some applications do not update until exited Be mindful when seizing a live system

Searching the Registry Registry Viewer has three types of searches Quick Find Advanced Find Search by Last Written Date

Searches in the selected key and its children Quick Find Search Searches in the selected key and its children

Advanced Find Search Select search type

Searching by Date

Registry Reports Reports in html Display key properties

Summary Reports Allows addition of single values Takes wildcards on both keys and values Becomes a template for other Registry files Summary reports are a two step process: Create it with Define Run it with Manage

Summary Reports

Module Review Defining the Windows Registry Forensic benefits of the Registry The Registry structure Registry Navigation Obtaining Registry Files Registry Search and Reporting