Registry 101 Registry 201 SAM artifacts

Presentation on theme: "Registry 101 Registry 201 SAM artifacts"— Presentation transcript:

1 Windows Registry I
Registry 101, Registry 201, SAM artifacts

2 Windows Registry
What is the Windows registry?
- A core component of Windows: a hierarchical database of configuration information
- Records when a user had access, the last time the system had access, and when a file was accessed
- Covers hardware, software, users, applications, date and time
What is registry analysis?
- Not just pressing a key and seeing the result
Purpose of the Windows Registry
- Tells the OS and applications what to do, where to put things and how to react
- Examples: clear the page file at shutdown; launch the game after shutdown and logout

3 Registry Editor (regedit)
Access: regedit, reg.exe, Win key+R

4 Registry function
Let's say you start MS Word and open a document from the recent files list:
- The Windows API searches the registry for Word's CLSID identifier (Software -> Classes -> CLSID)
- Windows then reads Word's "recent docs" setting in the registry to identify the document
- Windows then locates the selected file and opens it
A very simplified view!

5 Investigate volatile information
Volatile keys show up when the system boots or a user logs in, and must be collected while the system is still running.
- HKEY_CURRENT_USER hive: does not exist on an acquired image of the system. Contains a VALUE named PROGRAM COUNT: the number of programs you have running on the desktop.
- HKEY_LOCAL_MACHINE\Hardware: information regarding the devices connected
- CurrentControlSet, ControlSet00, ControlSet01
- HKEY_CLASSES_ROOT: when the system boots up, HKEY_LOCAL_MACHINE\Software\Classes; when a user logs in, HKEY_CURRENT_USER\Software\Classes

6

7 Registry import/export
Regedit export (save as type):
- Reg files (*.reg): key-value pairs
- Registry hive files (no extension): binary, for analysis
- Text file backups (*.txt)
Both FTK and FTK Imager can export registry files from an image: either navigate to them and export, or use File > Obtain protected files, which gets the registry files from the running computer.

There are considerable differences between how System Restore works under Windows XP and Windows Vista. In Windows XP, System Restore can be configured to use up to a maximum of 12% of the volume's space for most disk sizes [5]; however, this may be less depending on the volume's size. In Windows Vista, System Restore is designed for larger volumes and cannot be enabled on volumes smaller than 1 GB. [7] By default, it uses 15% of the volume's space. [6] Using the command-line tool Vssadmin.exe, the space reserved can be adjusted.

Up to Windows XP, files are backed up only from certain directories. On Windows Vista, this set of files is defined by monitored extensions outside of the Windows folder, and everything under the Windows folder. [8] Up to Windows XP, it excludes any file types used for users' personal data files, such as documents, digital photographs, media files, etc. It also excludes the monitored set of file types (.DLL, .EXE etc.) from folders such as My Documents. Microsoft recommends that if a user is unsure as to whether certain files will be modified by a rollback, they should keep those files under My Documents. [5] When a rollback is performed, the files that were being monitored by System Restore are restored and newly created folders are removed. On Windows Vista, however, it excludes only document file types; it does not exclude any monitored file type regardless of its location, and operates on the entire volume.

8 Registry backup
Restore points:
- Cover the registry and certain system files
- Stored under C:\System Volume Information
- Created every 24h by default, kept up to 90 days
- Restore points differ greatly between XP and Vista
Regedit restore, 4 ways:
- Import
- Double-click the .reg file
- Right-click the .reg file and choose Merge
- Right-click the .reg file and open it in regedit

9 Registry
Keys have permissions based on user privileges (like NTFS files). Windows Vista uses the C:\WINDOWS\system32\config\regback folder instead of C:\WINDOWS\REPAIR for backups.

10 FTK RV (Registry Viewer)
Note that the "tree" structure is the same as in Windows Explorer. Also note:
- Hive
- Key / Subkey
- Values
- Hex viewer for values
- Properties pane
Q: why is it better to use forensic tools for registry investigation?

11 FTK Registry Viewer
Registry Viewer search (Edit > ...):
- Standard search: quick find
- Advanced search: multiple key hit display
- Date search: search by last written date
Registry reports (Report > ...): select keys and add
- Types: HTML
- Display key properties
- Standard bookmarks show all values
- Summary reports allow value selection

12 Location of the Windows Registry
- DOS: Autoexec.bat (software settings) and Config.sys (hardware settings)
- Windows 3.x: .ini files
- Windows 9x: User.dat, System.dat
- Windows XP: SAM, Security, Software, System
- Windows Vista: SAM, Security, Software, System and Components
User-specific information: NTUSER.dat
- Win 2000, XP, 2003: Documents and Settings directory
- Win 7: Users directory
- USRCLASS.dat

13 Registry issues
- No checksum or ability to self-repair
- No ability to boot if corrupted
- No ability to edit if not booted
- No ability to transfer settings (hive files) to another system; .reg files are OK
- System uses a GUI interface for standard user access
- Not the most user-friendly or efficient interface ...

14 Forensic registry benefits
- MRUs (most recently used)
- Typed URLs
- System users
- Installed devices
- System time settings
- Registered user information
- Passwords and hashes
- Internet search queries and form data
- Date and time information of registry key updates
- Network and wireless settings and connection information
Some applications store the password in clear text in the registry!

15 Hives
Hives are the registry root files and contain subkeys.
- Made up of 4-KB sections or "bins": a regf block followed by hbin blocks
- "regf": the first four bytes of a normal hive file, used to identify the type of registry file
- Every 4096 bytes an "hbin" block
- Name format: HKEY_HIVE_NAME, often shortened to HKCU, HKLM etc. (H = Handle)
- HKLM and HKU are the real hives, created from files at startup; they create the three other hives as well (aliases or links)
(Diagram: regf, hbin, hbin, hbin)

16 Hives
HKU (HKEY_USERS)
- Contains actively loaded user profiles and settings
- Stores information from all users who have ever logged on to the computer
- Default user profile
- Generates HKCU, HKCC and HKCR
(Diagram: HKEY_USERS -> HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER)

17 HKCU (HKEY_CURRENT_USER)
- Contains the profile data of the currently logged-on user, from NTUSER.DAT: preferences, profile areas, mapped drives, MRUs, etc.
- Copied from HKU upon logon
- Is subclassed in HKU > SID
- The Software subkey is the most interesting one; it contains the majority of the information about the user
(Diagram: HKEY_USERS -> HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER)

18 HKCU
C:\Documents and Settings\<username>\NTUSER.dat
In Vista: C:\Users\<username>\NTUSER.dat
Contains HKEY_CURRENT_USER hive information like:
- Open and save files
- Wrapped URLs and commands
Note: sometimes you can find copies of the registry files in the \windows\repair folder (Vista: regback).
Alien Registry Viewer

19 Common areas (Favorites)
MRU = Most Recently Used
Unicode, HKCU

20 HKLM
Contains configuration information for the system (hardware and software):
- HARDWARE: created during boot-up; tracks attached dynamic hardware settings; volatile, not stored as a file
- SAM: stores logon information about local users
- SECURITY: storage of passwords and other security info
- SOFTWARE: records global application information
- SYSTEM: archives info about hardware and system configuration
(Diagram: HKLM -> HKCR, HKCC)

21 HKLM files
Remember (HKLM): each user's profile -> NTUSER.DAT

22 HKCC
- Contains data about the hardware profile
- Is subclassed in HKLM > SYSTEM > CurrentControlSet > Hardware Profiles > Current
- Generally of little forensic interest

23 HKCR
- Contains file extension associations and class registrations, which enable the correct application to start for a given file type
- Is subclassed in HKLM > Software > Classes (global settings) and HKCU > Software > Classes (user settings)
- Example: the "Open with" option when right-clicking a file
HKCR per-user settings are mapped to the file system at:
- C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
- C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat
(Diagram: HKCR subclassed from HKCU > Software > Classes and HKLM > Software > Classes)

24 View active hives Navigate to

25 Hive block structure
Registry files are constructed from two types of building blocks:
- regf blocks
- hbin blocks

26 Hive block structure
The first block of a registry file only has a regf header. The block is 4096 bytes in length and contains:
- Header: offset 0-3, the regf signature
- Last updated date and time (offset 8)
- File name and path information (variable size, from offset 48)

27 Hive block structure
And a variable number of hbin blocks:
- The remaining registry blocks (also 4096 bytes each); the first hbin block begins right after the regf block
- Registry information is stored in hbin blocks; when one hbin block is filled, the system makes a new hbin block
- The space won't be removed, and data is recoverable even after deleting
- Offset 0-3 carries a header (signature)
- Date and time offset is present in the first block

28 Hive block structure
- Header size of 32 bytes
- Hives only grow in size
- Each hbin points to the previous hbin block (offset 4-7)
- Each hbin points to the next hbin block (offset 8-11)
- With an offset, always 0x (= 4 kB in little endian when translated)
- Last updated: offset 20-27, only in the first hbin
(Diagram: file layout regf, hbin, hbin, hbin with file addresses; hbin header fields: signature 0-3, pointer to previous 4-7, pointer to next 8-11; BE [00][10][00][00] vs. LE [00][00][10][00])
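The regf/hbin walk of slides 25-28 as an added example (not part of the original slides): it checks the regf signature, reads the UTF-16LE file name at header offset 48, then steps through the 4 KB hbin blocks decoding the little-endian dwords at 4-7 and 8-11 and the FILETIME at 20-27 of the first hbin. The hive bytes are constructed inline, and the 4-7/8-11 field names follow the slides' previous/next terminology.

```python
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 4096  # the regf header block and every hbin are 4 KB, as the slides state


def filetime_to_datetime(ft):
    """Decode a Windows FILETIME: 64-bit LE count of 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def walk_hive(buf):
    """Validate the regf block, then walk the hbin blocks that follow it."""
    if len(buf) < BLOCK or buf[0:4] != b"regf":
        raise ValueError("bad signature: not a regf hive file")
    # File name/path: UTF-16LE string starting at header offset 48 (slide 26).
    name = buf[48:48 + 64].decode("utf-16-le", "ignore").rstrip("\x00")
    hbins = []
    off = BLOCK                        # the first hbin starts right after the regf block
    while off + BLOCK <= len(buf):
        blk = buf[off:off + BLOCK]
        if blk[0:4] != b"hbin":        # non-hbin data ends the walk
            break
        # Offsets 4-7 and 8-11: the dwords the slides call previous/next pointers.
        # Both are little-endian, so the bytes 00 10 00 00 read as 0x1000 = 4096.
        prev_ptr, next_ptr = struct.unpack_from("<II", blk, 4)
        entry = {"file_offset": off, "prev": prev_ptr, "next": next_ptr}
        if off == BLOCK:               # the FILETIME at 20-27 exists in the first hbin only
            entry["last_written"] = filetime_to_datetime(struct.unpack_from("<Q", blk, 20)[0])
        hbins.append(entry)
        off += BLOCK
    return {"name": name, "hbins": hbins}


def build_sample_hive():
    """Constructed two-block hive for the demo (not a real hive): regf block + one hbin."""
    hdr = bytearray(BLOCK)
    hdr[0:4] = b"regf"
    hdr[48:48 + 20] = "sample\\SAM".encode("utf-16-le")     # constructed path fragment
    hbin = bytearray(BLOCK)
    hbin[0:4] = b"hbin"
    struct.pack_into("<II", hbin, 4, 0, 0x1000)             # prev = 0, next = one 4 KB block
    struct.pack_into("<Q", hbin, 20, 116444736000000000)    # FILETIME of 1970-01-01 00:00 UTC
    return bytes(hdr + hbin)


if __name__ == "__main__":
    print(walk_hive(build_sample_hive()))
```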

29 Registry key cell structure
Each hbin block stores the actual registry information (keys, subkeys, values and data). There are 7 types of cells in an hbin block:
- nk: key name; points to the parent key and to child keys/values
- lf: subkey list (lh in some versions of XP)
- vk: key value; contains the type and a pointer to the data
- sk: security key; contains the Windows security descriptor
- Value list (no header/signature): a simple list of pointers to value records
- Class information (no header/signature)
- Data (no header/signature): variable-length raw value data
Key names are likely to be the most important forensic evidence of this group.
Note! Key names appear reversed here because of endianness.

30 Registry key cell structure

31 Registry value cell structure

32 Registry Value types

33 Resources:

