ABSTRACT
The Windows registry is a core component of the operating system that determines the appearance and behavior of Windows. It is a central repository, a hierarchical database of configuration data for the Windows operating system. It holds configuration data for all installed software applications, device drivers, and the policies pertaining to the system and its users. It controls peripheral devices and how applications run. Every time an application runs in the Windows environment, the first thing it checks is the registry; without access to the registry no application can be started. In other words, Windows eventually fails if the registry fails. The analysis of the Windows registry involves not just viewing data within the registry but extracting, interpreting, and understanding what that data means in its own context and in the context of a forensic investigation.
The project gives an overview of what a forensic investigator, a Windows system administrator, or a network administrator should look for while performing an analysis of the Windows registry, and of the utilities and forensic software tools that can be used to view and examine the registry. The project discusses various registry forensics tools available for Windows operating systems and their features. It mainly focuses on implementing WIRECHADE, a tool used to detect changes made in the registry, covering the design and implementation of the tool and the corresponding test cases generated to test its features.
TABLE OF CONTENTS
Abstract ..... ii
Table of Contents ..... iii
List of Figures ..... v
List of Tables ..... vii
1. Background and Rationale ..... 1
1.1 Registry ..... 1
1.1.1 Hive ..... 2
1.1.2 Key ..... 2
1.1.3 Branch ..... 2
1.2 Registry Editor ..... 8
1.3 Windows 9x Registry ..... 9
1.3.1 Windows 95 Registry ..... 10
1.3.2 Windows 98 Registry ..... 14
1.4 Windows NT Registry ..... 19
1.5 Windows 2000 Registry ..... 21
1.6 Windows XP Registry ..... 23
1.7 Windows Vista Registry ..... 25
1.8 Windows 7 Registry ..... 27
2. Narrative ..... 32
2.1 Last Write Time of a File ..... 32
2.2 AutoRun locations ..... 33
2.3 Files & Folders opened via Common Dialog boxes ..... 35
2.4 Recent Documents ..... 36
2.5 User Assist Key ..... 37
2.6 Last key edited by regedit ..... 39
2.7 Last logged on user ..... 40
2.8 List of Installed USB devices, both connected and unconnected ..... 41
2.9 List of installed USB storage devices ..... 42
2.10 Mounted Devices ..... 43
2.11 Wireless Networks ..... 44
2.12 Internet Explorer ..... 47
2.13 Available Registry Forensics Tools ..... 50
2.13.1 RegRipper ..... 50
2.13.2 RegLookUp ..... 51
2.13.3 Registry Registrar Manager ..... 52
2.13.4 FTK Registry Viewer ..... 53
3. Proposed System Design ..... 57
3.1 WIRECHADE ..... 57
3.2 Namespace ..... 58
3.2.1 Registry Class ..... 58
3.2.2 RegistryKey Class ..... 59
3.2 Classes of the Application ..... 59
3.2 Data Tables ..... 61
3.3 User Interfaces ..... 61
4. Testing and Evaluation ..... 66
4.1 Test Case 1: Extracting the Registry ..... 66
4.2 Test Case 2: Selecting the keys ..... 67
4.3 Test Case 3: Changing a Registry Value ..... 68
4.4 Test Case 4: Deleting a value ..... 71
4.5 Test Case 5: Inserting a Value ..... 73
5. Conclusion ..... 76
5. Bibliography ..... 77
5. APPENDIX A ..... 80
LIST OF FIGURES
Figure 1.1 The Registry Editor ..... 8
Figure 1.2 Components of Windows 95 Registry ..... 11
Figure 1.3 Structure of a Windows 95 registry ..... 13
Figure 1.4 Components of Windows 98 Registry ..... 16
Figure 1.5 Windows 98 Registry Structure ..... 18
Figure 1.6 Windows NT registry components ..... 19
Figure 1.7 Windows NT registry structure ..... 21
Figure 1.8 Windows 2000 Regedit ..... 22
Figure 1.9 Windows 2000 Regedt32 ..... 23
Figure 1.10 Windows XP Registry Structure ..... 24
Figure 1.11 Windows 7 Registry ..... 27
Figure 1.12 Subkey of a registered file type ..... 28
Figure 2.1 Last Write Time ..... 33
Figure 2.2(a) System start up programs ..... 34
Figure 2.2(b) Current user start up programs ..... 34
Figure 2.3(a) ComDlg32 recently opened/saved files ..... 35
Figure 2.3(b) ComDlg32 recently opened/saved folders ..... 36
Figure 2.4 Recent Documents ..... 37
Figure 2.5(a) User Assist keys ..... 38
Figure 2.5(b) ROT-13 Decoder ..... 39
Figure 2.6 Last Edited Key ..... 40
Figure 2.7 Last Logged on user ..... 41
Figure 2.8 USB Devices ..... 42
Figure 2.9 USB Storage Devices ..... 43
Figure 2.10 Mounted Devices ..... 44
Figure 2.11(a) The network List ..... 45
Figure 2.11(b) The network Profiles ..... 46
Figure 2.11(c) The network Settings ..... 47
Figure 2.12(a) Internet Explorer key ..... 48
Figure 2.12(b) Internet Explorer Typed URLs ..... 49
Figure 2.12(c) Internet Explorer Settings ..... 51
Figure 2.14 RegLookUp ..... 52
Figure 2.15 Registry Registrar Manager ..... 53
Figure 2.16 Search Window ..... 54
Figure 2.17 Advanced Search Window ..... 55
Figure 2.18 Summary report of registry viewer ..... 56
Figure 3.1 Classes of the application ..... 60
Figure 3.2 Data Tables ..... 61
Figure 3.3 The Icon menu ..... 62
Figure 3.4 Configuration Window ..... 63
Figure 3.5 Job Schedule Window ..... 64
Figure 3.6 Log Window ..... 65
Figure 4.1 Registry of the Local Machine ..... 66
Figure 4.2 Registry Extraction ..... 67
Figure 4.3 Selecting the keys ..... 68
Figure 4.4 Current value ..... 69
Figure 4.5 Changed Value ..... 70
Figure 4.6 Display change ..... 71
Figure 4.7 Current Value ..... 72
Figure 4.8 Display delete ..... 72
Figure 4.9(a) Null value ..... 73
Figure 4.9(b) Inserting a value ..... 74
Figure 4.10 Display Insert ..... 75
LIST OF TABLES
Table 1.1 Registry Supporting Files ..... 4
Table 1.2 Registry Data Types ..... 4
Table 1.3 Windows Vista Registry Hives ..... 25
Table 1.4 Extensions Used by Hive Supporting Files ..... 30
Table 1.5 Supporting files of the hives ..... 31
1. BACKGROUND AND RATIONALE
In the early days, systems were developed with only a small number of applications and their corresponding system settings in mind. After the release of Windows 3.1, things changed at a fast pace. In 1992 the maximum size of a hard drive was 80MB, while by 1994 it had increased to 400MB with the release of Windows 95 [Drew 2008]. Windows 3.1 was used commercially in organizations with one or two applications on each computer, while Windows 95 was used with a couple more. The disordered state of application settings in Windows 3.1 led to the introduction of .ini files [Drew 2008]. The .ini files store the settings of each individual application during the installation process. They are deployed explicitly to the user and the storage process is unconstrained; this accounts for optimization problems, and the files cannot be located on the hard drive.
The Windows registry was first introduced in Windows 95 but was not conventionally structured. Because Windows did not yet support multiple users, the registry structure consisted of barely four files. Windows NT was developed with networking mechanisms that support multiple users. This mechanism was extended in Windows 98 and Windows Me with minor changes. Registry cleaners were introduced in Windows 2000 and higher versions. The registry grew considerably with the development of Windows NT, although some of the issues remained unresolved.
1.1 Registry
The term registry is defined as a central hierarchical database used to store information that is necessary to configure the system for one or more users, applications and hardware devices [Farmer 2007]. It contains information that Windows continually references for all kinds of tasks, such as the applications installed on the computer, the documents recently accessed, property sheet settings for folders and application icons, the type of hardware, and the connected ports.
1.1.1 Hive
A hive is a collection of keys, subkeys and values in the registry [Joan 2010]. The hives
contain registry information pertaining to the system and user application settings such as
desktop environment, network connections, and printers. Hives are generally named by their
Windows API definitions which all begin with "HKEY".
1.1.2 Key
A key has a default value that may or may not contain data. The default value in each
key is called “Default” [Joan 2010]. A key contains additional folders called subkeys with one or
more values. This concept is similar to folders and subfolders in Windows Explorer.
1.1.3 Branch
A branch resides at the top of the registry and describes a key and all of its contents [Joan 2010]. A branch is a section, and its content appears within it. A value entry is an ordered pair with a name and a value; value entries are analogous to files in Windows Explorer. The following are the hives located in the registry [Herong 2008]:
• HKEY_CLASSES_ROOT (HKCR) stores information about all the applications that are registered on the system, including the file extensions and their association to an application, established using object classes.
• HKEY_CURRENT_USER (HKCU) stores settings associated with the current user. The HKCU key points to the subkey of HKEY_USERS that corresponds to that user.
• HKEY_LOCAL_MACHINE (HKLM) stores settings specific to the machine that are common to all users. Its subkeys are HARDWARE, SAM, SECURITY, SOFTWARE and SYSTEM.
• HKEY_USERS (HKU) contains information on the registered users; its subkeys are what the HKCU key points to.
• HKEY_CURRENT_CONFIG (HKCC) stores information obtained at runtime. This information is stored temporarily, as it is generated every time the system starts.
• HKEY_PERFORMANCE_DATA (HKPD) is an invisible key that provides performance data at runtime. The information is obtained from the kernel itself [Herong 2008].
Each registry hive has supporting files within which data is backed up. Table 1.1 shows
the supporting files of the registry hives. The type of data residing in the supporting file is
determined by their extensions.
Table 1.1 Registry Supporting Files [MS 2008]

Registry hive                      Supporting files
HKEY_LOCAL_MACHINE\SAM             Sam, Sam.log, Sam.sav
HKEY_LOCAL_MACHINE\Security        Security, Security.log, Security.sav
HKEY_LOCAL_MACHINE\Software        Software, Software.log, Software.sav
HKEY_LOCAL_MACHINE\System          System, System.alt, System.log, System.sav
HKEY_CURRENT_CONFIG                System, System.alt, System.log, System.sav, Ntuser.dat, Ntuser.dat.log
HKEY_USERS\DEFAULT                 Default, Default.log, Default.sav
The data types of the keys and subkeys are illustrated in Table 1.2; Windows operating systems make use of these data types. The maximum length of a value ranges from 255 characters in Windows 9x to 16,000 characters in newer versions of Windows [MS 2008]. Long values are stored in files. For efficient performance the size of a registry value is limited to 64k [MS 2008].
Table 1.2 Registry Data Types [MS 2008]

Name (Data type): Description

Binary Value (REG_BINARY): Raw binary data. Most hardware component information is stored as binary data and is displayed in Registry Editor in hexadecimal format.

DWORD Value (REG_DWORD): Data represented by a number that is 4 bytes long (a 32-bit integer). Many parameters for device drivers and services are this type and are displayed in Registry Editor in binary, hexadecimal, or decimal format. Related values are DWORD_LITTLE_ENDIAN (least significant byte is at the lowest address) and REG_DWORD_BIG_ENDIAN (least significant byte is at the highest address).

Expandable String Value (REG_EXPAND_SZ): A variable-length data string. This data type includes variables that are resolved when a program or service uses the data.

Multi-String Value (REG_MULTI_SZ): A multiple string. Values that contain lists or multiple values in a form that people can read are generally this type. Entries are separated by spaces, commas, or other marks.

String Value (REG_SZ): A fixed-length text string.

Binary Value (REG_RESOURCE_LIST): A series of nested arrays that is designed to store a resource list that is used by a hardware device driver or one of the physical devices it controls. This data is detected and written in the \ResourceMap tree by the system and is displayed in Registry Editor in hexadecimal format as a Binary Value.

Binary Value (REG_RESOURCE_REQUIREMENTS_LIST): A series of nested arrays that is designed to store a device driver's list of possible hardware resources the driver or one of the physical devices it controls can use. The system writes a subset of this list in the \ResourceMap tree. This data is detected by the system and is displayed in Registry Editor in hexadecimal format as a Binary Value.

Binary Value (REG_FULL_RESOURCE_DESCRIPTOR): A series of nested arrays that is designed to store a resource list that is used by a physical hardware device. This data is detected and written in the \HardwareDescription tree by the system and is displayed in Registry Editor in hexadecimal format as a Binary Value.

None (REG_NONE): Data without any particular type. This data is written to the registry by the system or applications and is displayed in Registry Editor in hexadecimal format as a Binary Value.

Link (REG_LINK): A Unicode string naming a symbolic link.

QWORD Value (REG_QWORD): Data represented by a number that is a 64-bit integer. This data is displayed in Registry Editor as a Binary Value and was introduced in Windows 2000.
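As an added example, not part of the original project or its WIRECHADE tool, the following Python decoder turns raw value data of the types listed in Table 1.2 into the form Registry Editor would display, and additionally reports bytes that sit after a string value's terminator, which Registry Editor does not show but an examiner of an extracted hive would want flagged. The type codes are those defined in the Windows SDK (winnt.h); the sample values and the environment-variable map are constructed for the demonstration.

```python
import re
import struct

# Registry value type codes as defined in the Windows SDK (winnt.h).
REG_NONE = 0
REG_SZ = 1
REG_EXPAND_SZ = 2
REG_BINARY = 3
REG_DWORD = 4                       # little-endian, the default on x86/x64
REG_DWORD_BIG_ENDIAN = 5
REG_LINK = 6
REG_MULTI_SZ = 7
REG_RESOURCE_LIST = 8
REG_FULL_RESOURCE_DESCRIPTOR = 9
REG_RESOURCE_REQUIREMENTS_LIST = 10
REG_QWORD = 11

TYPE_NAMES = {
    REG_NONE: "REG_NONE", REG_SZ: "REG_SZ", REG_EXPAND_SZ: "REG_EXPAND_SZ",
    REG_BINARY: "REG_BINARY", REG_DWORD: "REG_DWORD",
    REG_DWORD_BIG_ENDIAN: "REG_DWORD_BIG_ENDIAN", REG_LINK: "REG_LINK",
    REG_MULTI_SZ: "REG_MULTI_SZ", REG_RESOURCE_LIST: "REG_RESOURCE_LIST",
    REG_FULL_RESOURCE_DESCRIPTOR: "REG_FULL_RESOURCE_DESCRIPTOR",
    REG_RESOURCE_REQUIREMENTS_LIST: "REG_RESOURCE_REQUIREMENTS_LIST",
    REG_QWORD: "REG_QWORD",
}

STRING_TYPES = (REG_SZ, REG_EXPAND_SZ, REG_LINK)


def expand_env(text, env):
    """Resolve %NAME% references against an explicit map with upper-cased keys.
    An explicit map is used instead of os.environ so that a hive taken from
    another machine is interpreted with that machine's variables, not ours."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), text)


def decode_value(vtype, raw, env=None):
    """Return the value as Registry Editor would present it for the given type."""
    if vtype in STRING_TYPES:
        # UTF-16LE, NUL terminated; the editor stops at the first NUL.
        text = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        if vtype == REG_EXPAND_SZ and env is not None:
            text = expand_env(text, env)
        return text
    if vtype == REG_MULTI_SZ:
        # A run of NUL-terminated strings closed by an extra NUL.
        text = raw.decode("utf-16-le", errors="replace")
        return [s for s in text.split("\x00") if s]
    if vtype in (REG_DWORD, REG_DWORD_BIG_ENDIAN):
        if len(raw) != 4:
            raise ValueError(f"REG_DWORD needs 4 bytes, got {len(raw)}")
        order = "<" if vtype == REG_DWORD else ">"
        return struct.unpack(order + "I", raw)[0]
    if vtype == REG_QWORD:
        if len(raw) != 8:
            raise ValueError(f"REG_QWORD needs 8 bytes, got {len(raw)}")
        return struct.unpack("<Q", raw)[0]
    # REG_BINARY, REG_NONE and the resource-list types: a hex dump, as the editor shows them.
    return raw.hex(" ")


def slack_after_terminator(vtype, raw):
    """Bytes stored after the first UTF-16 NUL of a string value. Registry Editor
    never displays them, so they are worth flagging during hive analysis."""
    if vtype not in STRING_TYPES:
        return b""
    for off in range(0, len(raw) - 1, 2):
        if raw[off:off + 2] == b"\x00\x00":
            return raw[off + 2:]
    return b""


def summarize(values, env):
    """Decode (name, type, raw) triples into (name, type name, shown, slack bytes) rows."""
    rows = []
    for name, vtype, raw in values:
        rows.append((name, TYPE_NAMES[vtype], decode_value(vtype, raw, env),
                     len(slack_after_terminator(vtype, raw))))
    return rows


# Constructed sample values, shaped like the entries found under a service key.
SAMPLE_ENV = {"SYSTEMROOT": "C:\\Windows"}
SAMPLE_VALUES = [
    ("ImagePath", REG_EXPAND_SZ, "%SystemRoot%\\system32\\example_service.exe\0".encode("utf-16-le")),
    ("Start", REG_DWORD, b"\x02\x00\x00\x00"),
    ("StartBigEndian", REG_DWORD_BIG_ENDIAN, b"\x00\x00\x00\x02"),
    ("DependOnService", REG_MULTI_SZ, "Tcpip\0Afd\0\0".encode("utf-16-le")),
    ("InstallDate", REG_QWORD, struct.pack("<Q", 0x01D0A7D2E3B4C5F6)),
    ("Description", REG_SZ, "Sample service\0".encode("utf-16-le") + b"\xde\xad\xbe\xef"),
    ("Security", REG_BINARY, b"\x01\x00\x04\x80"),
]

if __name__ == "__main__":
    for name, tname, shown, slack in summarize(SAMPLE_VALUES, SAMPLE_ENV):
        flag = f"  <-- {slack} byte(s) after terminator" if slack else ""
        print(f"{name:16} {tname:22} {shown!r}{flag}")
```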
1.2 Registry Editor
Registry Editor is a tool in the Windows operating systems for viewing and modifying the registry. It displays the registry in a tree structure. The tool can be opened from Run by typing "regedit". It provides advanced search options for keys, subkeys, and values. The registry can also be stored in a physical location by exporting it. Figure 1.1 illustrates the structure of Registry Editor.
Figure 1.1 The Registry Editor [Edward 2010]
To perform an analysis of the registry, an investigator needs an in-depth knowledge of the structure of the registry and how it works.
1.3 Windows 9x Registry
Windows 9x includes Windows 95, Windows 98 and Windows ME (Windows Millennium Edition). Microsoft Windows operating systems based on the Windows 95 kernel contain five files within which the registry is stored. These files are located in the Windows directory "C:\Windows" [EDS 2010]. SYSTEM.DAT and USER.DAT are the two main files in Windows 95 and Windows 98, while Windows ME has three main files: SYSTEM.DAT, USER.DAT and CLASSES.DAT. The two backup files are SYSTEM.DA0 and USER.DA0 [EDS 2010].
• SYSTEM.DAT
This is the main registry system file. It is a hidden file stored in the Windows directory. It stores information about the software, hardware, security, Windows settings and performance of Windows [EDS 2010]. The two hives HKEY_CLASSES_ROOT and HKEY_LOCAL_MACHINE store this information.
• USER.DAT
The user specific information is stored in USER.DAT. The hive HKEY_CURRENT_USER
provides hardware and software settings of a particular user such as logon names, desktop
settings, and Start menu settings [EDS 2010]. If a system has multiple users accessing it, each
user has his own USER.DAT file which the operating system loads as he logs in. This file is
also located in the windows directory.
• CLASSES.DAT
As the size of the registry grew, SYSTEM.DAT alone was no longer sufficient. Due to the limitations of SYSTEM.DAT, Windows ME divided the registry system file into two files, SYSTEM.DAT and CLASSES.DAT [EDS 2010]. Windows ME is the only version which uses CLASSES.DAT; it holds the part of the registry system file stored under HKEY_CLASSES_ROOT.
• SYSTEM.DA0
Windows automatically creates a backup file SYSTEM.DA0 of the SYSTEM.DAT.
Whenever a System reboots in the unsafe mode, this file is created in the windows directory. It
stores the software and hardware specific information from the last successful startup.
• USER.DA0
Windows also creates a backup of the user-specific settings, known as USER.DA0. This is also a hidden file in the Windows directory which backs up or recovers the settings when the system is turned on.
1.3.1 Windows 95 Registry
The registry in Windows 95 stores the settings of the system hierarchically in a unified database, combining the settings of memory configuration, hardware devices and network devices. The structure of the registry is similar to the .ini files of Windows 3.x, but the difference is that keys in the registry have subkeys. The values in .ini files consist of strings, while the values in the registry may consist of binary data as well. Despite the limitations, Windows 95 still supports .ini files, as some Windows applications are only compatible with .ini files. Other files such as AUTOEXEC.BAT and CONFIG.SYS are also supported by Windows 95 for the components that are compatible with them [Joan 2010].
Benefits of the Registry
The registry provides recovery of the configuration settings when the system fails, as it contains the data used to configure the applications, the system's hardware and the device drivers. It provides manual configuration through the Control Panel tools, an option that minimizes errors in the configuration settings. Remote examination of the system is also possible with the functions supported by the registry. The registry maintains user-specific settings such as desktop and network access settings when the system has multiple users. This information is also stored in the central database of the network, which allows users to access their profiles on any computer connected to the network. In business organizations, the registry can be used to apply company system policies to employees' computers.
Components of the Registry:
As the system starts, the configuration settings are checked by the operating system, as shown in Figure 1.2.
Figure 1.2 Components of Windows 95 Registry [Joan 2010]
The following are the components and applications of Windows 95 which use the registry:
• Hardware Configuration data
While setting up Windows 95 on the system, the hardware devices connected to the system
are detected and the configuration data is added to the registry. This is done by the configuration
manager as the hardware setup starts.
• Windows version data
When Windows 95 is set up on a system that already has another version of Windows, the system settings stored in the INI files are transferred to the registry. Changes made to the settings after the installation are reflected in the registry.
• Plug and Play
The configuration data of the devices based on plug and play is added to the registry
whenever a device is added or removed from the system.
• Device Drivers
Whenever a device is added or removed the registry is updated with the configuration
data and the load parameters of the device drivers.
• Administrative tools
The control panel of the operating systems allows users or administrators to maintain the
configuration data. The information can also be changed in the registry editor but it is mostly
used to view the configuration data.
Structure of the registry:
The Windows 95 registry structure is a database which provides system specific settings
such as hardware and software settings and the user specific settings such as user’s desktop,
software and hardware preferences.
Figure 1.3 Structure of a Windows 95 registry [Joan 2010]
Figure 1.3 shows that the contents of the registry are stored in six keys. The information related to the system, such as the hardware and software installed, is provided by HKEY_LOCAL_MACHINE. This information is the configuration data of the system contributed by the operating system, applications and device drivers. Plug and Play updates the hardware information in the registry, while standard APIs can show the software installed.
The HKEY_DYN_DATA key links to the subkey of HKEY_LOCAL_MACHINE which provides the status of the Plug and Play devices, including the hardware key. This key keeps updating as devices are added or removed.
Registry Value
Each key has value entries. A value entry is divided into three parts: the name, its value and the data type. The maximum size of a value is 64kb [Joan 2010]. The available size of the registry depends on the size of the hard disk. The two data types of a value entry are binary data and text data, which consists of a sequence of characters.
1.3.2 Windows 98 Registry
The registry in Windows 98 is faster than the registry in Windows 95. It has become more robust by fixing the problems within the registry that provide the management features of the system and network. The memory configuration, hardware devices and network components can be configured with the information available in the registry.
The registry also keeps track of all Plug and Play compatible devices, non-Plug and Play devices and Advanced Configuration & Power Interface (ACPI) based devices and their resources, such as memory allocation, memory accesses, I/O addresses and interrupt requests [Joan 2010]. Device Manager in Windows 98 allows a user to view the configured devices, their properties and their resources on the system. It also resolves resource conflict issues. The per-configuration method is used by the registry to store information on the Windows settings. The INI files, Autoexec.bat and Config.sys are used to support some applications [Joan 2010].
Benefits of the registry
The overall performance of the system is increased in Windows 98 as the registry does not use more real-mode and protected-mode memory. The time taken to search for a registry value is also reduced by the improved caching method. The Registry Checker is run automatically by the operating system to identify and solve registry problems as soon as Windows starts up. When a problem occurs, it restores the registry from one of the five backups it saves, one each day as the computer starts up.
The size of the registry file is minimized by removing unused space, resulting in increased overall system performance. The registry on remote computers can be examined with a set of functions that are independent of the network. The size of a registry key is no longer limited to 64kb as it was in Windows 95. The registry maintains user-specific settings such as desktop and network access settings when the system has multiple users. This information is also stored in the central database of the network, which allows users to access their profiles on any computer connected to the network.
Registry files
The registry is stored in three files so the flexibility of the network configuration is maximum.
• User.dat
The information specific to the user such as a user profile, user privileges and user desktop
settings is stored in the user.dat file. It is a hidden file stored in the windows directory. The file is
also stored on the central network server which allows users to have their own settings when they
log on to any computer in the network. This allows multiple users to share the same computer.
The file is copied from a network server to a local computer when the user logs on.
• System.dat
This is also a hidden file in the Windows directory; it is used to store computer hardware settings, application settings and Plug and Play compatible devices.
• Policy.pol
This component is not a mandatory file, but it contains the system policies. It disables settings in the user and system files. A Policy.pol file created globally on the network allows network administrators to manage all the users' privileges in the network, such as common desktop settings. Similarly, each user in the network
Components of a Registry
The Windows 98 operating system checks the registry for configuration information and also stores it as Windows starts up. The components that access and store configuration information in the registry during startup are similar to the components of Windows 95, as shown in Figure 1.4.
Figure 1.4 Components of Windows 98 Registry [Joan 2010]
• Hardware configuration data
While Windows 95 is being set up on the system, the hardware devices connected to the system are detected and the configuration data is added to the registry. This is done by the Configuration Manager as the hardware setup starts.
• Windows version data
While Windows 95 is being set up on a system that already has another version of Windows, the system settings stored in the .ini files are moved to the registry. Changes made to the settings after installation are recorded in the registry.
• Plug and Play
The configuration data of Plug and Play devices is added to the registry whenever a device is added to or removed from the system.
• Device drivers
Whenever a device is added or removed, the registry is updated with the configuration data and the load parameters of the device drivers.
• Administrative tools
The Control Panel of the operating system allows users or administrators to maintain the configuration data. The information can also be changed in the Registry Editor, but it is used mostly to view the configuration data.
Registry Structure
The structure of a registry contains three main blocks: the keys, their values and their data. Each key contains subkeys whose names are made up of characters, symbols and letters. Figure 1.5 shows the Windows 98 registry structure.
Figure 1.5 Windows 98 Registry Structure [Joan 2010]
The HKEY_CURRENT_CONFIG key provides the configuration information about the hardware device currently in use out of the several hardware devices attached. Plug and Play places this information in the registry. If the computer is connected to a network, it provides information about the configuration that needs to be used. This information can be viewed by users in the System options of the Control Panel. Each configuration is identified with a unique configuration ID. The ID has subkeys that are used by the system as Windows starts up. New configuration IDs are added as new hardware devices are added to the system [Joan 2010].
1.4 Windows NT Registry
The registry in Windows NT is considered a central database which stores the
configuration information. The configuration files of MS-DOS and LAN Manager are .ini, .com
& .sys [Joan 2010]. These files are replaced by the registry.
Registry Components
Figure 1.6 shows the components that use Windows NT Registry.
Figure 1.6 Windows NT registry components [Joan 2010]
• Setup
The configuration data in the registry is added by the setup programs. Setup not only adds
information to the registry but it also monitors the information to make sure all the components
have been installed without any error.
• Recognizer
Windows NT contains a Hardware Recognizer which adds hardware configuration information, such as the list of hardware devices, to the registry as Windows starts up. The Hardware Recognizer, together with the Windows NT Kernel programs, is used to detect the hardware devices on 32-bit based computers.
• Windows NT Kernel
The information related to the device drivers that are to be loaded and the order in which
they are loaded is extracted by the Windows NT Kernel as windows start up. This information
can also be added to the registry by the Ntoskrnl.exe program.
• Device drivers
The registry sends and receives information about the load parameters of the device drivers. This information is added to the registry as each device driver reports the system resources it uses. This allows users to install and configure programs easily by accessing the information from the registry.
• Administrative tools
Users can modify the configuration data using the options and administrative tools in Windows NT.
Registry Structure
The registry subkeys are specific to a computer and a database. The configuration settings are stored distinctly for each computer. The settings include user profiles and the installed software and hardware settings in the user environment. Figure 1.7 illustrates the structure of the registry.
Figure 1.7 Windows NT registry structure [Joan 2010]
1.5 Windows 2000 Registry
The Windows 2000 registry is the centralized database for the applications and services of the operating system. The Control Panel applets, Global Policy, Microsoft Management Console and the command-line tools provide a user-friendly interface to modify the registry indirectly and prevent registry misconfiguration issues. Windows Script Host is also an interface for modifying the registry, but it has limited functionality. It is confined to the local machine, while the Registry Provider provides support on a remote machine. The Registry Provider supports most of the capabilities of working with the registry [Joan 2010].
Registry Structure
Regedit.exe and Regedt32.exe are the two registry editors provided in Windows 2000 for working with the registry [Joan 2010]. The two editors provide different information and functionality on the system. The search functionality is provided by Regedit.exe, while the privileges/permissions to access the registry are managed by Regedt32.exe. Figure 1.8 shows the structure of Regedit.exe and Figure 1.9 shows Regedt32.exe.
Figure 1.8 Windows 2000 Regedit [Daniel 2009]
Figure 1.9 Windows 2000 Regedt32 [Daniel 2009]
Although the default entry for keys and subkeys is added automatically, it can be modified by the Registry Provider. The source files of the registry are located in the folder systemroot\System32\config [Joan 2010]. The performance-related registry values are hidden from the user, as configuring these files results in degradation of the overall performance of the computer. Windows 2000 also allows the registry structure to be displayed using scripts that are executed under CScript [Joan 2010] on Windows 2000 systems. These scripts make use of the Registry Provider, which allows access by assigning the hexadecimal values of the registry entries to constants and the data types to integers.
1.6 Windows XP Registry
The Windows XP registry has a complex structure that frames the configuration data of the system. The complex structure is due to the repetitions and obscurities of the registry entries. The registry also has several hidden capabilities. From Windows XP onwards the only registry editor that exists is Regedit, which allows viewing and editing of the Windows registry.
Figure 1.10 Windows XP Registry Structure [Mike 2004]
The five main branches of the Windows XP registry are shown in Figure 1.10. Data stored in the registry is divided into these five branches within keys and subkeys. The HKEY_CLASSES_ROOT key provides information required for the internal functions of the system, such as OLE (Object Linking and Embedding, the ability to copy and paste between different programs and documents) and drag-and-drop [Mike 2004]. The users in HKCU are identified by the Security Identifier (SID), a unique value assigned to each user at the time of creation. There are five data types for the registry values. REG_DWORD uses a 4-byte hexadecimal value to represent the data; a DWORD is called a switch value as it holds either '1' or '0'. REG_SZ is a string, which can be a word, a number or the location of a file. Multiple string values are represented by REG_MULTI_SZ and variable string values by REG_EXPAND_SZ. The binary value represented by REG_BINARY cannot be modified, as it contains hardware information.
1.7 Windows Vista Registry
The Windows Vista registry is a collection of all the configurable settings, replacing all those ancient .ini files, and a database for Group Policy settings [Guy 2010]. The only available tool for viewing and modifying the registry is regedit. The Run command also accepts the name regedt32, but it eventually directs to regedit. The search capability of the registry editor does not support wildcard searching. The layout of the registry structure is the same as that of the Windows 2000/XP registry structure. Table 1.3 illustrates the registry hives.
Table 1.3 Windows Vista Registry Hives [Guy 2010]
Registry Folder or Hive: What it contains
HKEY_LOCAL_MACHINE: Holds configuration settings for the computer (no matter which user logs on). Can be abbreviated to 'HKLM'.
HKEY_USERS: Contains all the actively loaded user profiles on the computer. More often than not, you would configure the subfolder under HKEY_CURRENT_USER which corresponds to a particular user.
Subsets of Main Hives
HKEY_CLASSES_ROOT: HKCR is an alias of HKEY_LOCAL_MACHINE\Software. These settings ensure that the correct program opens when Windows Explorer is launched. This information is stored under both the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER keys. The HKEY_LOCAL_MACHINE\Software\Classes key contains default settings that can apply to all users on the local computer. The HKEY_CURRENT_USER\Software\Classes key contains settings that override the default settings and apply only to the interactive user.
HKEY_CURRENT_CONFIG: Contains settings which control the hardware profile that is used by the computer at startup.
HKEY_CURRENT_USER: Contains the settings for the user who is currently logged on. HKCU for short.
1.8 Windows 7 Registry
Windows 7 relies on the Registry Editor tool to view and modify the registry settings. The user credentials need to be entered in the User Account Control dialog box to access the Registry Editor. Figure 1.11 shows the Registry Editor window.
Figure 1.11 Windows 7 Registry [Paul 2009]
The following are the columns in the right pane of the Registry Editor.
• Name
The Name column contains the name of each setting in the key that is currently selected.
• Data
This column displays the value of each setting.
• Type
The registry has six data types: REG_SZ, REG_MULTI_SZ, REG_EXPAND_SZ, REG_DWORD, REG_QWORD and REG_BINARY.
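The six value types above are stored as raw bytes in the hive files, and an investigator reading them in a hex viewer has to know how each type is laid out. The decoder below is an added example written for this page, not code from the project or from any tool; the numeric REG_* type codes are the Windows SDK constants (the page lists only the names), and the sample values are constructed.

```python
import struct

# Numeric type codes as defined in the Windows SDK (winnt.h); the page lists the
# type names only, the codes are supplied here.
REG_SZ = 1
REG_EXPAND_SZ = 2
REG_BINARY = 3
REG_DWORD = 4
REG_MULTI_SZ = 7
REG_QWORD = 11

TYPE_NAMES = {
    REG_SZ: "REG_SZ", REG_EXPAND_SZ: "REG_EXPAND_SZ", REG_BINARY: "REG_BINARY",
    REG_DWORD: "REG_DWORD", REG_MULTI_SZ: "REG_MULTI_SZ", REG_QWORD: "REG_QWORD",
}


def decode_value(vtype: int, raw: bytes):
    """Turn the raw bytes of a registry value into a Python object.

    Strings are stored as UTF-16LE with a terminating NUL; REG_MULTI_SZ is a run
    of NUL-terminated strings closed by an extra NUL; DWORD and QWORD are
    little-endian unsigned integers; REG_BINARY is returned as a hex string.
    """
    if vtype in (REG_SZ, REG_EXPAND_SZ):
        # Stop at the first NUL: some writers leave trailing bytes after it.
        return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    if vtype == REG_DWORD:
        if len(raw) != 4:
            raise ValueError(f"REG_DWORD must be 4 bytes, got {len(raw)}")
        return struct.unpack("<I", raw)[0]
    if vtype == REG_QWORD:
        if len(raw) != 8:
            raise ValueError(f"REG_QWORD must be 8 bytes, got {len(raw)}")
        return struct.unpack("<Q", raw)[0]
    if vtype == REG_MULTI_SZ:
        text = raw.decode("utf-16-le", errors="replace")
        return [s for s in text.split("\x00") if s]
    if vtype == REG_BINARY:
        return raw.hex()
    raise ValueError(f"unsupported registry value type {vtype}")


def describe_value(name: str, vtype: int, raw: bytes) -> str:
    """One line in the style of the Name / Type / Data columns of the Registry Editor."""
    return f"{name} ({TYPE_NAMES.get(vtype, vtype)}) = {decode_value(vtype, raw)!r}"


# Constructed sample values (not taken from any real hive).
SAMPLE_VALUES = [
    ("Start", REG_DWORD, bytes.fromhex("01000000")),  # switch value: 1 = on
    ("Path", REG_EXPAND_SZ, "%SystemRoot%\\system32\x00".encode("utf-16-le")),
    ("Layers", REG_MULTI_SZ, "first\x00second\x00\x00".encode("utf-16-le")),
    ("Size", REG_QWORD, (1 << 40).to_bytes(8, "little")),
    ("Blob", REG_BINARY, bytes.fromhex("deadbeef")),
]


def decode_samples() -> dict:
    """Decode every constructed sample value; used by the demo below and by tests."""
    return {name: decode_value(vtype, raw) for name, vtype, raw in SAMPLE_VALUES}


if __name__ == "__main__":
    for name, vtype, raw in SAMPLE_VALUES:
        print(describe_value(name, vtype, raw))
```

The length checks on REG_DWORD and REG_QWORD matter in practice: a value whose type says DWORD but whose data is not 4 bytes is something an examiner should notice rather than silently coerce.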
The following is the description of the hives of the Windows 7 registry.
• HKEY_CLASSES_ROOT
This key provides information about file extensions, the programs that create files with these extensions and the objects of Windows 7 [Paul 2009]. The key also stores the installed applications, their interface capabilities and their shortcuts. The first few subkeys are for the file extensions, such as .doc for Word document files and .png for image files. The default value gives the registered file type name for the extension; for example, Paint.Picture is the default value of the .bmp extension. The later part of the HKCR key contains the registered file types, their settings and the actions performed on them. The key is a replication of the HKEY_LOCAL_MACHINE\Software\Classes key [Paul 2009]. Figure 1.12 shows an example of the subkey for a file type.
Figure 1.12 Subkey of a registered file type [Paul 2009]
The registry replicates this key for ease of access and better compatibility of programs.
• HKEY_CURRENT_USER
This key contains data specific to the user who is currently logged in, such as Control Panel features, applications, printer and network connections, and so on. The group policies and settings established for a user account are stored in the SID subkey [Paul 2009]. The following are the subkeys of HKEY_CURRENT_USER.
o AppEvents consists of the audio files that play automatically when a system event occurs
o Control Panel consists of settings pertaining to the icons in the Control Panel
o Keyboard Layout consists of the keyboard layout of the system
o Network consists of settings specific to the network drives mapped to the system
o Software consists of settings pertaining to the user, such as installed applications and Windows
• HKEY_LOCAL_MACHINE
It contains settings that are not related to user configuration but to software applications and system hardware. The three important subkeys in this key are
o Hardware, which has subkeys specific to serial ports, the floating-point processor and modems.
o Software, which has the settings of the installed applications.
o System, which has settings related to Windows startup programs.
• HKEY_USERS
It contains the settings that are stored within HKEY_CURRENT_USER. It stores user settings along with their defined group policies and the default settings for new user profiles.
• HKEY_CURRENT_CONFIG
It contains the settings of the hardware currently in use. If the computer has a single hardware profile, the key maps to the subkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001, while for multiple hardware profiles it maps to HKEY_LOCAL_MACHINE\SYSTEM\ControlSetnnn [Paul 2009]. Table 1.4 illustrates the extensions used by the supporting files of the Windows 7 hives.
Table 1.4 Extensions Used by Hive Supporting Files [Paul 2009]
None: A complete copy of the hive data.
.log1: A log of the changes made to the hive data.
.log, .log2: These files are created during the
Table 1.5 shows the supporting files of the hives. The ntuser.dat file contains the hive data and the ntuser.dat.log1 file tracks the hive changes [Paul 2009].
Table 1.5 Supporting files of the hives [Paul 2009]
HKLM\BCD00000000: %SystemRoot%\System32\config\BCD-Template, %SystemRoot%\System32\config\BCD-Template.LOG
HKLM\COMPONENTS: %SystemRoot%\System32\config\COMPONENTS, %SystemRoot%\System32\config\COMPONENTS.LOG, %SystemRoot%\System32\config\COMPONENTS.LOG1, %SystemRoot%\System32\config\COMPONENTS.LOG2
HKLM\SAM: %SystemRoot%\System32\config\SAM, %SystemRoot%\System32\config\SAM.LOG, %SystemRoot%\System32\config\SAM.LOG1, %SystemRoot%\System32\config\SAM.LOG2
HKLM\SECURITY: %SystemRoot%\System32\config\SECURITY, %SystemRoot%\System32\config\SECURITY.LOG, %SystemRoot%\System32\config\SECURITY.LOG1, %SystemRoot%\System32\config\SECURITY.LOG2
HKLM\SOFTWARE: %SystemRoot%\System32\config\SOFTWARE, %SystemRoot%\System32\config\SOFTWARE.LOG, %SystemRoot%\System32\config\SOFTWARE.LOG1, %SystemRoot%\System32\config\SOFTWARE.LOG2
HKLM\SYSTEM: %SystemRoot%\System32\config\SYSTEM, %SystemRoot%\System32\config\SYSTEM.LOG, %SystemRoot%\System32\config\SYSTEM.LOG1, %SystemRoot%\System32\config\SYSTEM.LOG2
HKU\.DEFAULT: %SystemRoot%\System32\config\DEFAULT, %SystemRoot%\System32\config\DEFAULT.LOG, %SystemRoot%\System32\config\DEFAULT.LOG1, %SystemRoot%\System32\config\DEFAULT.LOG
2. NARRATIVE
An investigator needs to have a good understanding of the registry keys as they provide
significant and valuable information to perform a Registry examination. The keys related to
system configuration, storage devices attached to the computer, resources and device drivers
loaded when the system starts, user profiles, installed software and shortcuts provide important
information. An investigator must be able to read hexadecimal values and convert them to
readable text. Following are the registry keys in Windows 7 that are important to an investigator.
2.1 Last Write Time of a File
All registry keys have a value associated with them which gives the last modification time, known as the LastWrite time. The LastWrite time is updated whenever a key has been created, modified, accessed, or deleted. Figure 2.1 shows the LastWrite time of the keys [Adrian 2009].
Figure 2.1 Last Write Time [Adrian 2009]
2.2 AutoRun locations
The AutoRun locations usually contain the paths of programs or components that are run automatically during system startup, and programs such as malware usually leave traces here when the system reboots. The locations are HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Adrian 2009]. Figure 2.2(a) shows the startup programs of the local machine and Figure 2.2(b) shows the startup programs specific to the current user.
Figure 2.2(a) System start up programs [Adrian 2009]
Figure 2.2(b) Current user start up programs [Adrian 2009]
2.3 Files & Folders opened via Common Dialog boxes
The list of files recently opened or saved via the typical Windows Explorer common dialog boxes, such as the Open dialog box and the Save dialog box, is found in the location HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU, which has subkeys by file extension as shown in Figure 2.3(a) [Adrian 2009]. These files are opened/saved when the common file Save/Open dialog comes up. The location HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU provides the recent folders used to open or save files, as shown in Figure 2.3(b) [Adrian 2009].
Figure 2.3(a) ComDlg32 recently opened/saved files [Adrian 2009]
Figure 2.3 (b) ComDlg32 recently opened/saved folders [Adrian 2009]
2.4 Recent Documents
The location HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs maintains a list of the files recently executed or opened through Windows Explorer [Adrian 2009]. The key contains the recently opened files and the corresponding folders. These files/folders are organized according to file extension under respective subkeys, as shown in Figure 2.4.
Figure 2.4 Recent Documents
2.5 User Assist Key
The UserAssist key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist has subkeys with long hexadecimal globally unique identifiers (GUIDs) [Adrian 2009]. The values of the subkeys are the programs and applications accessed on the system, such as Control Panel applets, etc. Figure 2.5(a) shows the subkeys.
Figure 2.5(a) User Assist keys [Adrian 2009]
The values within the subkeys are encoded using the ROT-13 substitution cipher. This encoding is quick and easy to decipher, for example with an online ROT-13 decoder. Figure 2.5(b) shows the decoded text of the notepad entry.
Figure 2.5(b) ROT-13 Decoder [Adrian 2009]
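ROT-13 decoding is simple enough to script, and the same script can turn the raw value data into something readable. The block below is an added example written for this page, not the author's or any tool's code. It assumes the Windows 7 UserAssist value layout as documented in public analyses of the key (run count at offset 4, focus count at offset 8 and last-run FILETIME at offset 60 of a 72-byte entry), which the page does not describe, and it also converts FILETIME values, the same 64-bit format in which the LastWrite time of section 2.1 is stored. The value name and data are constructed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC).

    Registry key LastWrite timestamps and UserAssist last-run times use this
    format; Python datetimes stop at microseconds, so the last digit is dropped.
    """
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def decode_userassist_name(name: str) -> str:
    """UserAssist value names are ROT-13 encoded; the cipher is its own inverse."""
    return codecs.decode(name, "rot_13")


def parse_userassist_data(data: bytes) -> dict:
    """Parse a Windows 7 UserAssist value (72 bytes).

    Assumed layout, taken from public analyses of the key rather than from the
    page: run count at offset 4, focus count at offset 8, last-run FILETIME at
    offset 60.
    """
    if len(data) != 72:
        raise ValueError(f"expected a 72-byte Windows 7 entry, got {len(data)}")
    run_count = struct.unpack_from("<I", data, 4)[0]
    focus_count = struct.unpack_from("<I", data, 8)[0]
    last_run_ft = struct.unpack_from("<Q", data, 60)[0]
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        # A zero FILETIME carries no timestamp, so report it as unknown.
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


def describe_entry(name: str, data: bytes) -> dict:
    """Decoded program path plus the parsed counters, as an investigator would tabulate it."""
    entry = {"program": decode_userassist_name(name)}
    entry.update(parse_userassist_data(data))
    return entry


# Constructed sample: the known-folder GUID for System32 followed by notepad.exe,
# ROT-13 encoded, with a 72-byte data blob saying 7 runs, last run 2010-01-01.
SAMPLE_NAME = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\abgrcnq.rkr"
SAMPLE_FILETIME = 129067776000000000  # 2010-01-01 00:00:00 UTC
SAMPLE_DATA = (struct.pack("<IIII", 0, 7, 3, 1500)  # session, run count, focus count, focus time
               + bytes(44)                           # ten floats plus 4 unknown bytes
               + struct.pack("<Q", SAMPLE_FILETIME)
               + bytes(4))

if __name__ == "__main__":
    print(describe_entry(SAMPLE_NAME, SAMPLE_DATA))
```

Decoding the name alone says which program ran; the counters say how often and when, which is usually the question an investigator is actually asking.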
2.6 Last key edited by regedit
The location HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit gives the key that was most recently edited via regedit [Adrian 2009]. Figure 2.6 displays the last key edited in the regedit tool.
Figure 2.6 Last Edited Key [Adrian 2009]
2.7 Last logged on user
The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key provides the details of the user who most recently logged into the system [Adrian 2009].
Figure 2.7 Last Logged on user [Adrian 2009]
2.8 List of Installed USB devices, both connected and unconnected
The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB key lists the USB devices that have been connected to the system [Adrian 2009]. It gives the device's vendor and serial number, as shown in Figure 2.8.
Figure 2.8 USB Devices [Adrian 2009]
2.9 List of installed USB storage devices
The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR key contains the entries for installed USB storage devices [Adrian 2009]. It stores the product and device ID values of any USB storage device that was connected to the system, as shown in Figure 2.9.
Figure 2.9 USB Storage Devices [Adrian 2009]
2.10 Mounted Devices
The drives associated with the system are found in HKLM\SYSTEM\MountedDevices, which stores a database of mounted volumes that is used by the NTFS file system [Adrian 2009]. The binary data for each \DosDevices\x: value contains information for identifying each volume, as demonstrated in Figure 2.10.
Figure 2.10 Mounted Devices [Adrian 2009]
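To read the \DosDevices\x: data without a hex viewer, the following parser is added here as an example; it is not code from the page or from any tool. It assumes the documented layouts of MountedDevices data, which the page does not spell out: a 12-byte entry for MBR volumes (disk signature plus partition offset), a 'DMIO:ID:' prefix plus partition GUID for GPT volumes, and a UTF-16LE device interface path for USB or removable devices, whose serial number can be matched against the USBSTOR entries of section 2.9. The sample key contents are constructed.

```python
import re
import struct
import uuid
from typing import Dict

# Device interface class GUID for disks (GUID_DEVINTERFACE_DISK); the USB
# device paths stored in MountedDevices end with it.
DISK_INTERFACE_GUID = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"


def parse_mounted_device(raw: bytes) -> dict:
    """Interpret the binary data of one MountedDevices value.

    Assumed layouts (from public hive analyses, not from the page):
      * 12 bytes            -> MBR disk signature (4, LE) + partition byte offset (8, LE)
      * b'DMIO:ID:' + 16 B  -> GPT partition GUID in the mixed-endian form Windows uses
      * anything else       -> UTF-16LE device interface path (USB / removable media)
    """
    if len(raw) == 12:
        signature, offset = struct.unpack("<IQ", raw)
        return {"kind": "mbr", "disk_signature": f"{signature:08X}",
                "partition_offset": offset}
    if raw.startswith(b"DMIO:ID:") and len(raw) == 24:
        return {"kind": "gpt", "partition_guid": str(uuid.UUID(bytes_le=raw[8:]))}
    path = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    info = {"kind": "device", "path": path}
    # _??_USBSTOR#<device id>#<serial>&<instance>#{interface guid}
    m = re.match(r"^(?:_\?\?_|\\\?\?\\)USBSTOR#([^#]+)#([^#]+)#", path)
    if m:
        device_id, instance = m.groups()
        fields = dict(part.split("_", 1) for part in device_id.split("&") if "_" in part)
        info.update({
            "vendor": fields.get("Ven"),
            "product": fields.get("Prod"),
            "revision": fields.get("Rev"),
            "serial": instance.split("&")[0],  # same string as the USBSTOR instance key name
        })
    return info


def parse_all(values: Dict[str, bytes]) -> Dict[str, dict]:
    """Parse every value of the key (\\DosDevices\\X: and \\??\\Volume{...} alike)."""
    return {name: parse_mounted_device(data) for name, data in values.items()}


# Constructed sample of a MountedDevices key: the signature, GUID and serial
# number are made up.
SAMPLE_MOUNTED_DEVICES: Dict[str, bytes] = {
    r"\DosDevices\C:": struct.pack("<IQ", 0xAABBCCDD, 0x100000),
    r"\DosDevices\D:": b"DMIO:ID:" + uuid.UUID("12345678-1234-5678-9abc-def012345678").bytes_le,
    r"\DosDevices\E:": (
        "_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00"
        "#0019E06B1234&0#" + DISK_INTERFACE_GUID
    ).encode("utf-16-le"),
}

if __name__ == "__main__":
    for name, info in parse_all(SAMPLE_MOUNTED_DEVICES).items():
        print(name, info)
```

For an MBR volume the disk signature and offset can be checked against the first sector of a disk image, and for a USB device the serial ties the drive letter to the USBSTOR entry and its LastWrite time.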
2.11 Wireless Networks
Wireless networks are increasingly popular and an important area of research. When the system connects to a wireless network, the SSID is stored within the registry as a preferred network connection. The profiles of all the network connections are stored in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles key [Adrian 2009] with the SSIDs, as shown in Figure 2.11(a).
Figure 2.11(a) The network List [Adrian 2009]
The network name and the other details are found within the subkeys as shown in Figure
2.11(b).
Figure 2.11(b) The network Profiles [Adrian 2009]
In addition to logging the name of the SSID, the registry also stores the network settings of that particular connection, such as the IP address, DHCP domain, subnet mask, etc. The registry key in which these can be found is HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\, which is illustrated in Figure 2.11(c).
Figure 2.11(c) The network Settings [Adrian 2009]
2.12 Internet Explorer
Internet Explorer is the native web browser in Windows operating systems. The registry
is utilized to store its data in the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
key [Adrian 2009] as shown in Figure 2.12(a).
Figure 2.12(a) Internet Explorer key [Adrian 2009]
The HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedUrls key gives the websites that have been visited, as illustrated in Figure 2.12(b).
Figure 2.12(b) Internet Explorer Typed URLs [Adrian 2009]
The HKCU\Software\Microsoft\Internet Explorer\Main key [Adrian 2009] stores the user's Internet Explorer settings, such as the search bars, start page, etc., as shown in Figure 2.12(c).
Figure 2.12(c) Internet Explorer Settings [Adrian 2009]
2.13 Available Registry Forensics Tools
There are several open & closed source registry forensics tools available online to make
the job of a forensics examiner easy. Following is the description and features of some of the
most popularly used tools.
2.13.1 RegRipper
RegRipper, written in Perl, is the fastest, easiest and best tool used by examiners for registry analysis. This tool is specifically designed for Windows 2000, XP and 2003 hive files. It does not use live hive files, but hive files extracted from a case image, for instance with FTK Imager.
RegRipper is a data extraction and correlation tool that outputs the registry in a readable form. It makes use of plug-ins to access a registry key and to extract the values and data types. It also allows filtering of the output based on the path of a registry hive and its data type. Figure 2.13 displays the interface of RegRipper 2.0 with the results obtained from a registry hive.
Figure 2.13 RegRipper [Kein 2008]
2.13.2 RegLookUp
RegLookup is a command-line utility which allows users to read and query the registries of Windows NT and higher versions. It is implemented in ANSI C. It is designed for reading the complete registry, and the result is in a standardized format. It filters the results by the path of the registry hive and its data type. Figure 2.14 displays the RegLookup output in a standard form.
Figure 2.14 RegLookUp [Sentinel 2008]
2.13.3 Registrar Registry Manager
Registrar Registry Manager provides a complete solution for forensics examiners. It also provides backup and restore of the entire registry, fast searches, adding descriptions to keys, and detailed pages. Additional features of this tool are registry defragmentation, a registry monitor and a security editor which manages access restrictions on specific keys. Figure 2.15 displays the Registrar Registry Manager window with the selected hive, its description and its contents.
Figure 2.15 Registrar Registry Manager [Replendence 2010]
2.13.4 FTK Registry Viewer
Registry Viewer is a tool that allows users to view the contents of the registry and access the encrypted protected storage of the registry, which includes important information such as passwords, usernames and other information that cannot be accessed with regedit. It allows extracting and reporting important registry information. The content of the hives can be displayed with the Full Registry view, while only the portion of the registry where important data resides is displayed with the Common Areas view. Reports can be generated from the views by selecting the keys. The Key Properties viewer and the Hexadecimal viewer are the two detailed sections of the views. Values associated with the keys are displayed by the Key Properties viewer, while the hexadecimal form of the values is displayed in the hex viewer. The "Protected Storage System Provider" key contains passwords from Microsoft Outlook and saved website passwords. It can be accessed by Registry Viewer [Access 2010].
Searching
The Find functionality allows a quick search for keys, values and data. There are three kinds of searches that search the live registry: the usual search, the advanced search and a search by the date when the key was last modified. The advanced search allows searching for keys with specific text and generating a report from the results. Figure 2.16 displays the search window of Registry Viewer, while Figure 2.17 shows the advanced search window.
Figure 2.16 Search Window [Access 2010]
Figure 2.17 Advanced Search Window [Access 2010]
Reporting
Reports can be generated in HTML format and printed when registry keys are added to the report view. The report contains file-type information for the selected key. The file types relate to the filename extensions and the programs that execute these files. A report that contains the users in the SAM subkey can be used as a reference for comparison with other reports containing the SAM key; this is known as a summary report, as illustrated in Figure 2.18.
Figure 2.18 Summary report of registry viewer [Access 2010]
3. PROPOSED SYSTEM DESIGN:
WIRECHADE
The traditional registry forensics tools lack a feature that allows users to determine the changes made in the registry, which is the most significant information a forensics investigator needs. To learn the changed value of a registry key, an investigator needs to back up the entire registry and compare it with the current registry. A simple interface that displays the changes made to the registry keys, along with the current and previous values, saves an investigator a lot of time and work.
3.1 WIRECHADE
The objective of the tool that I developed is to allow forensics investigators to view the changes made in the registry keys. The tool introduces a new feature that has never been implemented in the available tools. It is designed in the C# programming language with Visual Studio 2008 using .NET Framework 3.5. The following is a description of the functionalities of the tool.
• The Configuration feature allows selection or configuration of the keys and subkeys to be reviewed or observed.
• The Job Schedule allows selection of the days and time during which the tool scans the registry keys to detect the changes made.
• Once the selection is made, the Log file displays the changes made in the registry values.
• It also stores the previous registry structure, even if no values were set under the entry.
3.2 Namespace
The namespace used in C# with the .NET Framework to obtain access to the registry manipulation tools is "using Microsoft.Win32". Access to the elements of registry control can also be obtained using this namespace. Following are the two main classes included in the namespace.
3.2.1 Registry Class
The Registry class is used to represent the seven main subnodes of the registry that are to be accessed and manipulated. In Visual Studio .NET the namespace provides seven nodes.
• Registry.ClassesRoot has HKEY_CLASSES_ROOT as its registry value and assigns work to the shell for handling the various file formats.
• Registry.CurrentConfig has HKEY_CURRENT_CONFIG as its registry value and provides the configuration of the present session.
• Registry.CurrentUser has HKEY_CURRENT_USER as its registry value and provides the current user profile.
• Registry.DynData contains HKEY_DYN_DATA, which provides configuration data of dynamic memory.
• Registry.LocalMachine contains HKEY_LOCAL_MACHINE, which provides system configuration information.
• Registry.PerformanceData contains HKEY_PERFORMANCE_DATA, which provides performance details of the applications.
• Registry.Users has HKEY_USERS, which provides a database containing user settings.
3.2.2 RegistryKey Class
The most important class for manipulating the registry in C# is the RegistryKey class. Several methods are available in the class which either produce data or delete data.
• OpenSubKey() is a method in the class that is used to open a subkey of a registry key so that it can be manipulated.
• The methods used to manipulate subkeys are DeleteSubKey() and CreateSubKey().
• GetSubKeyNames() provides the names of all the subkeys under a given registry key.
• GetValue() extracts the value present in the registry key.
3.2 Classes of the Application
The two important classes on which the tool is built are the RegKeyManager class and the ExecutionInterval class, as shown in Figure 3.1.
Figure 3.1 Classes of the application
The RegKeyManager class is the main class, responsible for saving and loading a backup of the complete state of the registry; this backup is taken periodically as configured in the "Job Schedule". The most important function of this class is the review and search for differences between the stored backup and the newly loaded registry backup. The function that performs this action is called Checkdiff(pathToFileBackup).
The ExecutionInterval class is the class which accepts the entered time parameters in minutes. It then saves the time and calculates the parameters of the next execution of the process.
3.2 Data Tables
The tool stores each data table in an XML file; for instance, the ControlSubKey table is stored in ControlSubKey.xml. The contents of each file are shown in Figure 3.2.
Figure 3.2 Data Tables
ControlSubKey.xml saves the configuration and selection of the registry keys to review or analyze. SubKey.xml and Values.xml are related and store the backup of the registry entries.
3.3 User Interfaces
Once the tool is executed, its icon appears as a notification icon in the taskbar. The icon displays a menu when clicked. The options available in the menu are View Log, Clear Log, Job Schedule, Configuration and Exit. Configuration allows selecting the keys, while Job Schedule allows specifying the days and time during which the selected keys are monitored. The View Log option displays the result in the grid and Clear Log clears the entire log. The menu is displayed in Figure 3.3.
Figure 3.3 The Icon menu
The Configuration Window allows users to select the registry hives to be monitored. It allows users to select either an entire registry hive or specific subkeys that provide important information. The selected keys or subkeys are monitored continuously from the time specified, and any modifications made to their values are displayed. The left pane of the window shows the registry of the local machine and the right pane shows the selected keys and subkeys. Figure 3.4 displays the selected HKEY_CURRENT_USER key and the HKEY_CLASSES_ROOT key.
Figure 3.4 Configuration Window
The Job Schedule Window allows users to select one or more days of the week on which the tool scans the selected registry keys. It also allows users to specify the start time from which the scan begins. The tool scans once every specified number of minutes; for instance, if 2 minutes are specified, the tool scans the keys once every 2 minutes. Figure 3.5 shows the Job Schedule Window.
Figure 3.5 Job Schedule Window
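As an added example, not from the thesis, the next-cycle computation implied by the Job Schedule: scan every N minutes from a reference time and/or at a fixed time of day, optionally restricted to selected weekdays. It is written in Python rather than the tool's C#; the reference time and the day table are constructed.

```python
"""Next scan time for a Job Schedule (added example, not the thesis code).
`every` is the scan interval in minutes (0 = unset), `at` a time of day in
minutes after midnight (-1 = unset) and `days` a 7-entry table with index 0 =
Sunday, as in .NET's DayOfWeek; an all-False table means no day restriction.
"""
from datetime import datetime, timedelta
from typing import List, Optional, Sequence


def next_cycle(reference: datetime, now: datetime, every: int = 0, at: int = -1,
               days: Sequence[bool] = (False,) * 7) -> Optional[datetime]:
    """Return the earliest allowed scan time not before `now`, or None if nothing is scheduled."""
    if every <= 0 and at < 0:
        return None
    restricted = any(days)

    def allowed(t: datetime) -> bool:
        # Python's weekday() has Monday = 0; shift so that Sunday = 0
        return not restricted or days[(t.weekday() + 1) % 7]

    candidates: List[datetime] = []
    if every > 0:
        # Step forward from the reference in whole intervals until the slot is usable
        t = reference + timedelta(minutes=every)
        while t < now or not allowed(t):
            t += timedelta(minutes=every)
        candidates.append(t)
    if at >= 0:
        # Fixed time of day: today if still ahead, otherwise the next allowed day
        t = reference.replace(hour=at // 60, minute=at % 60, second=0, microsecond=0)
        while t < now or not allowed(t):
            t += timedelta(days=1)
        candidates.append(t)
    return min(candidates)


# Constructed reference time: Monday, 18 October 2010, 09:00
REFERENCE = datetime(2010, 10, 18, 9, 0)
TUESDAYS_ONLY = [False, False, True, False, False, False, False]

if __name__ == "__main__":
    print(next_cycle(REFERENCE, REFERENCE, every=2))
    print(next_cycle(REFERENCE, REFERENCE, every=2, days=TUESDAYS_ONLY))
```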
The View Log grid displays the modifications made in the selected registry keys. It displays the previous value as well as the currently changed value. The columns of the grid show the subkey, the time when the registry value was changed, a description of the change, the old value and the new value. Figure 3.6 shows the log grid displaying the modified values of the registry keys.
Figure 3.6 Log Window
4. TESTING AND EVALUATION
The following test cases use detailed procedures to test the working and the features of the application.
4.1 Test Case 1: Extracting the Registry
The registry tool extracts the entire registry of the local machine on which it is executed. Figure 4.1 displays the registry subkeys of the key
HKEY_CURRENT_USER\software\microsoft
such as Visual Studio, VBA, Office and so on. Regedit is used to view the registry of the local machine.
Figure 4.1 Registry of the local machine
When the application is started on the same machine, it extracts the registry subkeys Visual Studio, VBA and Office, as displayed in the left pane of the configuration window shown in Figure 4.2.
Figure 4.2 Registry Extraction
4.2 Test Case 2: Selecting the keys
The configuration window allows users to select the entire hive or the subkeys within the hive, as shown in Figure 4.3. The figure shows the subkey HKEY_CURRENT_USER\software\microsoft\Internet Explorer\TypedURL being selected and added to the right pane, which is the detailed pane of the configuration window.
Figure 4.3 Selecting the keys
4.3 Test Case 3: Changing a Registry Value
This test case is implemented by changing the value name and the value of the registry subkey HKEY_CURRENT_USER\software\microsoft\Internet Explorer\TypedURLs\valor. Subkeys that do not degrade the system performance have been selected for testing purposes. The current value of the subkey is “7777777777” with the value name “valor”, as displayed in Figure 4.4.
Figure 4.4 Current value
The current value of the subkey HKEY_CURRENT_USER\software\microsoft\Internet Explorer\TypedURLs\valor is changed from the string “77777777” to “111”, as shown in Figure 4.5.
Figure 4.5 Changed Value
When the program is executed, it displays the results in the View Log window. The 5th row of the grid shows the modification. The current value is entered into the Old Value column and the changed value into the New Value column, as illustrated in the log grid in Figure 4.6.
Figure 4.6 Display change
4.4 Test Case 4: Deleting a value
The current value of the subkey HKEY_CURRENT_USER\software\microsoft\Internet Explorer\TypedURLs\valor1 is the string “wwwwwwww”, as shown in Figure 4.7.
Figure 4.7 Current Value
After deleting the value, the result is displayed in the 6th row of the Log grid, as shown in Figure 4.8.
Figure 4.8 Display delete
4.5 Test Case 5: Inserting a Value
The current value of the subkey HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs\valor4 is null, and the string “ooo” is inserted, as shown in Figures 4.9(a) and 4.9(b).
Figure 4.9(a) Null value
Figure 4.9(b) Inserting a value
The result is shown in the last row of the Log grid for the subkey HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs\valor4 in Figure 4.10.
Figure 4.10 Display Insert
5. CONCLUSION
With the increasing use of computers in organizations, understanding the complications of the registry is crucial for a forensics investigator. The evidence provided in the registry is the most significant source in any investigation. The actions performed on the computer give the examiner an insight into the system. The paper describes the important locations relevant to a forensics examination and the data found within them. It describes the most popular registry forensics tools available today and their features. The Windows Registry change detection forensics tool I implemented allows forensics investigators to view the changes made in the Registry. It overcomes the inability of the existing forensics tools to detect changes and display the previous values of a modified registry key. The test cases are generated to test the features of the tool, which include extraction of the registry, selection of the keys to be monitored, detection of a changed value of a registry key, detection of a value inserted into a key and detection of a value deleted from a key. The testing has been performed on the HKEY_CURRENT_USER\software\microsoft\Internet Explorer\TypedURL subkey as it does not affect the system performance.
As the popularity of registry forensics grows, more and more advanced tools will be developed to save the time and work of forensics investigators. The tool I developed scans the hives HKEY_CURRENT_USER, HKEY_CLASSES_ROOT and HKEY_LOCAL_MACHINE. The tool can be enhanced by including HKEY_CURRENT_CONFIG and HKEY_PERFORMANCE_DATA.
APPENDIX A
The following are the class files used to build the application.
RegKeyManager.cs
using System;
using System.Collections.Generic;
using System.Text;
using Microsoft.Win32;
using System.Data;
using System.IO;
using System.Threading;
using Com.StellmanGreene.CSVReader;

namespace RegistryObserver
{
    public class RegKeyManager
    {
        //RegistryTraversal recTrans = new RegistryTraversal();
        private RegistryKey parentKey;

        public RegistryKey ParentKey
        {
            get { return parentKey; }
            set { parentKey = value; }
        }

        DbRegedit writeRegedit = new DbRegedit();
        DbRegedit readRegedit = new DbRegedit();

        // Takes a fresh snapshot of the keys selected in ControlSubKeys.xml and writes it to backup\<path>
        public void MakeBackup(string path)
        {
            char[] caracter = new char[] { Convert.ToChar(92) }; // '\' path separator
            if (File.Exists(@"backup\" + path))
            {
                //writeRegedit.SubKey.ReadXml(@"backup\" + path);
                //writeRegedit.Values.ReadXml(@"backup\value" + path);
                writeRegedit.Values.Clear();
                writeRegedit.SubKey.Clear();
            }
            writeRegedit.ControlSubKeys.ReadXml("ControlSubKeys.xml");
            foreach (DbRegedit.ControlSubKeysRow i in writeRegedit.ControlSubKeys.Rows)
            {
                string[] tmp = i.Name.Split(caracter);
                RegistryKey local = this.parentKey;
                // Read-only access is sufficient for monitoring (the original requested write access,
                // which fails on keys the user may read but not modify)
                local = local.OpenSubKey(tmp[tmp.Length - 1], false);
                if (local != null)
                {
                    row = writeRegedit.SubKey.AddSubKeyRow(i.Name);
                    foreach (string val in local.GetValueNames())
                        writeRegedit.Values.AddValuesRow(val, row, local.GetValue(val));
                }
                local = this.parentKey;
                int index = i.Name.IndexOf(@"\");
                string value = i.Name.Substring(index + 1);
                local = local.OpenSubKey(value, false);
                recorrer(local);
            }
            writeRegedit.SubKey.WriteXml(@"backup\" + path);
            writeRegedit.Values.WriteXml(@"backup\value" + path);
        }

        DbRegedit.SubKeyRow row;

        // Recursively records every subkey below SubKey together with its values
        private void recorrer(RegistryKey SubKey)
        {
            if (SubKey == null)
                return;
            try
            {
                if (SubKey.GetSubKeyNames().Length > 0)
                {
                    foreach (string sub in SubKey.GetSubKeyNames())
                    {
                        RegistryKey local = SubKey.OpenSubKey(sub, false);
                        if (local == null)
                            continue;
                        row = writeRegedit.SubKey.AddSubKeyRow(local.Name);
                        foreach (string val in local.GetValueNames())
                            writeRegedit.Values.AddValuesRow(val, row, local.GetValue(val));
                        recorrer(local);
                        local.Close();
                    }
                }
                //else
                //{
                //    foreach (string val in SubKey.GetValueNames())
                //        writeRegedit.Values.AddValuesRow(val, row, SubKey.GetValue(val).ToString());
                //}
            }
            catch
            {
                // keys that cannot be read are skipped
            }
        }

        // Loads the previous snapshot from backup\<path>; an unreadable backup yields empty tables
        private void LoadBackup(string path)
        {
            try
            {
                if (File.Exists(@"backup\" + path))
                {
                    readRegedit.SubKey.ReadXml(@"backup\" + path);
                    readRegedit.Values.ReadXml(@"backup\value" + path);
                }
            }
            catch
            {
                readRegedit.SubKey.Clear();
                readRegedit.Values.Clear();
            }
        }

        CSVWriter writer = new CSVWriter();
        DbRegedit.LogDataTable tmpLog = new DbRegedit.LogDataTable();

        // Compares the previous backup with a fresh one and appends the differences to RegeditLog.csv
        public void CheckDiff(string path)
        {
            //StreamWriter writer = new StreamWriter("RegeditLog.txt", true);
            //if (File.Exists("RegeditLog.csv"))
            //{
            //    if (tmpLog.Count == 0)
            //    {
            //        DataTable tmpTable = CSVReader.ReadCSVFile("RegeditLog.csv", true);
            //        foreach (DataRow row in tmpTable.Rows)
            //            tmpLog.AddLogRow((DateTime)row["Time"], (String)row["Description"], row["OldValue"] as object, row["NewValue"] as object, (string)row["SubKey"], (string)row["Value"]);
            //    }
            //}
            //writer.WriteLine("Start Check Now: " + DateTime.Now);
            //writer.Flush();
            LoadBackup(path);
            MakeBackup(path);
            int i = 0;
            try
            {
                foreach (DbRegedit.SubKeyRow x in readRegedit.SubKey.Rows)
                {
                    if (i >= writeRegedit.SubKey.Rows.Count)
                    {
                        // The new backup has fewer subkeys than the previous one
                        tmpLog.AddLogRow(DateTime.Now, "Change structure on entry or entry not selected", DBNull.Value, DBNull.Value, x.Name, "");
                        break;
                    }
                    DbRegedit.SubKeyRow y = (DbRegedit.SubKeyRow)writeRegedit.SubKey.Rows[i];
                    if (x.Name.ToString() == y.Name.ToString())
                    {
                        DbRegedit.ValuesRow[] tmp1 = (DbRegedit.ValuesRow[])x.GetChildRows("SubSubKey_Values");
                        DbRegedit.ValuesRow[] tmp2 = (DbRegedit.ValuesRow[])y.GetChildRows("SubSubKey_Values");
                        int j = 0;
                        if (tmp1.Length != tmp2.Length)
                        {
                            //writer.WriteLine(DateTime.Now + ">Change number of entries values:" + x.Name);
                            //writer.Flush();
                            tmpLog.AddLogRow(DateTime.Now, "Change number of entries values", DBNull.Value, DBNull.Value, x.Name, "");
                            break;
                        }
                        foreach (DbRegedit.ValuesRow valor1 in tmp1)
                        {
                            DbRegedit.ValuesRow valor2 = (DbRegedit.ValuesRow)tmp2[j];
                            if (valor1.Value.ToString() != valor2.Value.ToString())
                            {
                                //writer.WriteLine(DateTime.Now + ">Value:" + valor1.IdValue + " Current value: [" + valor2.Value + "] Previous value: [" + valor1.Value + "] on Subkey:" + x.Name);
                                //writer.Flush();
                                tmpLog.AddLogRow(DateTime.Now, "Change Value", valor1.Value, valor2.Value, x.Name, valor1.IdValue);
                            }
                            j++;
                        }
                    }
                    else
                    {
                        // log the event: the registry structures differ
                        //writer.WriteLine(DateTime.Now + ">change structure on entry:" + x.Name + "or now is not selected");
                        //writer.Flush();
                        tmpLog.AddLogRow(DateTime.Now, "Change structure on entry or entry not selected", DBNull.Value, DBNull.Value, x.Name, "");
                        break;
                    }
                    i++;
                }
                //writer.WriteLine("Process finished: " + DateTime.Now);
                //writer.Flush();
                //writer.Close();
            }
            catch (Exception ex)
            {
                //writer.WriteLine(DateTime.Now + ">Fatal error Application:" + ex.Message);
                //writer.Flush();
                tmpLog.AddLogRow(DateTime.Now, "Fatal Error: " + ex.Message, DBNull.Value, DBNull.Value, "", "");
            }
            if (File.Exists("RegeditLog.csv"))
                writer.CreateCSVFile(tmpLog, "RegeditLog.csv", true);
            else
                writer.CreateCSVFile(tmpLog, "RegeditLog.csv", false);
        }
    }
}

ExecutionInterval.cs
using System;
using System.Xml.Serialization;
using System.Xml;

namespace ProgrammerTime
{
    /* Implements an interface to configure execution intervals. */
    public class ExecutionInterval
    {
        /* If greater than zero indicates to execute every N minutes. */
        [XmlAttribute("every")]
        public int every;

        /* If non-negative, indicates to execute after/at a specific time. */
        [XmlAttribute("at")]
        public int at;

        /* Indicates to execute on a system event. */
        [XmlAttribute("onPowerModeChanged")]
        public bool onPowerModeChanged;

        [XmlAttribute("onSessionEnded")]
        public bool onSessionEnded;

        /* Set execution restriction to specific days. */
        [XmlAttribute("days")]
        public bool[] days;

        /* Constructor. */
        public ExecutionInterval()
        {
            /* Reset attributes. */
            this.every = 0;
            this.at = -1;
            this.onPowerModeChanged = this.onSessionEnded = false;
            this.days = new bool[7];
        }

        /* Sets the interval to every N minutes. */
        public void enableExecuteEvery(int n)
        {
            /* Set the "every" attribute. */
            this.every = n >= 1 ? n : 0;
        }

        /* Disables the interval of every N minutes. */
        public void disableExecuteEvery()
        {
            this.every = 0;
        }

        /* Sets the interval to a specific time. */
        public void enableExecuteAt(int hour, int minutes)
        {
            /* Convert to minutes and store. */
            this.at = hour * 60 + minutes;
        }

        /* Returns true if the interval attrs are not set. */
        public bool intervalNotSet()
        {
            /* Check if interval is enabled. */
            return this.every <= 0 && this.at < 0;
        }

        /* Returns the next cycle's time and date. */
        public DateTime calculateNextCycle(DateTime reference)
        {
            /* Check if interval is enabled. */
            if (intervalNotSet())
                return DateTime.Now.AddDays(-1);

            /* Indicates if we're restricting days. */
            bool daysRestricted = false;

            /* Find out if we're restricting days. */
            foreach (bool dayEnabled in this.days)
            {
                if (dayEnabled)
                {
                    daysRestricted = true;
                    break;
                }
            }

            /* Target time and date. */
            TimeSpan s1 = new TimeSpan();
            TimeSpan s2 = new TimeSpan();

            /* If greater than zero indicates to execute every N minutes. */
            if (this.every > 0)
                s1 = s1.Add(TimeSpan.FromMinutes(this.every));

            /* If non-negative, indicates to execute at a specific time. */
            if (this.at >= 0)
                s2 = s2.Add(new TimeSpan((int)(this.at / 60), (int)(this.at % 60), 0));

            /* Build two references. */
            DateTime r1 = DateTime.Parse(reference.ToString());
            DateTime r2 = new DateTime(reference.Year, reference.Month, reference.Day, 0, 0, 0);

            /* The two options. */
            DateTime t1 = new DateTime();
            DateTime t2 = new DateTime();

            /* Ensure that the time is after now. */
            while (this.every > 0)
            {
                /* Get reference-based time. */
                t1 = r1.Add(s1);

                /* Check if the time is right. */
                if (t1 >= DateTime.Now && (daysRestricted ? this.days[(int)t1.DayOfWeek] : true))
                    break;

                /* Move the reference. */
                r1 = r1.AddMinutes(this.every);
            }

            /* If only every-n defined, return. */
            if (this.every > 0 && this.at <= -1)
                return t1;

            /* Ensure that the time is after now. */
            while (this.at >= 0)
            {
                /* Get reference-based time. */
                t2 = r2.Add(s2);

                /* Check if the time is right. */
                if (t2 >= DateTime.Now && (daysRestricted ? this.days[(int)t2.DayOfWeek] : true))
                    break;

                /* Move the reference. */
                r2 = r2.AddDays(1);
            }

            /* If only at-x defined, return. */
            if (this.every <= 0 && this.at >= 0)
                return t2;

            /* Return nearest date. */
            return t1 < t2 ? t1 : t2;
        }
    }
}
Configuration.cs
using System;
using System.Drawing;
using System.Windows.Forms;
using Microsoft.Win32;
using ProgrammerTime;
using System.IO;

namespace RegistryObserver
{
    /// <summary>
    /// Description of Configuration.
    /// </summary>
    public partial class frmConfiguration : Form
    {
        public frmConfiguration()
        {
            //
            // The InitializeComponent() call is required for Windows Forms designer support.
            //
            InitializeComponent();

            //
            // TODO: Add constructor code after the InitializeComponent() call.
            //
        }

        RegistryKey OurKey = null;

        // Recursively adds every subkey below SubKey to the tree view
        private void GetSubKeys(RegistryKey SubKey, TreeNode parent)
        {
            try
            {
                TreeNode tmp;
                foreach (string sub in SubKey.GetSubKeyNames())
                {
                    // Read-only access: the configuration window only lists keys
                    // (the original requested write access, which throws on keys the user cannot modify)
                    RegistryKey local = SubKey.OpenSubKey(sub, false);
                    if (local == null)
                        continue;
                    tmp = parent.Nodes.Add(local.Name, sub);
                    GetSubKeys(local, tmp);
                    local.Close();
                }
            }
            catch (Exception)
            {
                // MessageBox.Show(ex.Message);
            }
        }

        void ConfigurationLoad(object sender, EventArgs e)
        {
            //This is how we call the recursive function GetSubKeys
            OurKey = Registry.CurrentUser;
            //OurKey = OurKey.OpenSubKey(@".DEFAULT\test",true);
            TreeNode tmp = treeView1.Nodes.Add("CurrentUsers");
            GetSubKeys(OurKey, tmp);
            //LoadXml("ControlSubKeys.xml");

            //This is how we call the recursive function GetSubKeys
            OurKey = Registry.LocalMachine;
            //OurKey = OurKey.OpenSubKey(@".DEFAULT\test",true);
            tmp = treeView1.Nodes.Add("LocalMachine");
            GetSubKeys(OurKey, tmp);
            //LoadXml("ControlSubKeys.xml");

            //This is how we call the recursive function GetSubKeys
            OurKey = Registry.ClassesRoot;
            //OurKey = OurKey.OpenSubKey(@".DEFAULT\test",true);
            tmp = treeView1.Nodes.Add("ClassesRoot");
            GetSubKeys(OurKey, tmp);
            LoadXml("ControlSubKeys.xml");
        }

        private void treeView1_DoubleClick(object sender, EventArgs e)
        {
            if (checkedListBox1.FindStringExact(treeView1.SelectedNode.Name) == -1)
                checkedListBox1.Items.Add(treeView1.SelectedNode.Name, true);
        }

        private void checkedListBox1_KeyPress(object sender, KeyPressEventArgs e)
        {
            // Backspace removes the selected key from the list
            if (e.KeyChar == 8)
            {
                checkedListBox1.Items.Remove(checkedListBox1.SelectedItem);
            }
        }

        private void clearToolStripMenuItem_Click(object sender, EventArgs e)
        {
            checkedListBox1.Items.Clear();
        }

        private void LoadXml(string pathtofile)
        {
            if (File.Exists(pathtofile))
            {
                dbRegedit1.ReadXml(pathtofile);
                checkedListBox1.Items.Clear();
                foreach (DbRegedit.ControlSubKeysRow x in dbRegedit1.ControlSubKeys.Rows)
                    checkedListBox1.Items.Add(x.Name, x.Status);
            }
        }

        private void SaveXml(string pathtofile)
        {
            dbRegedit1.ControlSubKeys.Clear();
            foreach (var x in checkedListBox1.Items)
            {
                dbRegedit1.ControlSubKeys.AddControlSubKeysRow(x.ToString(), true);
            }
            dbRegedit1.WriteXml(pathtofile);
        }

        private void Configuration_FormClosing(object sender, FormClosingEventArgs e)
        {
            SaveXml("ControlSubKeys.xml");
        }
    }
}
JobSchedule.cs
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using System.IO;
using ProgrammerTime;
using System.Xml.Serialization;

namespace RegistryObserver
{
    public partial class frmJobSchedule : Form
    {
        public frmJobSchedule()
        {
            InitializeComponent();
        }

        XmlSerializer SerializerObj = new XmlSerializer(typeof(ExecutionInterval));
        ExecutionInterval interval = new ExecutionInterval();

        private void frmJobSchedule_Load(object sender, EventArgs e)
        {
            if (File.Exists("Config.xml"))
            {
                FileStream ReadFileStream = new FileStream("Config.xml", FileMode.Open, FileAccess.Read, FileShare.Read);
                // Assign to the field (the original declared a local that shadowed it)
                interval = (ExecutionInterval)SerializerObj.Deserialize(ReadFileStream);
                ReadFileStream.Close();
                numericUpDown1.Value = interval.every;
                if (interval.at >= 0)
                {
                    TimeSpan x = new TimeSpan(interval.at / 60, interval.at % 60, 0);
                    maskedTextBox1.Text = x.Hours.ToString().PadLeft(2, '0') + ":" + x.Minutes.ToString().PadLeft(2, '0');
                }
                checkedListBox1.SetItemChecked(0, interval.days[0]);
                checkedListBox1.SetItemChecked(1, interval.days[1]);
                checkedListBox1.SetItemChecked(2, interval.days[2]);
                checkedListBox1.SetItemChecked(3, interval.days[3]);
                checkedListBox1.SetItemChecked(4, interval.days[4]);
                checkedListBox1.SetItemChecked(5, interval.days[5]);
                checkedListBox1.SetItemChecked(6, interval.days[6]);
            }
        }

        private void saveXml()
        {
            TextWriter WriteFileStream = new StreamWriter("Config.xml");
            DateTime x = Convert.ToDateTime(maskedTextBox1.Text);
            interval.enableExecuteAt(x.Hour, x.Minute);
            interval.enableExecuteEvery((int)numericUpDown1.Value);
            interval.days[0] = checkedListBox1.GetItemChecked(0);
            interval.days[1] = checkedListBox1.GetItemChecked(1);
            interval.days[2] = checkedListBox1.GetItemChecked(2);
            interval.days[3] = checkedListBox1.GetItemChecked(3);
            interval.days[4] = checkedListBox1.GetItemChecked(4);
            interval.days[5] = checkedListBox1.GetItemChecked(5);
            interval.days[6] = checkedListBox1.GetItemChecked(6);
            SerializerObj.Serialize(WriteFileStream, interval);
            WriteFileStream.Close();
        }

        private void frmJobSchedule_FormClosing(object sender, FormClosingEventArgs e)
        {
            try
            {
                saveXml();
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.Message);
            }
        }
    }
}
ViewLog.cs
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using System.IO;
using Com.StellmanGreene.CSVReader;

namespace RegistryObserver
{
    public partial class frmViewLog : Form
    {
        public frmViewLog()
        {
            InitializeComponent();
        }

        // Reloads the CSV log into the grid on every timer tick
        private void timer1_Tick(object sender, EventArgs e)
        {
            try
            {
                //txtLog.Text = Read("RegeditLog.txt");
                dataGridView1.DataSource = CSVReader.ReadCSVFile("RegeditLog.csv", true);
            }
            catch
            {
            }
        }

        //private string Read(string file)
        //{
        //    if (File.Exists(file))
        //    {
        //        StreamReader reader = new StreamReader(file);
        //        string data = reader.ReadToEnd();
        //        reader.Close();
        //        return data;
        //    }
        //    return "";
        //}

        private void frmViewLog_Load(object sender, EventArgs e)
        {
            timer1.Enabled = true;
        }

        private void frmViewLog_FormClosing(object sender, FormClosingEventArgs e)
        {
            timer1.Enabled = false;
        }
    }
}