
CSc 116 - Summer 2017 - 3 - Part 1 - Windows Registry
athena.ecs.csus.edu/~cookd/116/notes/CSc 116 - Summer 2018 - 3 - …


Windows Registry
Week 3 – Part 1

7/23/2018 Sacramento State - Cook - CSc 116 - Summer 2018

What is the Registry?
The Windows Registry: a great source of evidence … and headaches
It is a collection of files that, together, form all the settings needed by applications and the operating system
The Registry stores:
• hardware info – ports, disk, etc…
• user information and preferences
• application settings
• … and more

A Wealth of Evidence
The registry can be searched, and tons of information can be obtained about the user and computer
This includes not only the values but also the times/dates when the data was created

Some Evidence that Can Be Recovered
• Devices that were connected to the system
• User names and accounts
• Personal settings and browser preferences
• Web browsing activity
• Most recently used files
• Programs used

Registry History: Windows 3.1
The “registry” debuted in Windows 95
However, the idea has a long evolution from Windows 3.1 and DOS
Windows 3.1 and DOS use “INI” files
• text files with an easy to read/edit format
• applications often had their own separate files
• these were often stored in the c:\windows folder or elsewhere on the hard drive

INI File Example
[Course]
ID=csc116
Name=Cyber Forensics
Instructor=Devin Cook
; Comments start with a semicolon
[Location]
Building=Riverside Hall
Room=1008
Slide callouts: the bracketed line “[Course]” is a Section; a line such as “ID=csc116” is a Key & Value

Registry History: Windows 3.1
Windows 3.1 has two main INI files
• SYSTEM.INI – hardware, drivers, etc…
• WIN.INI – desktop, applications, etc…
It had a precursor to the modern Registry called REG.DAT which contained:
• Object Linking and Embedding (OLE) data
• associated file types with applications

Problems with 3.1
Problems arose:
• proliferation of INI files all over the computer
• slow access – the entire text file had to be loaded
• lack of network support
• did not allow multiple user profiles
• very flat format
The modern “registry” was developed to overcome these restrictions

Windows 95 Approach
The Windows 9x/NT 3.5 Registry is composed of a couple of different files
The files are:
• system.dat – system settings (9x, NT)
• user.dat – generic user settings (9x, NT)
• classes.dat – utilized for program associations, context menus and file types (ME only)

95: Multiple User Problem
How does it support multiple users?
If all users utilize the same profile:
• the information will all be mingled together in the user.dat file
• it will be difficult (if not impossible) to separate the data

95: Multiple User Solution
Windows 9x/NT use user.dat as a “default” account
It is copied for new profiles
In addition, each user has a separate user.dat file
This allows support for multiple users, and users can be added without starting from scratch

95: Backups
A back-up of the registry is made after each boot
The filenames are as follows:
• System.dao (95, 98, ME, NT)
• User.dao (95, 98, ME, NT)
• Rbxxx.cab (98, ME)

Windows 3.1 Settings
Filename    Location   Content
system.ini  \Windows   hardware, drivers, and other vital configuration information
win.ini     \Windows   application settings, desktop, user preferences; applications often used separate .ini files

Windows 9x Registry
Filename    Location                             Content
user.dat    \Windows and \Windows\profiles\user  User-specific information. There is a different file for each user plus a main default one
system.dat  \Windows                             Protected storage area for all users, all installed programs and their settings, system settings

Windows XP
In Windows XP, Microsoft expanded the Registry quite considerably by adding many of the features from Windows NT
Windows NT was their high-end operating system designed to be secure and robust
Windows 95/98/ME were designed to run older software – legacy support

Windows XP Registry
Filename    Location                      Content
ntuser.dat  \Documents and Settings\user  User-specific information. Different file for each user.
Default     \Windows\system32\config      System settings
SAM         \Windows\system32\config      Security account management
Security    \Windows\system32\config      Security settings
Software    \Windows\system32\config      All installed programs and their settings
System      \Windows\system32\config      System settings

Windows 7/8/10 Registry
Filename    Location                  Content
ntuser.dat  \Users\username           User-specific information. Different file for each user.
Default     \Windows\system32\config  System settings
SAM         \Windows\system32\config  Security account management
Security    \Windows\system32\config  Security settings
Software    \Windows\system32\config  All installed programs and their settings
System      \Windows\system32\config  System settings

Registry Logical Design
Different files? Different versions? How does it make sense?

Logical Registry Design
The Registry is stored differently depending on the version of Windows
However, for applications, the information is always presented in the same format
This allowed the Registry to evolve smoothly over time

Windows Registry Elements
Data is organized into a logical tree
Information is organized into 5 different “hives”
Some of the hives are collections of data in other hives – so they are "virtual"

Windows Registry Elements
Keys / Subkeys
• define the structure of the registry
• similar to folders in a file system
Values – the data for each subkey
• String (REG_SZ) – single line string value
• Binary (REG_BINARY) – series of bytes
• DWORD (REG_DWORD) – double word – 4 bytes
• Multi-string (REG_MULTI_SZ) – multiple line string
• Expandable string (REG_EXPAND_SZ)

Registry Hives
• HKEY_CLASSES_ROOT
• HKEY_CURRENT_USER
• HKEY_LOCAL_MACHINE
• HKEY_USERS
• HKEY_CURRENT_CONFIG

Registry Hives
HKEY_LOCAL_MACHINE (HKLM)
• contains hardware, drivers, start-up data, services, and machine-specific application data
• most applications will store global settings here
HKEY_USERS (HKU)
• contains information about each user including their folders and user-registry file
• required to locate the actual user registry file

Registry Hives
HKEY_CURRENT_USER (HKCU)
• once a user logs in, this key will contain the information from their registry file – ntuser.dat
• applications that want to store user-specific data read and write to this key
• Why? Apps don’t need to know *the* user, just the current one
• Nearly identical to HKEY_LOCAL_MACHINE

Registry Hives: Merged Views
HKEY_CLASSES_ROOT (HKCR)
• classes can be user-specific or applied to all users
• contains a merged view of two hives:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes
  • HKEY_CURRENT_USER\SOFTWARE\Classes
HKEY_CURRENT_CONFIG (HKCC)
• information about how the system was booted
• contains a merged view of two hives:
  • HKEY_LOCAL_MACHINE\SOFTWARE
  • HKEY_LOCAL_MACHINE\SYSTEM

Windows Registry Security
Security is set by Registry permissions
• in Windows 2000, regedt32.exe must be used
• in Windows XP, regedit.exe can also be used
Two basic permissions are available:
• Read Only
• Full Control
By default, only the System and Administrators:
• have “full control” permissions
• can also create specific permissions

Windows Security and Relative ID
S-1-5-21-927890586-3685698554-67682326-1005
The Windows Registry uses an alphanumeric combination to identify a security group
Security ID (SID)
• identifies the computer system
• SIDs are assigned by the Domain Controller

Windows Security and Relative ID
Relative ID (RID)
• part of the SID used to identify the specific user on the computer system
• it is the last part of the SID

Dissecting a SID
S-1-5-21-927890586-3685698554-67682326-1005
• 1 – SID version
• 5 – Authority
• 21-927890586-3685698554-67682326 – Domain or Local Computer
• 1005 – Relative ID
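Added example (not code from the slides): Python that splits the SID above into the four labelled fields and also decodes the packed binary form in which SIDs appear inside registry values. The binary layout in the comments (revision byte, sub-authority count, 6-byte big-endian authority, little-endian 32-bit sub-authorities) and the well-known RID meanings are Microsoft's definitions; everything else is this example's own naming.

```python
import struct
from dataclasses import dataclass
from typing import List

# The SID shown on the slide
SAMPLE_SID = "S-1-5-21-927890586-3685698554-67682326-1005"

# Microsoft's well-known RIDs; RIDs of 1000 and above go to accounts and
# groups created on the machine or domain
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "Guest",
                   512: "Domain Admins", 513: "Domain Users"}


@dataclass
class SID:
    revision: int              # "SID version" on the slide (always 1 today)
    authority: int             # identifier authority; 5 = NT Authority
    subauthorities: List[int]  # domain/local-computer identifier, then the RID

    @classmethod
    def from_string(cls, text: str) -> "SID":
        parts = text.split("-")
        if len(parts) < 4 or parts[0] != "S":
            raise ValueError(f"not a SID string: {text!r}")
        return cls(int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]])

    @classmethod
    def from_bytes(cls, data: bytes) -> "SID":
        # Binary layout as stored in registry values (e.g. SAM, ProfileList):
        # revision (1 byte), sub-authority count (1 byte), identifier authority
        # (6 bytes, big-endian), then count x 32-bit little-endian sub-authorities
        if len(data) < 8:
            raise ValueError("binary SID too short")
        revision, count = data[0], data[1]
        if len(data) != 8 + 4 * count:
            raise ValueError("sub-authority count does not match data length")
        authority = int.from_bytes(data[2:8], "big")
        return cls(revision, authority, list(struct.unpack_from(f"<{count}I", data, 8)))

    def to_bytes(self) -> bytes:
        header = bytes([self.revision, len(self.subauthorities)]) + self.authority.to_bytes(6, "big")
        return header + struct.pack(f"<{len(self.subauthorities)}I", *self.subauthorities)

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.authority), *map(str, self.subauthorities)])

    @property
    def rid(self) -> int:
        # The Relative ID is the last sub-authority
        return self.subauthorities[-1]

    @property
    def issuer(self) -> str:
        # Everything before the RID identifies the domain or local computer
        return "-".join(["S", str(self.revision), str(self.authority), *map(str, self.subauthorities[:-1])])

    def describe_rid(self) -> str:
        if self.rid in WELL_KNOWN_RIDS:
            return WELL_KNOWN_RIDS[self.rid]
        if self.rid >= 1000:
            return "account or group created on this system/domain"
        return "other built-in or well-known RID"


def dissect(text: str) -> dict:
    # The four callouts on the slide, in order
    sid = SID.from_string(text)
    return {"SID version": sid.revision, "Authority": sid.authority,
            "Domain or Local Computer": "-".join(map(str, sid.subauthorities[:-1])),
            "Relative ID": sid.rid, "RID meaning": sid.describe_rid()}
```

Two SIDs with the same issuer and different RIDs are accounts on the same computer or domain, which is how ProfileList and SAM entries are tied back to one machine.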

Registry Forensics
Some things to look for

Why Is Mr. Cook Obsessed with Windows?
Windows is the main operating system used on home computers
So, by a large margin, seized computers will
What is the market share?
• market share is hard to measure
• the best avenue is to look at browser usage
Source: http://marketshare.hitslink.com

Platforms: June 2017
Source: http://marketshare.hitslink.com
Approximately 90.5% use Windows
• Windows XP – 5.7%
• Windows 7 – 49.5%
• Windows 8 – 6.7%
• Windows 10 – 26.8%
Approximately 7.8% use Macintosh
Approximately 1.8% use Linux

Editing the Windows Registry
Two native Windows Registry editors are available
• Regedt32.exe
• Regedit.exe
These were merged in Windows XP

Difference Between Live and Offline Registry
No HARDWARE hive
• located in HKLM (HKEY_LOCAL_MACHINE)
• dynamic key – created when Windows boots
No virtual hives
• HKCU (HKEY_CURRENT_USER) is actually content in ntuser.dat
• you must search for the correct SID key under HKEY_USERS

Some System Info You Can Get
• Computer name
• Dynamic disks
• Install dates
• Last user logged in
• Mounted devices
• Windows OS product key
• Registered owner
• Programs run automatically
• System’s USB devices

User-Specific Evidence
ntuser.dat (HKEY_CURRENT_USER) is a great source of evidence
Note: everything the computer remembers between sessions is in the registry!
So, anything that Windows remembers for you, it will also remember for the suspect

Registry Forensics
All registry keys contain a last-modified time-stamp
• so, you can tell what and when
• not visible with regedit
• there are tools for reading this
The Registry also records all devices that have ever been connected to the computer
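Added example, not from the slides or from any tool they mention: the Python below reads a key's last-write timestamp directly out of an "nk" (key node) record of an offline hive file, the field regedit does not show. The record offsets in the docstring are an assumption (the standard regf layout), and the sample record is constructed inside the block.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    return ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_nk(cell: bytes) -> dict:
    """Read the fields of an 'nk' record that carry the timestamp regedit hides.
    Assumed regf layout, counted from the 'nk' signature (the 4-byte cell size
    that precedes a record is not included): flags at 0x02, last-write FILETIME
    at 0x04, key name length at 0x48, key name at 0x4C."""
    if cell[:2] != b"nk":
        raise ValueError("not a key node record")
    flags, filetime = struct.unpack_from("<HQ", cell, 0x02)
    name_len = struct.unpack_from("<H", cell, 0x48)[0]
    raw_name = cell[0x4C:0x4C + name_len]
    # Flag 0x20 (KEY_COMP_NAME) means the name is stored as 8-bit characters,
    # otherwise it is UTF-16LE
    name = raw_name.decode("latin-1") if flags & 0x20 else raw_name.decode("utf-16-le")
    return {"name": name, "flags": flags, "last_write": filetime_to_datetime(filetime)}


def build_nk(name: str, last_write: datetime) -> bytes:
    """Construct a minimal key node for this example; only the fields parse_nk reads are filled."""
    header = bytearray(0x4C)
    header[0:2] = b"nk"
    struct.pack_into("<HQ", header, 0x02, 0x20, datetime_to_filetime(last_write))
    struct.pack_into("<H", header, 0x48, len(name))
    return bytes(header) + name.encode("latin-1")


# Constructed sample: a key named RecentDocs last written on the date of the lecture
SAMPLE_NK = build_nk("RecentDocs", datetime(2018, 7, 23, 15, 4, 5, tzinfo=timezone.utc))

if __name__ == "__main__":
    info = parse_nk(SAMPLE_NK)
    print(f"{info['name']}: last written {info['last_write'].isoformat()}")
```

The timestamp is the key's last write, so it dates the most recent change to the key's values or subkey list, not the creation of the key.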

Registry: MSN Messenger
Some obtainable evidence
• IM groups, contacts, …
• Location of message history files
• Location of saved contact list files
Values are stored in REG_BINARY (bytes)
• this is actually Unicode text
• dead giveaway is the pattern: ## 00 ## 00...

Registry: MSN Messenger (screenshots)
HKEY_CURRENT_USER/Software/Microsoft/MSNMessenger

Always Search for MRU
Many applications keep a list of our Most Recently Used (MRU) files
Registry location and format vary greatly between applications
So, search the registry for the following keywords:
• MRU
• LRU
• Recent

Always Search for MRU
Applications tend to…
• read all the entries, re-sort them and then rewrite them all
• so date-stamps will often all be the same as the most recent file

Always Search for MRU (screenshot)
HKEY_USERS\UserSID\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDoc

More MRU Information
Windows also keeps an MRU on files
These are the files you double-click on using Explorer (the front-end GUI of Windows)
It maintains a list for every extension!
Windows uses a window called “Common Dialog” for selecting a file to open/save
This is the window that pops up, for instance, when you click “save” in Word
This tool remembers up to the last 26 files for every file type you use
• naturally, this is in the registry
• stored in REG_BINARY format
• registry format changed in Windows 7 and 10

MRU In Windows 7 (screenshots)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32

Registry: Internet Explorer
Some obtainable evidence
• IE auto logon and password
• IE search terms
• IE settings
• Typed URLs
• Auto-complete passwords

Registry: Internet Explorer: Typed URLs (screenshot)
HKEY_CURRENT_USER/Software/Microsoft/Internet Explorer/TypedURLs

Registry: IntelliForm
IntelliForm is a built-in feature of Windows utilized by Internet Explorer
Also called “auto complete”
Allows Windows to remember fields on web page forms
Stored in the registry under Protected Storage System Provider

Protected Storage System Provider
• only visible to the “system” account
• located in NTUSER.DAT
• \Software\Microsoft\Protected Storage System Provider
Various tools will reveal its contents
• AccessData Registry Viewer
• Windows Secret Explorer
• Cain & Abel
• Protected Storage PassView

Protected Storage System Provider (screenshot)
HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider

Installed Software (screenshot)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
You can find software that is currently installed on a system
Keys are usually created with installation

Uninstalled Software (screenshot)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstal
You can also determine if software was uninstalled
Keys created with installation are often not deleted

Last Login
Windows keeps track of the last user to log into the system
You can use this:
• to determine who was on the computer last
• when this was – using Registry time stamps (should be consistent with other time stamps)
• … if they logged into Windows – a suspect may have used a boot disk

Last Login (screenshot)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon

Device History
Yes, the Registry stores that too!

Registry: Mounted Devices
Applications can “talk” to devices assigned volume letters such as C:, D:, etc…
The letter is actually mapped to a piece of hardware, e.g. hard drive, CD-ROM, USB drive, etc…

Registry: Mounted Devices
The registry contains this information and how each letter maps to a device
So, for instance, when Microsoft Word wants to save something to E:
• Windows looks up the letter in the Registry
• and sends it to the correct device

Globally Unique Identifiers
Windows records all mounted devices using Globally Unique Identifiers (GUIDs)
These are hash values created by Windows and used for almost everything
Why use them for devices?
• applications may want to talk to a specific device regardless of its letter
• also, letters can be changed

Registry: Mounted Devices (screenshots)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\MountedDevices

When a USB Device is Plugged in…
Windows PnP (plug and play) is notified by the port
Windows asks the device for its name, serial value, etc…
Windows then creates a unique value for the device, locates the correct driver, and updates the registry
This process is also saved in the SetupAPILog file

Registry: USB Devices
The Registry also records all USB devices that have ever been connected to the computer
This information is enumerated in its own location in the Registry
Using time-stamps, you can tell when a suspect USB drive was connected
This can be used to verify timelines or show evidence of data theft

Registry: USB Device History (screenshot)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

Registry: USB Devices
You can map information in "USBStor" with "MountedDevices" to find what drive letter was used
It can be a tad complicated…
• fortunately, there are many tools, like USBDeview, that can interpret the data for you and give nice reports
• however, you must understand the format to verify these tools’ accuracy in Court
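Added example (not code from the slides or from USBDeview): Python that applies the MSN Messenger slide's “## 00 ## 00” test to REG_BINARY data and then uses it to pair a USBSTOR serial with a drive letter from MountedDevices, the mapping the slide above describes. The MountedDevices values are constructed for this example; the assumed layout is the common one where a USB volume's value is a UTF-16LE device path carrying the USBSTOR instance id, while a fixed disk's value is 12 raw bytes.

```python
from typing import Dict, List, Optional


def looks_like_utf16le_text(data: bytes) -> bool:
    """The slide's giveaway pattern: every second byte is 0x00 and the other
    bytes are printable ASCII, optionally ending with a 00 00 terminator."""
    if len(data) < 4 or len(data) % 2:
        return False
    body = data[:-2] if data.endswith(b"\x00\x00") else data
    return bool(body) and all(
        body[i + 1] == 0 and 0x20 <= body[i] < 0x7F for i in range(0, len(body), 2)
    )


def decode_reg_binary_text(data: bytes) -> Optional[str]:
    """Return the text hidden in a REG_BINARY value, or None if it is not text."""
    if not looks_like_utf16le_text(data):
        return None
    return data.decode("utf-16-le").rstrip("\x00")


def _u16(text: str) -> bytes:
    return text.encode("utf-16-le") + b"\x00\x00"


# Constructed MountedDevices content (value name -> REG_BINARY data).
# C: is a fixed disk: MBR signature + partition offset, 12 raw bytes.
# E: and its volume GUID are a USB stick: the value is a UTF-16LE device path whose
# third '#'-separated field is the USBSTOR instance id "<serial>&0" (serial made up here).
USB_PATH = ("_??_USBSTOR#Disk&Ven_Example&Prod_Stick&Rev_1.00"
            "#4C530001234567890123&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
MOUNTED_DEVICES: Dict[str, bytes] = {
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d4" + "0010000000000000"),
    "\\DosDevices\\E:": _u16(USB_PATH),
    "\\??\\Volume{0f4c1ab2-0000-0000-0000-100000000000}": _u16(USB_PATH),
}


def usb_entries(mounted: Dict[str, bytes]) -> Dict[str, str]:
    """Every MountedDevices value whose data decodes as a USBSTOR device path."""
    found = {}
    for name, data in mounted.items():
        text = decode_reg_binary_text(data)
        if text and "USBSTOR#" in text.upper():
            found[name] = text
    return found


def serial_from_usbstor_path(path: str) -> str:
    # "_??_USBSTOR#Disk&Ven_X&Prod_Y&Rev_Z#<serial>&0#{guid}": the serial sits before '&0'
    return path.split("#")[2].split("&")[0]


def drive_letters_for_serial(mounted: Dict[str, bytes], serial: str) -> List[str]:
    """Map a USBSTOR serial (the instance subkey name under Enum\\USBSTOR\\<device>,
    minus the '&0' suffix) to the drive letter(s) it was mounted as."""
    letters = []
    for name, path in usb_entries(mounted).items():
        if name.startswith("\\DosDevices\\") and serial_from_usbstor_path(path) == serial:
            letters.append(name.rsplit("\\", 1)[1])
    return sorted(letters)
```

A letter can be reassigned to a different stick later, so the MountedDevices key's last-write time and the USBSTOR subkey timestamps are still needed to place the match on a timeline.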

USBDeview (screenshot)
Callout on the slide: Date!