Windows Registry
Week 3 – Part 1

Windows Registry
A great source of evidence … and headaches

What is the Registry?
Collection of files that, together, form all the settings needed by applications and the operating system
The Registry stores:
• hardware info – ports, disk, etc…
• user information and preferences
• application settings
• … and more
7/23/2018 Sacramento State - Cook - CSc 116 - Summer 2018 3

A Wealth of Evidence
The registry can be searched, and tons of information can be obtained about the user and computer
This includes not only the values but also the times/dates when the data was created

Some Evidence that Can Be Recovered
Devices that were connected to the system
User names and accounts
Personal settings and browser preferences
Web browsing activity
Most recently used files
Programs used

Registry History: Windows 3.1
The “registry” debuted in Windows 95
However, the idea has a long evolution from Windows 3.1 and DOS
Windows 3.1 and DOS use “INI” files
• text files with an easy to read/edit format
• applications often had their own separate files
• these were often stored in the c:\windows folder or elsewhere on the hard drive

INI File Example
[Course]
ID=csc116
Name=Cyber Forensics
Instructor=Devin Cook
; Comments start with a semicolon
[Location]
Building=Riverside Hall
Room=1008
(annotated on the slide: “[Course]” is a Section; “ID=csc116” is a Key & Value)

Registry History: Windows 3.1
Windows 3.1 has two main INI files
• SYSTEM.INI – hardware, drivers, etc…
• WIN.INI – desktop, applications, etc…
Had a precursor to the modern Registry called REG.DAT which contained:
• Object Linking and Embedding (OLE) data
• associated file types with applications

Problems with 3.1
Problems arose:
• proliferation of INI files all over the computer
• slow access – entire text file had to be loaded
• lack of network support
• did not allow multiple user profiles
• very flat format
Modern “registry” was developed to overcome these restrictions

Windows 95 Approach
The Windows 9x/NT 3.5 Registry is composed of a couple of different files
The files are:
• system.dat – system settings (9x, NT)
• user.dat – generic user settings (9x, NT)
• classes.dat – utilized for program associations, context menus and file types (ME only)

95: Multiple User Problem
How does it support multiple users?
If all utilize the same profile
• the information will all be mingled together in the user.dat file
• it will be difficult (if not impossible) to separate the data

95: Multiple User Solution
Windows 9x/NT use user.dat as a “default” account
It is copied for new profiles
In addition, each user has a separate user.dat file
Allows support for multiple users and to add users without starting from scratch

95: Backups
Back-up of the registry is made after each boot
The filenames are as follows
• System.dao (95, 98, ME, NT)
• User.dao (95, 98, ME, NT)
• Rbxxx.cab (98, ME)

Windows 3.1 Settings
Filename     Location    Content
system.ini   \Windows    hardware, drivers, and other vital configuration information
win.ini      \Windows    application settings, desktop, user preferences. Applications often used separate .ini files

Windows 9x Registry
Filename     Location                              Content
user.dat     \Windows and \Windows\profiles\user   User-specific information. There is a different file for each user plus a main default one
system.dat   \Windows                              Protected storage area for all users, all installed programs and their settings, system settings

Windows XP
In Windows XP, Microsoft expanded the Registry quite considerably by adding many of the features from Windows NT
Windows NT was their high-end operating system designed to be secure and robust
Windows 95/98/ME were designed to run older software – legacy support

Windows XP Registry
Filename     Location                         Content
ntuser.dat   \Documents and Settings\user     User-specific information. Different file for each user.
Default      \Windows\system32\config         System settings
SAM          \Windows\system32\config         Security account management
Security     \Windows\system32\config         Security settings
Software     \Windows\system32\config         All installed programs and their settings
System       \Windows\system32\config         System settings

Windows 7/8/10 Registry
Filename     Location                         Content
ntuser.dat   \Users\username                  User-specific information. Different file for each user.
Default      \Windows\system32\config         System settings
SAM          \Windows\system32\config         Security account management
Security     \Windows\system32\config         Security settings
Software     \Windows\system32\config         All installed programs and their settings
System       \Windows\system32\config         System settings

Registry Logical Design

Logical Registry Design
Different files? Different versions? How does it make sense?
The Registry is stored differently depending on the version of Windows
However, for applications, the information is always presented in the same format
This allowed the Registry to evolve smoothly over time

Windows Registry Elements
Data is organized into a logical tree
Information is organized into 5 different “hives”
Some of the hives are collections of data in other hives – so they are "virtual"

Windows Registry Elements
Keys / Subkeys
• define the structure of the registry
• similar to folders in a file system
Values – the data for each subkey
• String (REG_SZ) – single line string value
• Binary (REG_BINARY) – series of bytes
• DWORD (REG_DWORD) – double word, 4 bytes
• Multi-string (REG_MULTI_SZ) – multiple line string
• Expandable string (REG_EXPAND_SZ)

Registry Hives
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG

Registry Hives
HKEY_LOCAL_MACHINE (HKLM)
• contains hardware, drivers, start-up data, services, and machine-specific application data
• most applications will store global settings here
HKEY_USERS (HKU)
• contains information about each user including their folders and user-registry file
• required to locate actual user registry file

Registry Hives
HKEY_CURRENT_USER (HKCU)
• once a user logs in, this key will contain the information from their registry file – ntuser.dat
• applications that want to store user-specific data read and write to this key
• Why? Apps don’t need to know *the* user, just the current one
• Nearly identical to HKEY_LOCAL_MACHINE

Registry Hives: Merged Views
HKEY_CLASSES_ROOT (HKCR)
• classes can be user-specific or applied to all users
• contains merged view of two hives:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes
  • HKEY_CURRENT_USER\SOFTWARE\Classes
HKEY_CURRENT_CONFIG (HKCC)
• information about how the system was booted
• contains merged view of two hives:
  • HKEY_LOCAL_MACHINE\SOFTWARE
  • HKEY_LOCAL_MACHINE\SYSTEM

Windows Registry Security
Security is set by Registry permissions
• in Windows 2000, regedt32.exe must be used
• in Windows XP, regedit.exe can also be used
Two basic permissions available
• Read Only
• Full Control
By default, only the System and Administrators:
• have “full control” permissions
• can also create specific permissions

Windows Security and Relative ID
S-1-5-21-927890586-3685698554-67682326-1005

Windows Security and Relative ID
Windows Registry uses an alphanumeric combination to identify a security group
Security ID (SID)
• identifies the computer system
• SIDs are assigned by the Domain Controller
S-1-5-21-927890586-3685698554-67682326-1005

Dissecting a SID
Relative ID (RID)
• part of the SID used to identify the specific user on the computer system
• it is the last part of the SID
S-1-5-21-927890586-3685698554-67682326-1005
  S-1                               = SID version
  5                                 = Authority
  21-927890586-3685698554-67682326  = Domain or Local Computer
  1005                              = Relative ID
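As an added example (not part of the slides), the following Python splits a SID string into the parts labelled above and derives the HKEY_USERS key name an examiner looks for when the user hive is loaded offline. The well-known RID table and the rule that RIDs of 1000 and above belong to accounts created after installation are standard Windows values rather than something taken from the slides.

```python
from dataclasses import dataclass
from typing import List

# Standard Windows relative IDs (assumption: documented well-known values, not from the slides).
WELL_KNOWN_RIDS = {
    500: "built-in Administrator",
    501: "built-in Guest",
    512: "Domain Admins",
    513: "Domain Users",
}


@dataclass
class SID:
    revision: int             # the "1" in "S-1-...": SID version
    authority: int            # the "5": identifier authority (NT Authority)
    sub_authorities: List[int]

    @property
    def rid(self) -> int:
        # The relative ID is the last sub-authority.
        return self.sub_authorities[-1]

    @property
    def domain_identifier(self) -> str:
        # Everything between the authority and the RID identifies the domain or the local computer.
        return "-".join(str(s) for s in self.sub_authorities[:-1])

    def hku_key(self) -> str:
        # An offline hive has no HKCU; the user's ntuser.dat appears under HKEY_USERS\<SID>.
        return "HKEY_USERS\\" + str(self)

    def __str__(self) -> str:
        subs = "-".join(str(s) for s in self.sub_authorities)
        return "S-%d-%d-%s" % (self.revision, self.authority, subs)


def parse_sid(text: str) -> SID:
    parts = text.strip().split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return SID(revision, authority, subs)


def describe_rid(rid: int) -> str:
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid >= 1000:
        return "account or group created after installation"
    return "reserved well-known RID"


if __name__ == "__main__":
    sid = parse_sid("S-1-5-21-927890586-3685698554-67682326-1005")
    print("domain/computer:", sid.domain_identifier)
    print("RID:", sid.rid, "->", describe_rid(sid.rid))
    print("offline hive key:", sid.hku_key())
```

The SID string alone does not say whether the S-1-5-21 identifier belongs to a domain or to the local machine; that needs the SAM or the domain's own SID for comparison.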

Registry Forensics
Some things to look for

Why Is Mr. Cook Obsessed with Windows?
Windows is the main operating system used on home computers
So, by a large margin, seized computers will
What is the market share?
• market share is hard to measure
• the best avenue is to look at browser usage
Source: http://marketshare.hitslink.com

Platforms: June 2017
Approximately 90.5% use Windows
• Windows XP – 5.7%
• Windows 7 – 49.5%
• Windows 8 – 6.7%
• Windows 10 – 26.8%
Approximately 7.8% use Macintosh
Approximately 1.8% use Linux
Source: http://marketshare.hitslink.com

Editing the Windows Registry
Two native Windows Registry editors available
• Regedt32.exe
• Regedit.exe
These were merged in Windows XP

Difference Between Live and Offline Registry
No HARDWARE hive
• located in HKLM (HKEY_LOCAL_MACHINE)
• dynamic key – created when Windows boots
No virtual hives
• HKCU (HKEY_CURRENT_USER) is actually content in ntuser.dat
• you must search for the correct SID key under HKEY_USERS

Some System Info You Can Get
Computer name
Dynamic disks
Install dates
Last user logged in
Mounted devices
Windows OS product key
Registered owner
Programs run automatically
System’s USB devices

User-Specific Evidence
ntuser.dat (HKEY_CURRENT_USER) is a great source of evidence
Note: everything the computer remembers between sessions is in the registry!
So, anything that Windows remembers for you, it also will remember for the suspect

Registry Forensics
All registry keys contain a last modified time-stamp
• so, you can tell what and when
• not visible with regedit
• there are tools for reading this
Registry also records all devices that have ever been connected to the computer

Registry: MSN Messenger
Some obtainable evidence
• IM groups, contacts, …
• Location of message history files
• Location of saved contact list files
Values are stored in REG_BINARY (bytes)
• this is actually Unicode Text
• dead giveaway is the pattern: ## 00 ## 00...

Registry: MSN Messenger (screenshots)
HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger
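The value types listed under “Windows Registry Elements” and the “## 00 ## 00” giveaway above come together in the decoder below. It is an added example, not code from the slides: it decodes each documented value type from its raw bytes and, for REG_BINARY, applies the every-second-byte-is-zero heuristic to recognise UTF-16LE text hiding in a binary value. The sample values are constructed, not taken from any real hive.

```python
import struct
from typing import Any, List, Tuple


def decode_reg_dword(data: bytes) -> int:
    # REG_DWORD: exactly 4 bytes, little-endian.
    if len(data) != 4:
        raise ValueError("REG_DWORD must be exactly 4 bytes")
    return struct.unpack("<I", data)[0]


def decode_reg_sz(data: bytes) -> str:
    # REG_SZ / REG_EXPAND_SZ: UTF-16LE text, normally NUL-terminated.
    # Offline, %VARIABLES% in REG_EXPAND_SZ are deliberately left unexpanded.
    return data.decode("utf-16-le").split("\x00", 1)[0]


def decode_reg_multi_sz(data: bytes) -> List[str]:
    # REG_MULTI_SZ: NUL-separated UTF-16LE strings, ended by an extra NUL.
    return [s for s in data.decode("utf-16-le").split("\x00") if s]


def looks_like_utf16_text(data: bytes, min_chars: int = 3) -> bool:
    # The slides' "## 00 ## 00 ..." pattern: every odd byte is zero and the
    # even bytes are printable ASCII (or a terminating NUL).
    if len(data) < 2 * min_chars or len(data) % 2:
        return False
    low, high = data[0::2], data[1::2]
    return all(b == 0 for b in high) and all(b == 0 or 0x20 <= b < 0x7F for b in low)


def decode_reg_binary(data: bytes) -> Tuple[str, Any]:
    # Returns ("text", str) when the heuristic fires, otherwise ("bytes", hex dump).
    if looks_like_utf16_text(data):
        return ("text", decode_reg_sz(data))
    return ("bytes", data.hex(" "))


DECODERS = {
    "REG_SZ": decode_reg_sz,
    "REG_EXPAND_SZ": decode_reg_sz,
    "REG_DWORD": decode_reg_dword,
    "REG_MULTI_SZ": decode_reg_multi_sz,
    "REG_BINARY": decode_reg_binary,
}


def decode_value(reg_type: str, data: bytes) -> Any:
    if reg_type not in DECODERS:
        raise ValueError(f"unsupported value type {reg_type}")
    return DECODERS[reg_type](data)


# Constructed sample values (not from a real hive), one per documented type.
SAMPLE_VALUES = [
    ("REG_SZ", "C:\\Program Files\\Example".encode("utf-16-le") + b"\x00\x00"),
    ("REG_DWORD", (1).to_bytes(4, "little")),
    ("REG_MULTI_SZ", "one\x00two\x00\x00".encode("utf-16-le")),
    ("REG_BINARY", "user@example.com".encode("utf-16-le")),  # text stored as REG_BINARY
    ("REG_BINARY", bytes.fromhex("01 02 03 04")),            # genuinely binary
]


def decode_samples() -> List[Any]:
    return [decode_value(t, d) for t, d in SAMPLE_VALUES]


if __name__ == "__main__":
    for (t, _), decoded in zip(SAMPLE_VALUES, decode_samples()):
        print(f"{t:14} -> {decoded!r}")
```

The heuristic is conservative on purpose: a short DWORD such as 01 00 00 00 also has zero odd bytes, so a minimum length and a printable-ASCII check keep it from being reported as text.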

Always Search for MRU
Many applications keep a list of our Most Recently Used (MRU) files
Registry location and format varies greatly between applications
So, search the registry for the following keywords:
• MRU
• LRU
• Recent

Always Search for MRU
Applications tend to…
• read all the entries, re-sort them and then rewrite them all
• so date-stamps will often all be the same as the most recent file

Always Search for MRU (screenshot)
HKEY_USERS\UserSID\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
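Two points from the slides above, that every key carries a last-write time-stamp regedit does not show, and that MRU rewrites leave many keys with the same time-stamp, can be checked with the added Python below (not code from the slides). Registry key time-stamps are Windows FILETIME values, 100-nanosecond ticks since 1601-01-01 UTC; the converter handles those, and the grouping function flags keys whose time-stamps are identical so an examiner does not read them as separate events. The key paths and tick values in the sample are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

# FILETIME: 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(ticks: int) -> datetime:
    # Integer division keeps the arithmetic exact (sub-microsecond ticks are dropped).
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_from_bytes(raw: bytes) -> int:
    # On disk the time-stamp is an 8-byte little-endian integer.
    if len(raw) != 8:
        raise ValueError("FILETIME is 8 bytes")
    return struct.unpack("<Q", raw)[0]


def key_timeline(keys: Iterable[Tuple[str, int]]) -> List[Tuple[str, str]]:
    # (ISO timestamp, key path) pairs, newest first.
    rows = sorted(((filetime_to_datetime(t), path) for path, t in keys), reverse=True)
    return [(dt.isoformat(), path) for dt, path in rows]


def shared_timestamps(keys: Iterable[Tuple[str, int]]) -> Dict[int, List[str]]:
    # Keys that share one last-write time were almost certainly rewritten together
    # (the MRU re-sort behaviour described on the slide), not used at the same instant.
    groups: Dict[int, List[str]] = {}
    for path, t in keys:
        groups.setdefault(t, []).append(path)
    return {t: paths for t, paths in groups.items() if len(paths) > 1}


# Constructed sample: three per-extension RecentDocs subkeys rewritten in one go,
# plus an unrelated key touched two hours earlier.
T_REWRITE = datetime_to_filetime(datetime(2018, 7, 23, 15, 0, tzinfo=timezone.utc))
T_EARLIER = T_REWRITE - 2 * 3600 * TICKS_PER_SECOND
RECENTDOCS = "HKEY_USERS\\<SID>\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs"
SAMPLE_KEYS = [
    (RECENTDOCS + "\\.docx", T_REWRITE),
    (RECENTDOCS + "\\.pdf", T_REWRITE),
    (RECENTDOCS + "\\.xlsx", T_REWRITE),
    ("HKEY_USERS\\<SID>\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths", T_EARLIER),
]

if __name__ == "__main__":
    for stamp, path in key_timeline(SAMPLE_KEYS):
        print(stamp, path)
    for ticks, paths in shared_timestamps(SAMPLE_KEYS).items():
        print("rewritten together at", filetime_to_datetime(ticks).isoformat(), len(paths), "keys")
```

Assert on the well-known anchor, 116444736000000000 ticks being the Unix epoch, to check the converter before trusting it against a tool's output.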

More MRU Information
Windows also keeps a MRU on files
These are the files you double-click on using Explorer (the front-end GUI of Windows)
It maintains a list for every extension!
Windows uses a window called “Common Dialog” for selecting a file to open/save
This is the window that pops up, for instance, when you click “save” in Word
This tool remembers up to the last 26 files for every file type you use
• naturally, this is in the registry
• stored in REG_BINARY format
• registry format changed in Windows 7 and 10

MRU In Windows 7 (screenshots)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
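The RecentDocs and ComDlg32 lists above share one ordering mechanism: an MRUListEx value holding little-endian DWORD indexes, most recent first, terminated by 0xFFFFFFFF, with the numbered values it points at holding the entries. In RecentDocs each numbered value starts with the UTF-16LE file name followed by shell item data. The added Python below (not code from the slides) parses the ordering value and recovers the names in MRU order; the sample key is constructed, with placeholder bytes standing in for the shell item that follows each name.

```python
import struct
from typing import Dict, List


def parse_mrulistex(data: bytes) -> List[int]:
    # MRUListEx: array of little-endian DWORD indexes, most recent first, ended by 0xFFFFFFFF.
    if len(data) % 4:
        raise ValueError("MRUListEx length must be a multiple of 4")
    order: List[int] = []
    for (idx,) in struct.iter_unpack("<I", data):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def recentdocs_name(data: bytes) -> str:
    # The file name is UTF-16LE and ends with a two-byte NUL on an even offset;
    # searching byte-wise would stop early inside a character such as 't' (74 00 | 00 ...).
    for i in range(0, len(data) - 1, 2):
        if data[i:i + 2] == b"\x00\x00":
            return data[:i].decode("utf-16-le")
    raise ValueError("no UTF-16 terminator found")


def recent_files(key: Dict[str, bytes]) -> List[str]:
    # Walk the entries in MRU order; a dangling index is reported rather than skipped.
    names: List[str] = []
    for idx in parse_mrulistex(key["MRUListEx"]):
        raw = key.get(str(idx))
        names.append(recentdocs_name(raw) if raw is not None else f"<missing entry {idx}>")
    return names


def make_recentdocs_value(name: str) -> bytes:
    # Constructed entry: real values carry a shell item after the name; here a
    # placeholder of the same general shape (2-byte size, then bytes) stands in.
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00" + bytes(18)


# Constructed RecentDocs\.ext key: value name -> REG_BINARY data.
SAMPLE_RECENTDOCS = {
    "0": make_recentdocs_value("budget.xlsx"),
    "1": make_recentdocs_value("notes.txt"),
    "2": make_recentdocs_value("report.docx"),
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
}

if __name__ == "__main__":
    for rank, name in enumerate(recent_files(SAMPLE_RECENTDOCS), 1):
        print(rank, name)
```

Because the whole MRUListEx value is rewritten on every change, the order it encodes is the only reliable recency signal here; the key's single last-write time-stamp dates the latest rewrite, not each file.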

Registry: Internet Explorer
Some obtainable evidence
• IE auto logon and password
• IE search terms
• IE settings
• Typed URLs
• Auto-complete passwords

Registry: Internet Explorer: Typed URLs (screenshot)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs

Registry: IntelliForm
IntelliForm is a built-in feature of Windows utilized by Internet Explorer
Also called “auto complete”
Allows Windows to remember fields on web page forms
Stored in the registry under Protected Storage System Provider

Protected Storage System Provider
• only visible to the “system” account
• located in NTUSER.DAT
• \Software\Microsoft\Protected Storage System Provider
Various tools will reveal contents
• AccessData Registry Viewer
• Windows Secret Explorer
• Cain & Abel
• Protected Storage PassView

Protected Storage System Provider (screenshot)
HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider

Installed Software
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
You can find software that is currently installed on a system
Keys are usually created with installation

Uninstalled Software
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
You can also determine if software was uninstalled
Keys that are created with installation are often not deleted

Last Login
Windows keeps track of the last user to log into the system
You can use this:
• to determine who was on the computer last
• when this was – using Registry time stamps (should be consistent with other time stamps)
• … if they logged into Windows – a suspect may have used a boot disk

Last Login (screenshot)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon

Device History
Yes, the Registry stores that too!

Registry: Mounted Devices
Applications can “talk” to devices assigned volume letters such as: C:, D:, etc…
Letter is actually mapped to a piece of hardware, e.g. hard drive, CD-ROM, USB drive, etc…

Registry: Mounted Devices
The registry contains this information and how each letter maps to a device
So, for instance, when Microsoft Word wants to save something to E:
• Windows looks up the letter in the Registry
• and sends it to the correct device

Globally Unique Identifiers
Windows records all mounted devices using Globally Unique Identifiers (GUIDs)
These are hash values created by Windows and used for almost everything
Why use them for devices?
• applications may want to talk to a specific device regardless of its letter.
• also, letters can be changed.

Registry: Mounted Devices (screenshots)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\MountedDevices

When a USB Device is Plugged in….
Windows PnP (plug and play) is notified by the port
Windows asks the device for its name, serial value, etc…
Windows then creates a unique value for the device, locates the correct driver, and updates the registry
This process is also saved in the SetupAPI log file

Registry: USB Devices
Registry also records all USB devices that have ever been connected to the computer
This information is enumerated in its own location in the Registry
Using time-stamps, you can tell when a suspect USB Drive was connected
This can be used to verify timelines or show evidence of data theft

Registry: USB Device History (screenshot)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

Registry: USB Devices
You can map information in "USBStor" with "MountedDevices" to find what drive letter was used
It can be a tad complicated….
• fortunately, there are many tools, like USBDeview, that can interpret the data for you and give nice reports
• however, you must understand the format for verifying these tools’ accuracy in Court

USBDeview (screenshot, annotated: Date!)
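The USBSTOR-to-MountedDevices mapping the slides describe, and which the tools they mention automate, is carried out by hand in the added Python below (not code from the slides or from USBDeview). In MountedDevices, a \DosDevices\E: or \??\Volume{...} value for a USB disk holds a UTF-16LE device path containing the same SERIAL&0 instance id that names the device's subkey under Enum\USBSTOR, while a fixed MBR disk's value is 12 bytes (4-byte disk signature plus 8-byte partition offset). The vendor, product, serial and volume GUID values in the sample are constructed; the {53f56307-...} suffix is the standard disk device-interface class GUID, an assumption about what real entries carry.

```python
import re
from typing import Any, Dict, List, Tuple

# Standard disk device-interface class GUID (assumption: appears at the end of real USBSTOR paths).
DISK_INTERFACE_GUID = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"

USBSTOR_RE = re.compile(
    r"USBSTOR#Disk&Ven_(?P<ven>[^&#]*)&Prod_(?P<prod>[^&#]*)&Rev_(?P<rev>[^#]*)#(?P<instance>[^#]*)#"
)


def decode_mounted_value(data: bytes) -> Tuple[str, Any]:
    # Heuristic on the value's shape: 12 bytes is an MBR disk entry, an even-length
    # buffer whose odd bytes are all zero is UTF-16LE text, anything else is left raw.
    if len(data) == 12:
        sig = int.from_bytes(data[:4], "little")
        offset = int.from_bytes(data[4:], "little")
        return ("mbr", {"signature": f"{sig:08x}", "offset": offset})
    if len(data) % 2 == 0 and data and all(b == 0 for b in data[1::2]):
        return ("path", data.decode("utf-16-le").rstrip("\x00"))
    return ("raw", data.hex(" "))


def usb_instances_from_mounted(mounted: Dict[str, bytes]) -> Dict[str, Dict[str, List[str]]]:
    # instance id ("SERIAL&0") -> drive letters and volume GUIDs that pointed at it
    result: Dict[str, Dict[str, List[str]]] = {}
    for name, data in mounted.items():
        kind, value = decode_mounted_value(data)
        if kind != "path":
            continue
        m = USBSTOR_RE.search(value)
        if not m:
            continue
        entry = result.setdefault(m.group("instance"), {"letters": [], "volumes": []})
        if name.startswith("\\DosDevices\\"):
            entry["letters"].append(name[len("\\DosDevices\\"):])
        elif name.startswith("\\??\\Volume"):
            entry["volumes"].append(name[len("\\??\\"):])
    return result


def correlate(usbstor: Dict[str, Dict[str, Dict[str, str]]],
              mounted: Dict[str, bytes]) -> List[Dict[str, Any]]:
    # One row per USBSTOR instance; devices never assigned a letter still appear with empty lists.
    by_instance = usb_instances_from_mounted(mounted)
    rows: List[Dict[str, Any]] = []
    for device_id, instances in usbstor.items():
        for instance_id, values in instances.items():
            hits = by_instance.get(instance_id, {"letters": [], "volumes": []})
            rows.append({
                "device": device_id,
                "serial": instance_id.split("&")[0],
                "friendly_name": values.get("FriendlyName", ""),
                "letters": sorted(hits["letters"]),
                "volumes": sorted(hits["volumes"]),
            })
    return rows


# Constructed sample of HKLM\SYSTEM\CurrentControlSet\MountedDevices (value name -> REG_BINARY).
USB_PATH = ("\\??\\USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP#001CC0EC34C5EB91&0#"
            + DISK_INTERFACE_GUID)
SAMPLE_MOUNTED = {
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d4") + (1048576).to_bytes(8, "little"),
    "\\DosDevices\\E:": USB_PATH.encode("utf-16-le"),
    "\\??\\Volume{7a1f0c2e-0000-0000-0000-100000000000}": USB_PATH.encode("utf-16-le"),
}
# Constructed sample of HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR (device id -> instance -> values).
SAMPLE_USBSTOR = {
    "Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP": {
        "001CC0EC34C5EB91&0": {"FriendlyName": "Kingston DataTraveler USB Device"}},
    "Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26": {
        "4C530001230515117052&0": {"FriendlyName": "SanDisk Cruzer USB Device"}},
}

if __name__ == "__main__":
    for row in correlate(SAMPLE_USBSTOR, SAMPLE_MOUNTED):
        print(row["serial"], row["friendly_name"], row["letters"] or "(no letter recorded)")
```

A device with an empty letters list was enumerated but never had a letter recorded in this hive, which is itself worth noting in a timeline; the letter-to-device link only proves the assignment, not when the device was last present, so pair it with the USBSTOR key time-stamps as the slides suggest.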