Registry Analysis using FRED in Linux Ubuntu 12.04

Carlos Cajigas MSc, EnCE, CFCE, CDFE, A+

The Windows registry is used by the operating system to store information about its configuration, its users, applications and much more. It is an excellent source of evidence for the forensic examiner.

While looking for an open source solution to examine the registry, a colleague of mine recommended the Forensic Registry EDitor (FRED). FRED is a GUI-based registry editor/viewer created by Daniel Gillen with a built-in hex viewer and data interpreter. FRED also has reporting features that provide reports for some of the most popular keys, such as the “RecentDocs” and the “TypedUrls” keys.

Today we will discuss how to use FRED to navigate the registry and to access the reporting features for some of the Windows Registry's most popular keys.
The goal:

The plan is to use a freshly installed version of Windows 7 in a way that will lead to our data being added to the registry. We will accomplish this in our own controlled environment. We will then use FRED to examine our registry. The purpose of creating our own registry is so that we can determine if FRED is actually providing us with accurate results.

For the analysis part of the test, I used an examination computer with Ubuntu 12.04 installed on it.

Controlled Environment:

So that we could create our own registry history from scratch, I began by installing a new Windows 7 Home Premium Operating System on my laptop.

When it came time to set the clock, I selected Eastern Standard Time, as I am currently living on the East Coast of the US. The time zone of the computer is recorded by the registry under the HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation key.

The installation completed and I logged in as user “Carlos”. I gave the laptop an internet connection and opened the Internet Explorer (IE) browser.

IE launched and the “Welcome to IE 8” screen appeared, asking me to set it up. I clicked on the “Ask me Later” button to avoid the setup process. A second tab immediately opened, redirecting me to another Microsoft-owned website.

I waited for the second tab to load, and then typed “www.epyxforensics.com” in the address bar. This is an action that is recorded in the registry under the NTUSER.DAT registry hive belonging to user “Carlos”. To be specific, it is recorded under the NTUSER.DAT\Software\Microsoft\Internet Explorer\TypedURLs key.
After visiting www.epyxforensics.com, I launched Windows Explorer and opened the Penguins.jpg picture located in the “C:\Users\Public\Pictures\Sample Pictures” folder.

Opening the Penguins.jpg picture is another action that is recorded by the NTUSER.DAT registry hive belonging to user “Carlos”. To be specific, it is recorded under the NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs key.

I then closed all windows and shut down the computer. This concludes the controlled environment part of our test. Let's move on to the next part.

Installing the tools:

The tool that we will use for the examination is not included in Ubuntu by default. FRED can be downloaded from the developer's website https://www.pinguin.lu/index.php. If you have a 32-bit machine, download the i386 .deb packages. You will need two packages, fred and fred-reports. As of the date of this writing the latest packages are called “fred_0.1.0beta4_i386.deb” and “fred-reports_0.1.0beta4_i386.deb”. After you have downloaded the appropriate packages, right-click on a package and open it with the Ubuntu Software Center.

After the Ubuntu Software Center opens, click on the install button. You will be prompted for your root password. Enter your root password and wait for the program to install. Repeat the process for the second package.

Now that we have the programs that we need, close the Ubuntu Software Center and let's move on to the next step.

The Examination:

For the examination part of the test, I removed the hard drive from the test laptop and connected it to my Ubuntu examination computer via a USB enclosure.

I did not write-block the hard drive. If you do not have a write-blocker handy, you do not have to use one either; just remember to never connect evidence media to a computer without the use of a previously validated write-blocking procedure. From now on, we will refer to the hard drive containing the Windows 7 installation as our “Test Media.”

Make sure your test media is connected to the computer and open Nautilus. Nautilus is the file manager for the GNOME desktop environment. You can launch Nautilus by left-clicking on the “folder” looking icon in your taskbar. Nautilus displays your connected devices on the top left side of the window. My test media is the one that says “250 GB Filesystem”. Click on the name of your test media to mount it (if it isn't mounted already). By default, Ubuntu mounts its connected devices inside of the “media” folder.

Now open a Terminal window. In Ubuntu you can accomplish this by pressing Ctrl-Alt-T at the same time or by going to the Dash Home and typing in “terminal.”

Once the terminal window is open, type the following into the terminal to determine which devices are currently mounted in your system.

df -h

Notice that my test media was mounted under the “media” folder as 0E86018186016B13.

We are almost ready to use FRED. FRED can be launched by going to the Dash Home and typing in “fred”, or it can be invoked from the command line. Invoking it from the command line is a bit faster, so that's what we will do. Let's use FRED to examine the SYSTEM hive and check the TimeZone setting. To do this we need to go to the directory where the SYSTEM hive is located on the test media. On a Windows 7 operating system the SYSTEM hive is at /Windows/System32/config/.

We will use the cd command to change directory into the config folder. Type the following into the terminal.

cd /media/0E86018186016B13/Windows/System32/config/

Replace “0E86018186016B13” with the directory assigned to your test media. After doing so, press enter.

The dollar sign after config in the prompt indicates that “config” is your current directory, exactly what we wanted.

Now it's time to call FRED. Type the command below into the terminal and press enter. This command points FRED at the SYSTEM hive and causes FRED's graphical user interface to open and display the contents of the SYSTEM hive.

fred SYSTEM

Navigate the hive's directory structure to determine the TimeZone setting: SYSTEM\CurrentControlSet\Control\TimeZoneInformation.

Now let's use FRED to examine the NTUSER.DAT hive to check for TypedURLs and Recent Docs. To do this we need to go to the directory where the user's NTUSER.DAT hive is located on the test media. On a Windows 7 operating system the user's NTUSER.DAT hive is located at /Users/<<user>>/.

We will use the cd command to change directory into the <<user>> folder. Type the following into the terminal.

cd /media/0E86018186016B13/Users/Carlos/

Replace “0E86018186016B13” with the directory assigned to your test media and replace “Carlos” with the user name of the subject in your test or investigation. After doing so, press enter.

Let's call FRED again. Type the command below into the terminal and press enter.

fred NTUSER.DAT

This time we will use the built-in reporting features to determine the TypedURLs. Mouse over to the Reports tab and select “NTUSER”, “TypedUrls.”

This is the report.

Do the same for “Recent Documents”.

You can copy the data from the reports to txt files or print the reports to PDF. And there you have it.
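As an added example (not part of the original article and not FRED's own code), the POSIX shell functions below wrap the two things an examiner wants to check around the procedure above: that the test media is mounted read-only before any hive is opened (a software check that complements, not replaces, the write-blocking caveat above), and where the SYSTEM and per-user NTUSER.DAT hives sit under the mount point, with a SHA-256 recorded for each so the files can be re-hashed after the FRED session. The mount point path and the optional mounts-table argument are assumptions; on a live Ubuntu system the table defaults to /proc/mounts.

```shell
#!/bin/sh
# Added example, not from the article: pre-examination checks for a Windows
# volume mounted under MOUNTPOINT (e.g. /media/0E86018186016B13 in the article).

# mounted_readonly MOUNTPOINT [MOUNTS_TABLE]
# Look up MOUNTPOINT in the mounts table (default /proc/mounts) and return 0
# only if its option list contains "ro". Return 1 if mounted read-write,
# 2 if the mount point is not present in the table at all.
mounted_readonly() {
    mp="$1"
    table="${2:-/proc/mounts}"
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$table")
    [ -n "$opts" ] || { echo "not mounted: $mp" >&2; return 2; }
    case ",$opts," in
        *,ro,*) return 0 ;;
        *) echo "WARNING: $mp is mounted read-write ($opts)" >&2; return 1 ;;
    esac
}

# locate_hives MOUNTPOINT
# Print the SYSTEM hive path, then every user's NTUSER.DAT, one per line.
# Matching is case-insensitive because NTFS paths may be presented in any
# case on Linux; only the primary hive files are listed, not .LOG files.
locate_hives() {
    mp="$1"
    find "$mp" -maxdepth 4 -ipath "$mp/windows/system32/config/system" -type f
    find "$mp" -maxdepth 3 -ipath "$mp/users/*/ntuser.dat" -type f
}

# hash_hives MOUNTPOINT
# Emit "sha256  path" for each hive found, to be saved before opening the
# hives in FRED and compared against a second run afterwards.
hash_hives() {
    locate_hives "$1" | while IFS= read -r hive; do
        sha256sum "$hive"
    done
}
```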

Conclusion:

FRED is a free and easy-to-use registry browser that can quickly provide you with the information that your investigation calls for.

If this procedure worked for your case, and you are able to use it in the course of your investigation, we would like to hear from you. E-mail the author of this article at [email protected].