Windows Registry

A “hierarchical database” used to store, maintain, and manage configuration and user activity data.

Component of Windows operating systems (OS)
Every time new hardware is installed, user preferences are changed, or software
is installed, this information is stored in the registry.

What can WINDOWS REGISTRY tell us?
  • Usernames and passwords for programs, email and Internet sites
  • A history of Internet sites accessed, including date and time
  • A record of Internet queries
  • Lists of recently opened/saved/accessed files (ex. documents and images)
  • A list of all programs installed on the system
  • When new hardware is installed, user preferences are changed, or software is installed, information is stored in the registry

STRUCTURE OF THE REGISTRY

  • ROOT KEY:  5 main root keys (hives) in the Registry database.  Each root contains a collection of keys, subkeys and values (their names all begin with HKEY).
  • KEYS:  Each root key contains one or more keys.  Keys that reside within other keys are referred to as subkeys.
  • VALUE ENTRY:  The value is the object that contains the actual data.

The Windows Registry consists of six root keys, each of which contains data that is both user and hardware specific.

HKEY_CLASSES_ROOT (HKCR): File name extension associations that tell the operating system what to do when a certain file type is opened

HKEY_CURRENT_USER (HKCU): Information for the user currently logged into the system, such as network connections, printers, desktop settings

HKEY_LOCAL_MACHINE (HKLM): System-wide information (affecting every user): hardware and software configurations, boot settings and security related information

HKEY_USERS (HKU): User-specific information for all currently active users on the system, such as mapped drives, installed printers, and desktop settings.

HKEY_CURRENT_CONFIG (HKCC): Information concerning the current hardware configuration; is actually a shortcut to system information contained within subkeys in HKEY_LOCAL_MACHINE


HIVES

The Windows OS stores the registry in files known as “hives.” Multiple hives exist and each contains certain hive bins (hbin) with registry keys, subkeys, and values.  

Most of the supporting files for the hives are within the C:\WINDOWS\System32\Config directory (only Ntuser is not).

Registry keys and Hive files

HKEY_CURRENT_CONFIG: System, System.alt, System.log, System.sav

HKEY_CURRENT_USER: Ntuser.dat, Ntuser.dat.log

HKEY_LOCAL_MACHINE\SAM: Sam, Sam.log, Sam.sav

HKEY_LOCAL_MACHINE\Security: Security, Security.log, Security.sav

HKEY_LOCAL_MACHINE\Software: Software, Software.log, Software.sav

HKEY_LOCAL_MACHINE\System: System, System.alt, System.log, System.sav

HKEY_USERS\.DEFAULT: Default, Default.log, Default.sav

Extension:
None = Hive file
.alt = Backup of the hive file
.log = Transaction log of changes to a hive
.sav = Copy of the file made during Windows setup


HIVE STRUCTURE

The base block includes global information about the hive: a file signature “regf” that identifies the file as a hive, updated sequence numbers, a time stamp that shows the last time a write operation was initiated on the hive, information on registry repair or recovery performed by Winload, the hive format version number, a checksum, and the hive file’s internal file name.

When a cell must be added and no free space holds it, the hive grows by a bin. A bin is the size of the new cell rounded up to the next block or page boundary, whichever is higher. The system considers any space between the end of the cell and the end of the bin to be free space that it can allocate to other cells. Bins also have headers that contain a file signature “hbin” and a field that records the offset into the hive file of the bin and the bin’s size.
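As an added illustration of the base block and bin layout just described (example code written for this page, not from RegRipper or any other tool named here): the script below builds a small synthetic hive in memory, verifies the "regf" and "hbin" signatures, computes the base-block checksum, compares the two sequence numbers to decide whether the hive was cleanly written, converts the last-write FILETIME, and walks the cells of the first bin to tell allocated cells from free space. Field offsets follow the public hive format; the hive bytes, the file name SAMPLE_HIVE and the timestamp are all constructed sample data.

```python
"""Parse the "regf" base block and the first "hbin" of a registry hive.
Added example for this page; the hive bytes are constructed in memory."""
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 4096   # the base block is always the first 4 KiB of the file
HBIN_HEADER_SIZE = 32
SAMPLE_BIN_SIZE = 4096   # bins are rounded up to a 4 KiB page boundary


def filetime_to_datetime(ft):
    """FILETIME is 100-nanosecond ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def base_block_checksum(data):
    """XOR of the first 508 bytes read as 127 DWORDs; Windows maps the two
    degenerate results (0 and 0xFFFFFFFF) to 1 and 0xFFFFFFFE."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", data[:508]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x or 1


def parse_base_block(data):
    """Return the base-block fields a forensic triage cares about."""
    if data[:4] != b"regf":
        raise ValueError("missing regf signature: not a hive file")
    (seq1, seq2, ts, major, minor, _ftype, _fformat,
     root_off, hbins_size) = struct.unpack_from("<IIQIIIIII", data, 4)
    stored_sum, = struct.unpack_from("<I", data, 508)
    name = data[48:112].decode("utf-16-le").split("\x00", 1)[0]
    return {
        "primary_seq": seq1,
        "secondary_seq": seq2,
        # The primary number is bumped before a write and the secondary after
        # it; a mismatch means the last write never completed, so the .log
        # transaction log may hold data the hive file itself does not.
        "dirty": seq1 != seq2,
        "last_written": filetime_to_datetime(ts),
        "version": f"{major}.{minor}",
        "root_cell_offset": root_off,      # relative to the end of the base block
        "hbins_data_size": hbins_size,
        "file_name": name,
        "checksum_ok": stored_sum == base_block_checksum(data),
    }


def parse_hbin_header(data, offset):
    """Read the bin signature, its offset relative to the bin area, and its size."""
    if data[offset:offset + 4] != b"hbin":
        raise ValueError(f"no hbin signature at {offset:#x}")
    rel_off, size = struct.unpack_from("<II", data, offset + 4)
    return {"relative_offset": rel_off, "size": size}


def iter_cells(data, bin_offset, bin_size):
    """Walk the cells of one bin. Each cell starts with a signed size:
    negative = allocated, positive = free space the kernel may reuse."""
    pos, end = bin_offset + HBIN_HEADER_SIZE, bin_offset + bin_size
    while pos < end:
        size, = struct.unpack_from("<i", data, pos)
        if size == 0:
            raise ValueError(f"zero-length cell at {pos:#x}")
        yield {"offset": pos, "size": abs(size), "allocated": size < 0}
        pos += abs(size)


def build_sample_hive(dirty=False):
    """Constructed hive: base block + one bin holding an 80-byte allocated
    cell (contents not modelled) followed by one free cell."""
    hdr = bytearray(BASE_BLOCK_SIZE)
    hdr[:4] = b"regf"
    struct.pack_into("<IIQIIIIII", hdr, 4,
                     7, 6 if dirty else 7,          # sequence numbers
                     132_223_104_000_000_000,        # 2020-01-01 00:00:00 UTC
                     1, 5,                           # hive format 1.5
                     0, 1,                           # type primary, format direct memory load
                     0x20, SAMPLE_BIN_SIZE)          # root cell offset, hbins data size
    name = "SAMPLE_HIVE".encode("utf-16-le")         # constructed file name
    hdr[48:48 + len(name)] = name
    struct.pack_into("<I", hdr, 508, base_block_checksum(hdr))

    hbin = bytearray(SAMPLE_BIN_SIZE)
    hbin[:4] = b"hbin"
    struct.pack_into("<II", hbin, 4, 0, SAMPLE_BIN_SIZE)
    struct.pack_into("<i", hbin, HBIN_HEADER_SIZE, -80)             # allocated cell
    struct.pack_into("<i", hbin, HBIN_HEADER_SIZE + 80,
                     SAMPLE_BIN_SIZE - HBIN_HEADER_SIZE - 80)       # free remainder
    return bytes(hdr + hbin)


if __name__ == "__main__":
    hive = build_sample_hive()
    print(parse_base_block(hive))
    print(parse_hbin_header(hive, BASE_BLOCK_SIZE))
    print(list(iter_cells(hive, BASE_BLOCK_SIZE, SAMPLE_BIN_SIZE)))
```

The same functions work on a real hive copied out of an image (read the file as bytes and call parse_base_block on it); the "dirty" flag is the practical check to run first, since a hive whose sequence numbers disagree was mid-write when the system stopped and its .log file should be parsed alongside it.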


**Portions of the Windows Registry are “volatile” and do not exist on disk when the system is shut down.** Thus, there may be valuable data that does not exist within an acquired image and must be collected while the system is still running!!

EXAMPLES OF VOLATILE REGISTRY DATA

HKEY_CURRENT_USER hive: When you shut your system down and analyze an acquired image, you won't find this hive. That's because this hive is populated by using the information of the user who's logged into the system.

HKEY_LOCAL_MACHINE\Hardware key and subkeys: Stores information regarding the devices connected to the system (examples include mouse, keyboard, hard drive, etc.); this information is populated when the system boots up.

Question:  Can you search for the file HKEY_CURRENT_USER on a suspect’s
hard drive?
Answer:  No, because these registry keys exist only while Windows is running.

**Be aware that with each version of Windows, there are some changes to what information 
can be found in the Registry, where the information can be found and in what format.**

On Windows 2000 and XP systems, the registry information is primarily stored in
the following files:  SAM, SYSTEM, SECURITY, SOFTWARE, and NTUSER.DAT.

On Windows 7, the registry information is stored in the following files:  SAM, SECURITY,
SOFTWARE, SYSTEM, NTUSER.DAT, DEFAULT, and UsrClass.dat.

On Windows 8, the registry information is stored in the following files: SAM, SECURITY,
SOFTWARE, SYSTEM, NTUSER.DAT, DEFAULT, UsrClass.dat, settings.dat, ELAM, BBI, DRIVERS, Components, BCD Template.

How do you get to the Windows Registry?
  • Most of the time you will use a commercial forensic analysis application to interact with the Registry
  • Main core system Registry hive files can be found in the Windows\system32\config directory
  • Start -> Run -> Type “Regedit”

ANALYZING THE REGISTRY HIVES

1. Extract the hives from your disk image
Ex. Use FTK Imager to mount your disk image and copy the hive
files to your machine for analysis.

2. Use a registry parsing tool to extract relevant information from the hives
Ex. RegRipper tool (most popular)
Also Registry Decoder, AccessData FTK, Guidance EnCase, Python-Registry

RegRipper isn’t simply a registry viewer, but uses plug-ins to extract information from different 
keys and then translate that information into something that is readable.

What information can the registry provide?

1-Time:  Timezone and daylight savings information is stored

2-Autorun locations:  Often used by intruders to ensure their malware functions
after a system reboot

3-Most Recently Used (MRU) lists:  List of programs and documents that were last 
  opened/saved/accessed by the system or user.

4-Wireless Networks:  WAPs can be identified by their SSIDs and MAC addresses,
which are recorded within the registry.

5-Insertion of Devices:  Info for insertion of devices, such as USB keys, are stored within
the registry.

6-Last Write Time (LWT):  The LWT is updated when a Key is created, modified, or accessed. Only the LWT of a Key can be obtained, not the LWT of a particular value. Knowing the LWT of a Key lets you infer the approximate date or time an event occurred.
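As an added illustration of the Last Write Time point (example code written for this page, not from RegRipper or any other tool named here): each key's "nk" record carries a single FILETIME, and values carry none, so the script below reads that timestamp, the key name and the subkey/value counts out of key-node cells and sorts the keys into a timeline. The record offsets follow the public hive format; the three key names, their counts and their timestamps are constructed sample data, and the helper that builds the cells fills in only the fields the parser reads.

```python
"""Extract the Last Write Time and name from key node ("nk") cells and
order keys into a timeline. Added example for this page; the cells are
constructed in memory, not read from a real hive."""
import struct
from datetime import datetime, timedelta, timezone

KEY_COMP_NAME = 0x0020   # nk flag: key name stored as 8-bit characters
NK_FIXED_SIZE = 76       # bytes of the record before the variable-length name


def filetime_to_datetime(ft):
    """FILETIME is 100-nanosecond ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_nk_cell(data, offset):
    """offset points at the signed cell size that precedes the nk record."""
    cell_size, = struct.unpack_from("<i", data, offset)
    if cell_size >= 0:
        raise ValueError(f"cell at {offset:#x} is free, not an allocated key")
    rec = offset + 4
    if data[rec:rec + 2] != b"nk":
        raise ValueError(f"cell at {offset:#x} is not a key node")
    flags, last_write = struct.unpack_from("<HQ", data, rec + 2)   # the key's LWT
    n_subkeys, = struct.unpack_from("<I", data, rec + 20)
    n_values, = struct.unpack_from("<I", data, rec + 36)
    name_len, = struct.unpack_from("<H", data, rec + 72)
    raw = data[rec + NK_FIXED_SIZE:rec + NK_FIXED_SIZE + name_len]
    name = raw.decode("latin-1") if flags & KEY_COMP_NAME else raw.decode("utf-16-le")
    return {
        "cell_size": -cell_size,
        "name": name,
        "last_write": filetime_to_datetime(last_write),
        "subkeys": n_subkeys,
        "values": n_values,
    }


def walk_keys(data):
    """Parse back-to-back nk cells (the layout produced by build_sample_cells)."""
    keys, pos = [], 0
    while pos < len(data):
        keys.append(parse_nk_cell(data, pos))
        pos += keys[-1]["cell_size"]
    return keys


def key_timeline(data):
    """(timestamp, key name) pairs ordered by Last Write Time."""
    return sorted((k["last_write"].isoformat(), k["name"]) for k in walk_keys(data))


def build_nk_cell(name, last_write_ft, compressed=True, subkeys=0, values=0):
    """Construct one allocated nk cell (hypothetical helper for this example).
    Only the fields parse_nk_cell reads are filled in."""
    body = bytearray(NK_FIXED_SIZE)
    body[:2] = b"nk"
    raw = name.encode("latin-1") if compressed else name.encode("utf-16-le")
    struct.pack_into("<HQ", body, 2, KEY_COMP_NAME if compressed else 0, last_write_ft)
    struct.pack_into("<I", body, 20, subkeys)
    struct.pack_into("<I", body, 36, values)
    struct.pack_into("<H", body, 72, len(raw))
    body += raw
    total = (4 + len(body) + 7) & ~7          # cells are 8-byte aligned
    return (struct.pack("<i", -total) + bytes(body)).ljust(total, b"\x00")


T0 = 132_223_104_000_000_000   # FILETIME for 2020-01-01 00:00:00 UTC (constructed)
TICKS_PER_SEC = 10_000_000


def build_sample_cells():
    """Three constructed keys whose names echo artefact types listed on this page."""
    return b"".join([
        build_nk_cell("Run", T0 + 3600 * TICKS_PER_SEC, values=2),
        build_nk_cell("MountedDevices", T0 + 1800 * TICKS_PER_SEC, values=5),
        build_nk_cell("Uninstall", T0 + 7200 * TICKS_PER_SEC, subkeys=3),
    ])


if __name__ == "__main__":
    for when, name in key_timeline(build_sample_cells()):
        print(when, name)
```

Because the timestamp belongs to the key, the timeline can only say when the key as a whole last changed: a Run key with two values shows one LWT, not one per value, which is exactly the limitation stated above.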