Post on 05-Feb-2020

Mississippi State University Digital Forensics 1

Analysis of the Windows Registry

Alex Applegate

Overview

•  The Windows Registry
•  Registry Hives
•  Registry File Layout
•  Important Registry Keys
•  Shellbags

The Windows Registry

Not this kind of registry…

The Windows Registry

•  Tree-style database used by almost every part of the Windows operating system
   –  Hive
      •  Keys
         –  Key Value or Subkey
            »  Subkey Value
   –  Each hive may have its own file in the file system
   –  Some hives only exist in system memory

Registry Hives

•  Not this kind of hive…

Registry Hives

•  %SystemRoot%\System32\Config
   –  System registry area
   –  Is a directory that contains multiple files
•  %UserProfile%\NTUSER.dat
   –  User registry file
•  Most Common Hives
   –  HKEY_CLASSES_ROOT
   –  HKEY_CURRENT_USER
   –  HKEY_LOCAL_MACHINE

System Hive Files in Windows Explorer

User Hive in Windows Explorer

Hives in Regedit

Registry File Layout

•  Official format never released by Microsoft
•  Each hive is broken into 4096-byte blocks
•  First block in a hive is always a “base block”
•  Data is represented in “cells”
   –  A field at the beginning of the cell describes whether it is a key, value, subkey list, or subkey
•  A “cell index” is the offset of a particular cell inside the hive relative to the first bin

Registry File Hive Block

Source: http://www.codeproject.com/Articles/24415/How-to-read-dump-compare-registry-hives

Registry File Layout (cont’d)

•  The first bin always begins immediately after the base block

•  Each hive contains a root cell at the beginning that holds the lists of keys and key values of the top level

•  Each key in the registry maintains a list of any subkeys subordinate to it in a subkey list

•  All the values for a particular key are maintained in an associated value list

Registry Keys

•  Not these kinds of keys (is this getting old yet?)

Important Registry Keys

•  HKCU = HKEY_Current_User, HKLM = HKEY_Local_Machine
•  Recently run programs via the Run command
   –  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
•  Typed URLs in Internet Explorer
   –  HKCU\Software\Microsoft\Windows\Internet Explorer\TypedURLs
•  Programs That Run at Startup
   –  HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce
   –  HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
   –  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   –  HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
   –  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   –  HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
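The following is an added example, not code from the slides or from any tool the course uses. It implements the hive layout described in the Registry File Layout slides in Python: it reads the base block to find the root cell, resolves cell indexes relative to the first bin (which begins at file offset 4096, right after the base block), decodes key (nk) cells, subkey (lf/lh) lists and value (vk) cells, and then looks up HKCU\Software\Microsoft\Windows\CurrentVersion\Run by path, the way an examiner would pull a startup key out of an offline NTUSER.DAT. Because Microsoft never published the format, the field offsets used here are the ones the forensics community reverse-engineered; the hive image it parses is constructed in memory so the example runs offline, and the root key name ROOT, the value name Agent and the path C:\Tools\agent.exe are made-up sample data, not anything from a real system.

```python
# Added example (not from the slides): a minimal parser for the hive layout above (regf base block,
# 4096-byte bins, cells addressed by index from the first bin) and a lookup of the HKCU Run key.
import struct
from datetime import datetime, timedelta, timezone

BLOCK, HBIN_HDR, NK_HDR, NONE = 4096, 32, 0x4C, 0xFFFFFFFF   # NONE: "no cell" marker
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)            # FILETIME epoch (100 ns units)

def filetime_to_dt(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

class Hive:
    def __init__(self, data):
        if data[:4] != b'regf':
            raise ValueError('not a registry hive: missing regf signature')
        self.data = data
        self.root_cell = struct.unpack_from('<I', data, 0x24)[0]   # cell index of the root key

    def cell(self, index):
        # The first bin starts right after the base block, so index = file offset - BLOCK.
        off = BLOCK + index
        size = struct.unpack_from('<i', self.data, off)[0]   # negative size = allocated cell
        if size >= 0:
            raise ValueError(f'cell {index:#x} is free, not allocated')
        return self.data[off + 4:off - size]

    def key(self, index):
        # nk cell: name, last-write time, subkey list and value list pointers
        p = self.cell(index)
        if p[:2] != b'nk':
            raise ValueError(f'cell {index:#x} is not a key cell')
        flags, ts, _, _, nsub, _, sublist, _, nval, vallist = struct.unpack_from('<HQIIIIIIII', p, 2)
        nlen = struct.unpack_from('<H', p, 0x48)[0]
        name = p[NK_HDR:NK_HDR + nlen].decode('latin-1' if flags & 0x20 else 'utf-16-le')
        return dict(name=name, last_write=filetime_to_dt(ts), nsub=nsub, sublist=sublist, nval=nval, vallist=vallist)

    def subkeys(self, index):
        # children from an lf/lh list of (index, name hash) pairs; li/ri lists are not handled here
        k = self.key(index)
        if not k['nsub']:
            return []
        p = self.cell(k['sublist'])
        sig, n = struct.unpack_from('<2sH', p, 0)
        if sig not in (b'lf', b'lh'):
            raise ValueError(f'unsupported subkey list type {sig!r}')
        return [struct.unpack_from('<I', p, 4 + 8 * i)[0] for i in range(n)]

    def values(self, index):
        # {name: data}; REG_SZ is decoded, other types are returned as raw bytes
        k, out = self.key(index), {}
        vlist = self.cell(k['vallist'])[:4 * k['nval']] if k['nval'] else b''
        for (vidx,) in struct.iter_unpack('<I', vlist):
            v = self.cell(vidx)
            nlen, dlen, doff, vtype, vflags = struct.unpack_from('<HIIIH', v, 2)
            name = v[0x14:0x14 + nlen].decode('latin-1' if vflags & 1 else 'utf-16-le') or '(Default)'
            # data of 4 bytes or less is stored inline in the offset field (high bit of the length set)
            raw = struct.pack('<I', doff)[:dlen & 0x7FFFFFFF] if dlen & 0x80000000 else self.cell(doff)[:dlen]
            out[name] = raw.decode('utf-16-le').rstrip('\0') if vtype == 1 else raw
        return out

    def lookup(self, path):
        # walk a backslash path below the root key; returns the key's cell index or None
        idx = self.root_cell
        for part in path.split('\\'):
            idx = next((c for c in self.subkeys(idx) if self.key(c)['name'].lower() == part.lower()), None)
            if idx is None:
                return None
        return idx

def _nk(name, ts, parent, nsub, sublist, nval, vallist, flags=0x20):   # 0x20 = ASCII key name
    return struct.pack('<2sHQ15IHH', b'nk', flags, ts, 0, parent, nsub, 0, sublist, NONE, nval,
                       vallist, NONE, NONE, 0, 0, 0, 0, 0, len(name), 0) + name

def build_sample_hive():
    # Constructed NTUSER.DAT-style hive: ROOT\Software\Microsoft\Windows\CurrentVersion\Run with one
    # REG_SZ value. Cell sizes depend only on payload length, so every index is computed up front.
    d = datetime(2020, 2, 5, 12, 0, tzinfo=timezone.utc) - EPOCH
    t0 = (d.days * 86400 + d.seconds) * 10**7                    # constructed last-write FILETIME
    names = [b'ROOT', b'Software', b'Microsoft', b'Windows', b'CurrentVersion', b'Run']
    vdata = 'C:\\Tools\\agent.exe'.encode('utf-16-le') + b'\0\0'   # constructed REG_SZ data
    cell_size = lambda n: (4 + n + 7) & ~7                        # size field + payload, 8-byte aligned
    lens = sum([[NK_HDR + len(n), 12] for n in names[:-1]], []) + [NK_HDR + 3, 4, 0x14 + 5, len(vdata)]
    idx = [HBIN_HDR + sum(map(cell_size, lens[:i])) for i in range(len(lens))]   # nk0 lf0 ... nk5 vl vk data
    cells = []
    for i, name in enumerate(names):
        parent, ts = (idx[2 * i - 2] if i else NONE), t0 + i * 600_000_000   # keys one minute apart
        if i < 5:
            cells.append(_nk(name, ts, parent, 1, idx[2 * i + 1], 0, NONE, 0x2C if i == 0 else 0x20))
            cells.append(struct.pack('<2sHI4s', b'lf', 1, idx[2 * i + 2], names[i + 1][:4]))
        else:
            cells.append(_nk(name, ts, parent, 0, NONE, 1, idx[11]))
    cells += [struct.pack('<I', idx[12]),                                                   # value list
              struct.pack('<2sHIIIHH', b'vk', 5, len(vdata), idx[13], 1, 1, 0) + b'Agent', vdata]
    body = b''.join(struct.pack('<i', -cell_size(len(c))) + c.ljust(cell_size(len(c)) - 4, b'\0') for c in cells)
    hbin = struct.pack('<4sIIQQI', b'hbin', 0, BLOCK, 0, 0, 0) + body   # one 4096-byte bin
    base = bytearray(BLOCK)                                              # base block: regf header
    struct.pack_into('<4sIIQIIIIII', base, 0, b'regf', 1, 1, t0, 1, 5, 0, 1, HBIN_HDR, BLOCK)
    return bytes(base) + hbin.ljust(BLOCK, b'\0')
```

To try it on real evidence, read an NTUSER.DAT copied from %UserProfile% into bytes and pass it to Hive; for the HKLM keys listed above, read the SOFTWARE file from %SystemRoot%\System32\Config instead, and drop the leading Software component from the path because that hive is itself mounted as HKLM\Software. The last_write time that key() returns is the registry last-write timestamp the shellbag slides later rely on, so the same walk over BagMRU and Bags keys gives the folder-visit timeline they describe. Kept out for brevity: li/ri subkey lists, the base-block checksum and sequence numbers, the transaction logs a dirty hive needs, and value types other than REG_SZ.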

Registry Subkeys and Key Values

Shellbags

•  Not this kind of shellbag (I don’t think I like this game any more…)

Shellbags

•  What in the world is a “shellbag”?
   –  SANS describes shellbags this way:

•  “Windows uses the Shellbag keys to store user preferences for GUI folder display within Windows Explorer. Everything from visible columns to display mode (icons, details, list, etc.) to sort order are tracked. If you have ever made changes to a folder and returned to that folder to find your new preferences intact, then you have seen Shellbags in action. In the paper Using shellbag information to reconstruct user activities, the authors write that "Shellbag information is available only for folders that have been opened and closed in Windows Explorer at least once" [1]. In other words, the simple existence of a Shellbag sub-key for a given directory indicates that the specific user account once visited that folder. Thanks to the wonders of Windows Registry last write timestamps, we can also identify when that folder was first visited or last updated (and correlate with the embedded folder MAC times also stored by the key). In some cases, historical file listings are available. Given much of this information can only be found within Shellbag keys, it is little wonder why it has become a fan favorite.”

What’s in a Shellbag?

•  Filtering through the mess above:
   –  GUI folder display within Windows Explorer
   –  Visible columns
   –  Display mode (icons, details, list, etc.)
   –  Sort order
   –  Saved changes to a folder
   –  An indication that a specific user account once visited a folder
   –  When a folder was first visited or last updated (and correlate with the embedded folder MAC times also stored by the key)
   –  Historical file listings (sometimes)

Common Shellbags

•  Pre-Windows 7
   –  HKEY_USERS\<USERID>\Software\Microsoft\Windows\Shell
   –  HKEY_USERS\<USERID>\Software\Microsoft\Windows\ShellNoRoam
   –  HKEY_USERS\<USERID>\Software\Microsoft\Windows\StreamsMRU
•  Windows 7 (and presumably later)
   –  USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
   –  USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
   –  NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
   –  NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags

Summary

•  The Windows Registry
•  Registry Hives
•  Registry File Layout
•  Important Registry Keys
•  Shellbags

Analysis of the Windows Registry

QUESTIONS?
