Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics – Fall 2014
Registry Artifacts
REGISTRY
• The registry is a “central hierarchical database” intended to store information that is necessary to configure the system for one or more users, applications, and hardware devices.[1]
• Goldmine for digital forensics.
• Registry Breakdown
  – Hives (binary database files)
  – Keys & Subkeys (analogous to folders)
  – Values (analogous to a file)
  – Type (strings, binary or DWORD)
  – Data
REGISTRY HIVES
• SAM – Local user accounts & groups
• Security – Security information used by the operating system, including password policies, group memberships, etc.
• System – Hardware and service configurations
• Software – Application settings
• NTUSER.dat – User settings, configuration and environment settings
• UsrClass.dat – More widely used in Vista/7/8 – Shellbag information
• System Registry Hives
  XP/Vista/7/8   C:\Windows\System32\config\SAM
  XP/Vista/7/8   C:\Windows\System32\config\SECURITY
  XP/Vista/7/8   C:\Windows\System32\config\SYSTEM
  XP/Vista/7/8   C:\Windows\System32\config\SOFTWARE
• User Specific Registry Hives
  XP             C:\Documents and Settings\<USERNAME>\NTUSER.dat
  Vista/7/8      C:\Users\<USERNAME>\NTUSER.dat
  Vista/7/8      C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat
• Backup System Registry Hives
  Vista/7/8      C:\Windows\System32\config\RegBack
REGISTRY VALUE TYPES
REG_NONE     No value
REG_SZ       Unicode or ASCII string
REG_BINARY   Binary data
REG_DWORD    32-bit number
REG_LINK     Unicode symbolic link
REG_QWORD    64-bit number
VIEWING REGISTRY HIVES
• Live System Analysis – regedit.exe
VIEWING REGISTRY HIVES
• Offline Analysis – AccessData Registry Viewer
  – http://accessdata.com/product-download/digital-forensics/registry-viewer-1-8-0-5
VIEWING REGISTRY HIVES
• Offline Analysis – MiTeC Windows Registry Recovery (WRR)
  – http://www.mitec.cz/wrr.html
EXTRACTING REGISTRY HIVES
LAST WRITE TIME
• Last Write Time is recorded for each key in every hive.
• Time is stored in UTC.
• The timestamp reflects when a value has been added or updated.
SECURITY ACCOUNTS MANAGER (SAM)
• Security Identifier (SID)
  – Recycle Bin entries, file ownership and other artifacts refer to a SID and not a username.
• Microsoft Documented SID Accounts
  – Administrator = 500
  – Guest = 501
  – User Accounts = start at 1000
• Password fields can be misleading
  – Password Required = password policies applied to user accounts do not apply to this account
  – We will work with a much better tool to determine if a password was set for this account in the Encryption/Password lecture!
SAM Hive
PROFILE LIST
• Details all profiles that have used the system, including local and domain users.
• SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
SYSTEM HIVE
• Current Control Set
  – SYSTEM\Select\Current
  – Answers the following questions:
    » Which configuration files should be loaded?
    » If an error is detected, which configuration files should be tried next?
    » Which configuration files reported errors?
SYSTEM HIVE
• Computer Name:
  – SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
• Time Zone:
  – SYSTEM\CurrentControlSet\Control\TimeZoneInformation
• Last Access Timestamp:
  – SYSTEM\CurrentControlSet\Control\FileSystem
SYSTEM HIVE
• Network Interfaces:
  – SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
SYSTEM HIVE
• User Shares Enabled:
  – SYSTEM\CurrentControlSet\Services\lanmanserver\Shares
• System Shutdown Timestamps and Counters (XP):
  – SYSTEM\CurrentControlSet\Control\Windows
  – SYSTEM\CurrentControlSet\Control\Watchdog\Display
SOFTWARE HIVE
• Operating System Version:
  – SOFTWARE\Microsoft\Windows NT\CurrentVersion
SOFTWARE HIVE
• Historical Networks (Vista/7/8): Managed by a Domain
  – SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
    » DnsSuffix = Domain
    » FirstNetwork = SSID
    » DefaultGatewayMac = Media Access Control (MAC) address of the gateway
    » Last Written Time = last time the computer connected to this network
SOFTWARE HIVE
• Historical Networks (Vista/7/8): Not Managed by a Domain
  – SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
SOFTWARE HIVE
• Network Type:
  – SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{GUID} (XP)
  – SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles (Vista/7/8)
    » NameType 0x47 = Wireless
    » NameType 0x06 = Wired
    » NameType 0x17 = Broadband
    » Date fields are recorded as a 128-bit System date … use Dcode to convert.
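Added example, not part of the lecture deck, decoding the two timestamp formats the slides refer to: a key's 64-bit Last Write Time (FILETIME, UTC) and the 128-bit System date stored for each NetworkList profile, together with the NameType mapping above. It assumes the profile value names DateCreated and DateLastConnected, which the slide does not give, and uses constructed sample bytes.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME: 100-nanosecond ticks counted from 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# NameType values for NetworkList\Profiles entries, as given in the slides.
NAME_TYPES = {0x47: "Wireless", 0x06: "Wired", 0x17: "Broadband"}


def filetime_to_utc(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME (e.g. a key's Last Write Time) to UTC."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def systemtime_to_utc(raw: bytes) -> datetime:
    """Decode the 16-byte (128-bit) SYSTEMTIME used by the profile date values.

    Eight little-endian WORDs: year, month, day-of-week, day, hour, minute,
    second, millisecond. Day-of-week is redundant and ignored here.
    """
    if len(raw) != 16:
        raise ValueError("SYSTEMTIME must be exactly 16 bytes")
    year, month, _dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    return datetime(year, month, day, hour, minute, second, ms * 1000, tzinfo=timezone.utc)


def describe_profile(name_type: int, date_created: bytes, date_last_connected: bytes) -> dict:
    """Turn one NetworkList\\Profiles\\{GUID} entry into analyst-readable UTC fields.

    Assumed value names: NameType (DWORD), DateCreated and DateLastConnected (binary).
    """
    return {
        "type": NAME_TYPES.get(name_type, f"Unknown (0x{name_type:02X})"),
        "created_utc": systemtime_to_utc(date_created).isoformat(),
        "last_connected_utc": systemtime_to_utc(date_last_connected).isoformat(),
    }


# Constructed sample data (not from a real hive): 2014-09-15 13:05:30 UTC as
# FILETIME ticks, and two SYSTEMTIME blobs (Mon 15 Sep 2014, Thu 20 Nov 2014).
SAMPLE_LAST_WRITE = struct.pack("<Q", 130552599300000000)
SAMPLE_CREATED = struct.pack("<8H", 2014, 9, 1, 15, 13, 5, 30, 250)
SAMPLE_LAST_CONNECTED = struct.pack("<8H", 2014, 11, 4, 20, 8, 45, 0, 0)

if __name__ == "__main__":
    print("Key Last Write (UTC):", filetime_to_utc(SAMPLE_LAST_WRITE).isoformat())
    print(describe_profile(0x47, SAMPLE_CREATED, SAMPLE_LAST_CONNECTED))
```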
AUTO-START PROGRAMS
• Various Registry Locations:
  – NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Run
  – NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\RunOnce
  – SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  – SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  – SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
  – SYSTEM\CurrentControlSet\Services (0x02 = start)
NTUSER.DAT HIVE
• Windows XP Search History
  – NTUSER.DAT\Software\Microsoft\Search Assistant\ACMru
• Windows 7 Search History
  – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
• Windows 8 Search History
  – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\SearchHistory
• Windows 8.1 Search History (http://www.swiftforensics.com/2014/04/search-history-on-windows-8-and-81.html)
  – \Users\<USER>\AppData\Local\Microsoft\Windows\ConnectedSearch\History
NTUSER.DAT HIVE
• Internet Explorer Typed URLs
  – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
NTUSER.DAT HIVE
• Recently Accessed Files
  – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
  – MRUList shows the order in which the files were accessed.
  – The most recently opened file will be first.
NTUSER.DAT HIVE
• Microsoft Office Recent Documents
  – NTUSER.DAT\Software\Microsoft\Office\14.0\Word\FileMRU
  – NTUSER.DAT\Software\Microsoft\Office\14.0\Excel\FileMRU
  – NTUSER.DAT\Software\Microsoft\Office\14.0\Powerpoint\FileMRU
• Office version numbers in the path:
  – Office XP – Version 10.0
  – Office 2003 – Version 11.0
  – Office 2007 – Version 12.0
  – Office 2010 – Version 14.0
NTUSER.DAT HIVE
• Common Dialogs API (ComDlg32) – Open and Save As APIs
  – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU (XP)
  – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidMRU (Vista/7/8)
NTUSER.DAT HIVE
• Common Dialogs API (ComDlg32) – Last Visited
  – Records the specific executable used to open the files, along with the directory that was last accessed.
  – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU (XP)
  – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidMRU (Vista/7/8)
NTUSER.DAT HIVE
• Commands Executed from the Run Box
  – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
  – MRUList provides the order in which the commands were executed.
NTUSER.DAT HIVE
• UserAssist
  – Records what application(s) a user has run, when, and how many times:
    » NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
  – Valuable resource to determine user activity and technical knowledge.
  – Values are encoded using a simple substitution cipher (ROT13).
  – Run count starts at 6(?) … some viewers will automatically adjust this value, so it is important to know what your tool is doing.
  – {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} = Executable File Execution
  – {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} = Shortcut File Execution
NTUSER.DAT HIVE
• UserAssist – Win XP/Vista
  – All values begin with one of the following prefixes:
    » UEME_RUNPATH – Launched from the Absolute Path
    » UEME_RUNCPL – Launched from the Control Panel Applet
    » UEME_RUNPIDL – Launched from a Shortcut
    » UEME_UIQCUT – Launched from the Quick Launch Menu
    » UEME_UISCUT – Launched from a Desktop Shortcut
    » UEME_UITOOLBAR – Launched from the Windows Explorer Toolbar
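Added example, not part of the lecture deck, that decodes UserAssist entries the way the two preceding slides describe them: ROT13 on the value name, the UEME_ prefix table for XP/Vista, and the binary Count data (session, run count, last-run FILETIME). The 16-byte XP/Vista and 72-byte Windows 7/8 value layouts and the "subtract 5" run-count adjustment are assumptions stated in the comments; the sample name and data are constructed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Launch-method prefixes for XP/Vista value names, as listed in the slides.
UEME_PREFIXES = {
    "UEME_RUNPATH": "Absolute Path",
    "UEME_RUNCPL": "Control Panel Applet",
    "UEME_RUNPIDL": "Shortcut",
    "UEME_UIQCUT": "Quick Launch Menu",
    "UEME_UISCUT": "Desktop Shortcut",
    "UEME_UITOOLBAR": "Windows Explorer Toolbar",
}
# Slide note: the XP run count starts at 6, so 5 is subtracted to get real launches.
# Kept switchable because some viewers already apply this adjustment silently.
XP_COUNT_OFFSET = 5


def rot13(name: str) -> str:
    # Value names are obfuscated with ROT13; decoding is the same operation.
    return codecs.decode(name, "rot13")


def launch_method(decoded_name: str) -> str:
    # The text before the first ':' is the UEME_ prefix describing how it was launched.
    return UEME_PREFIXES.get(decoded_name.split(":", 1)[0], "Unknown")


def parse_userassist_value(data: bytes, adjust_count: bool = True) -> dict:
    # Assumed layouts: XP/Vista 16 bytes = session(4) | run count(4) | last-run FILETIME(8);
    # Win 7/8 72 bytes with run count at offset 4 and last-run FILETIME at offset 60.
    if len(data) == 16:
        session, count, ft = struct.unpack("<IIQ", data)
        if adjust_count:
            count = max(count - XP_COUNT_OFFSET, 0)
    elif len(data) == 72:
        session, count = struct.unpack_from("<II", data, 0)
        (ft,) = struct.unpack_from("<Q", data, 60)
    else:
        raise ValueError(f"unexpected UserAssist data length: {len(data)}")
    last_run = (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat() if ft else None
    return {"session": session, "run_count": count, "last_run_utc": last_run}


def describe_entry(raw_name: str, data: bytes) -> dict:
    name = rot13(raw_name)
    return {"name": name, "launched_from": launch_method(name), **parse_userassist_value(data)}


# Constructed samples (not from a real hive): ROT13 of "UEME_RUNPATH:C:\Windows\notepad.exe"
# with stored count 12 and last run 2014-09-15 13:05:30 UTC, plus a Win 7 record with count 3.
SAMPLE_NAME = "HRZR_EHACNGU:P:\\Jvaqbjf\\abgrcnq.rkr"
SAMPLE_XP_DATA = struct.pack("<IIQ", 1, 12, 130552599300000000)
SAMPLE_WIN7_DATA = struct.pack("<II", 0, 3) + bytes(52) + struct.pack("<Q", 130552599300000000) + bytes(4)
```

Run `describe_entry(SAMPLE_NAME, SAMPLE_XP_DATA)` to see the decoded name, launch method, adjusted count and UTC last-run time for the sample entry.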
NTUSER.DAT HIVE
• UserAssist – Win 7/8
  – http://www.aldeid.com/wiki/Windows-userassist-keys#Translation_of_directories
NTUSER.DAT HIVE
• MUICache – Multi-language User Interface
  – One more location to see if a program was executed, even if the program was uninstalled.
  – Timestamps are not recorded, as each program is a value.
  – Win XP
    » NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\MUICache
  – Win 7/8
    » USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
  – Consider processing Volume Shadow Copies (VSC)
RegRipper
• https://code.google.com/p/regripper/wiki/RegRipper
RegRipper Plugins
• List All Plugins
  – rip -l
USB FORENSICS
• USB devices are commonly used to transfer data.
• Determine how the user is using the system.
• Identify other devices that may be important to the investigation.
• Determine the first time a USB drive was connected to the system.
• Determine the last time a USB drive was connected to the system.
• Artifact Locations:
  XP/Vista/7/8   C:\Windows\System32\config\SYSTEM
  XP/Vista/7/8   C:\Windows\System32\config\SOFTWARE
  XP             C:\Documents and Settings\<USERNAME>\NTUSER.dat
  Vista/7/8      C:\Users\<USERNAME>\NTUSER.dat
  XP             C:\Windows\setupapi.log
  Vista/7/8      C:\Windows\inf\setupapi.dev.log
USB FORENSICS
• Device’s serial number
  – SYSTEM\CurrentControlSet\Enum\USBSTOR
  – Vendors “should” manufacture USB devices with unique serial numbers.
  – Not all devices comply with the standard.
  – Devices that do not have a unique serial number will have an “&” as the 2nd character.
  – “Last Written Date” is the first time the device was connected to the system since the last reboot.
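Added example, not part of the lecture deck, that splits USBSTOR key names into vendor, product, revision and serial and applies the slide's “&” as 2nd character rule to flag Windows-generated (non-unique) serials. The key-name layout (<Type>&Ven_<vendor>&Prod_<product>&Rev_<revision> with an "&<instance>" suffix on the serial) is an assumption stated in the comments; the sample key names and timestamps are constructed.

```python
import re

# Assumed USBSTOR device key layout: <Type>&Ven_<vendor>&Prod_<product>&Rev_<revision>
DEVICE_KEY_RE = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$"
)


def serial_is_unique(serial_key: str) -> bool:
    """Slide rule: a Windows-generated (non-unique) serial key has '&' as its 2nd character."""
    return len(serial_key) > 1 and serial_key[1] != "&"


def parse_usbstor_entry(device_key: str, serial_key: str, last_write_utc: str) -> dict:
    """Split one USBSTOR\\<device>\\<serial> pair into analyst-readable fields."""
    m = DEVICE_KEY_RE.match(device_key)
    if not m:
        raise ValueError(f"unrecognised USBSTOR device key: {device_key}")
    unique = serial_is_unique(serial_key)
    # Windows appends "&<instance>" to the vendor serial; strip it for the report.
    serial = serial_key.rsplit("&", 1)[0] if unique else None
    return {
        "device_type": m["type"], "vendor": m["vendor"], "product": m["product"],
        "revision": m["rev"], "serial": serial, "unique_serial": unique,
        # Per the slide, the key's Last Write is the first connection since the last reboot.
        "first_connect_since_boot_utc": last_write_utc,
    }


def triage_usbstor(entries) -> list:
    """entries: (device_key, serial_key, key_last_write_utc) tuples. Returns parsed rows,
    most recently connected first, so non-unique serials can be spotted for follow-up."""
    rows = [parse_usbstor_entry(*e) for e in entries]
    return sorted(rows, key=lambda r: r["first_connect_since_boot_utc"], reverse=True)


# Constructed sample key names and Last Write Times (not taken from a real system).
SAMPLE_ENTRIES = [
    ("Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.26", "4C530001234567890123&0", "2014-09-15T13:05:30+00:00"),
    ("Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07", "6&2a3b4c5d&0", "2014-10-02T08:12:00+00:00"),
]

if __name__ == "__main__":
    for row in triage_usbstor(SAMPLE_ENTRIES):
        print(row)
```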
USB FORENSICS
• Device’s Volume Name (Windows 7/8)
  – SOFTWARE\Microsoft\Windows Portable Devices\Device
USB FORENSICS
• Device’s Mapped Drive Letter (Windows XP/7/8)
  – SYSTEM\MountedDevices
  – Windows XP uses the device’s ParentIdPrefix
USB FORENSICS
• Determine which user used the USB device (Windows 7/8)
  – SYSTEM\USBSTOR\<DEVICE>\<Serial#>\Device Parameters\Partmgr
USB FORENSICS
• Determine which user used the USB device (2) (Windows 7/8)
  – SYSTEM\MountedDevices
USB FORENSICS
• Determine which user used the USB device (Windows 7/8)
  – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Mountpoints2
USB FORENSICS
• When was the USB device first used? (Windows 7/8)
  – C:\Windows\inf\setupapi.dev.log
USB FORENSICS
• When was the USB device last used? (Windows 7/8)
  – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints\{GUID}
  – Key’s Last Write Timestamp
USB FORENSICS – AUTOMATED
• USBDeviceForensics
  – http://www.woanware.co.uk/forensics/usbdeviceforensics.html
SHELL BAGS
• Store user specific preferences for Windows Explorer.
• Show browsing habits and knowledge of content by a user.
• Uncover evidence of a deleted folder structure.
• Registry Locations:
  XP/Vista/7/8   USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
  XP/Vista/7/8   USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  XP/Vista/7/8   NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
  XP/Vista/7/8   NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
• The following changes will cause a ShellBag key to be updated:
  – Window Size
  – View Options
  – Viewing Files in Thumbnail Format
  – Sorting Options
EXTRACTING SHELLBAGS
• sbag.exe
  – Download – https://www.tzworks.net/download_links.php
  – Info – https://www.tzworks.net/prototype_page.php?proto_id=14