registry analysis using regedit.exe –system information –autostart locations –usb removable...
Post on 19-Dec-2015
Registry Analysis
• Using regedit.exe
– System Information
– Autostart locations
– USB Removable Storage Devices
– Mounted Devices
– Finding Users
– User Activity
– Restore Points
System Information
• Located in the Current Control Set
• If the system is not running (you are working from an offline SYSTEM hive) you must find the Control Set that was current
• Time zone
• Shares
• Audit policy
• Wireless SSIDs
Current Control Set
• CurrentControlSet is a volatile portion of the Registry: at boot it becomes a link to one of the ControlSet00x keys
• Which of the 2 or more Control Sets is current?
• The Current value under HKLM\SYSTEM\Select holds the number of the control set in use; Current = 1 indicates that ControlSet001 is current (the Default, Failed and LastKnownGood values in the same key name the others)
Time Zone Information
• SYSTEM\ControlSet001\Control\TimeZoneInformation
Computer Name
HKLM\SYSTEM\ControlSet001\Control\ComputerName\ComputerName
Shutdown Time
• HKLM\SYSTEM\CurrentControlSet\Control\Windows
• HKLM\SYSTEM\ControlSet001\Control\Windows
• The ShutdownTime value is an 8-byte REG_BINARY FILETIME
• Time is measured as the number of 100-nanosecond intervals since 1 January 1601 (UTC), stored little-endian
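Regedit shows ShutdownTime only as eight raw bytes, so the conversion has to be done by hand or in a script. The following is an added example (not code from the slides) that decodes such a value and, as a cross-check, encodes a datetime back into FILETIME bytes. The sample bytes are constructed: they are the FILETIME of the Unix epoch, a value whose answer is known.

```python
"""Decode an 8-byte REG_BINARY FILETIME (e.g. ShutdownTime) into a UTC datetime.

Added example, not part of the original slides. The sample bytes below are
constructed for illustration.
"""
from datetime import datetime, timedelta, timezone
import struct

# FILETIME epoch: 1601-01-01 00:00:00 UTC, counted in 100 ns ticks.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(raw: bytes) -> datetime:
    """Convert the little-endian 8-byte REG_BINARY value to an aware UTC datetime."""
    if len(raw) != 8:
        raise ValueError(f"FILETIME must be exactly 8 bytes, got {len(raw)}")
    (ticks,) = struct.unpack("<Q", raw)          # unsigned 64-bit, little-endian
    seconds, remainder = divmod(ticks, TICKS_PER_SECOND)
    # remainder is in 100 ns ticks; datetime resolution is microseconds
    return FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=remainder // 10)


def datetime_to_filetime(when: datetime) -> bytes:
    """Inverse: aware datetime -> 8-byte little-endian FILETIME (useful for cross-checks)."""
    if when.tzinfo is None:
        raise ValueError("datetime must be timezone-aware")
    delta = when - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10
    return struct.pack("<Q", ticks)


# Constructed sample: the bytes regedit would show for a ShutdownTime value.
# 00 80 3E D5 DE B1 9D 01 is 0x019DB1DED53E8000 = 116444736000000000 ticks,
# i.e. 1970-01-01 00:00:00 UTC (the Unix epoch), a convenient known value.
SAMPLE_SHUTDOWN_TIME = bytes.fromhex("00803ed5deb19d01")

if __name__ == "__main__":
    print(filetime_to_datetime(SAMPLE_SHUTDOWN_TIME).isoformat())
```

The same routine decodes any other 8-byte FILETIME value found in the hives (key LastWrite times, for instance); note that the result is UTC and must be adjusted with the TimeZoneInformation key if local time is wanted.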
Shares
• Windows 2K, XP, 2003, and Vista create a number of administrative shares
– IPC$ - inter-process communication (named pipe) share
– ADMIN$ - the Windows directory (%SystemRoot%)
– C$, D$, etc. - the root of each drive
• User-enabled shares show up in
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares
Wireless SSIDs
• XP laptops maintain a list of service set IDs (SSIDs) under HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{GUID}
• The GUID is associated with the wireless interface
• The Static#000x values under it list all of the SSIDs connected to
• There is a different Static#000x value for each SSID ever connected to
SSID Registry Entry
• At offset 0x10 is a DWORD (4 bytes) that contains the length of the SSID; remember little endian: "0b 00 00 00" = 0x0000000b = 11 decimal
• The SSID itself follows at offset 0x14 (SSID length, then SSID)
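Reading the length DWORD by eye is error-prone, so here is an added example (not from the slides) that parses a Static#000x value using the layout described above: a 16-byte prefix that is not interpreted, the little-endian length at 0x10 and the SSID at 0x14. The blob is constructed with a helper in the same layout; the length check against the 802.11 maximum of 32 octets catches the usual mistake of reading from the wrong offset.

```python
"""Parse the Static#000x REG_BINARY value of an XP WZCSVC interface key to recover the SSID.

Added example, not from the original slides. Layout as described on the slide:
a DWORD at offset 0x10 holds the SSID length, little-endian; the SSID bytes follow at 0x14.
The sample blob below is constructed.
"""
import struct

SSID_LEN_OFFSET = 0x10
SSID_OFFSET = 0x14
MAX_SSID_LEN = 32          # 802.11 SSIDs are at most 32 octets


def parse_static_ssid(blob: bytes) -> str:
    """Return the SSID stored in a Static#000x value, validating the length field."""
    if len(blob) < SSID_OFFSET:
        raise ValueError(f"blob too short ({len(blob)} bytes) to hold an SSID length field")
    (ssid_len,) = struct.unpack_from("<I", blob, SSID_LEN_OFFSET)   # "<I" = little-endian DWORD
    if ssid_len > MAX_SSID_LEN:
        raise ValueError(f"implausible SSID length {ssid_len}: wrong offset or corrupt value?")
    if len(blob) < SSID_OFFSET + ssid_len:
        raise ValueError("SSID length runs past the end of the value")
    ssid = blob[SSID_OFFSET:SSID_OFFSET + ssid_len]
    # SSIDs are octet strings; most are ASCII, but decode defensively.
    return ssid.decode("utf-8", errors="backslashreplace")


def build_sample(ssid: str) -> bytes:
    """Constructed sample: 16 uninterpreted header bytes, the length DWORD, the SSID, zero padding."""
    body = ssid.encode()
    return bytes(SSID_LEN_OFFSET) + struct.pack("<I", len(body)) + body + bytes(MAX_SSID_LEN - len(body))


SAMPLE_BLOB = build_sample("linksys-lab")   # the length field comes out as 0b 00 00 00 = 11

if __name__ == "__main__":
    print(SAMPLE_BLOB[SSID_LEN_OFFSET:SSID_OFFSET].hex(" "), "->", parse_static_ssid(SAMPLE_BLOB))
```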
Autostarts
• Applications that are launched without any interaction from the user
• Often at boot time
• Occasionally upon launch of an app
Autostart Locations
• Auto-start extensibility points (ASEPs)
• Registry locations
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
– HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
– And many others, spread all over the Registry
Autostart Locations
• Start -> Run -> msconfig
• Lists some of the acknowledged startup entries (the Startup tab), not every ASEP
Startup Locations
Other Startup Locations
• System boot
• User Login
• User Activity
• See Carvey’s Ch4 spreadsheet for more locations
System boot
• Startup services at boot time are contained in
• HKLM\SYSTEM\CurrentControlSet\Services
• Each service is a subkey whose values hold its parameters (Start, Type, ImagePath, ...)
• The subkeys should be sorted by key LastWriteTime
• regedit.exe does not display LastWrite times; this needs a forensic tool such as FTK or ProDiscover
ControlSet\Services
Boot Time Apps
• Start value = 2 (Automatic): the service starts at boot time
• Start = 0 (Boot) and 1 (System) are driver start types, loaded even earlier in the boot
• Start = 3 (Manual): started only on demand; Start = 4: disabled
• A service entry does not start on user logon; logon-time autostarts live in the Run keys
Evil Start Time Services
• Generally LastWrite times should be close to the time the system was built (or last patched)
• Later dates suggest that an intruder or sysadmin altered the boot-time sequence; check the ImagePath of anything written recently
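Put together, the two slides above describe a triage rule: decode Start, keep the entries that load without a logon, and sort the recently written ones to the top. The block below is an added example (not from the slides) of that rule over constructed service records of the kind a forensic tool exports; it does not open a hive, and the build date, service names and paths are made up for illustration.

```python
"""Triage HKLM\\SYSTEM\\CurrentControlSet\\Services entries: decode the Start value and flag
boot-time services whose key LastWrite time is long after the system was built.

Added example, not from the original slides. Hive access is not shown: the entries below
are constructed records of the kind a forensic tool exports (name, Start, ImagePath, LastWrite).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Meaning of the Start DWORD under each service key.
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}
BOOT_TIME_STARTS = {0, 1, 2}     # loaded without any user logging on


@dataclass
class ServiceEntry:
    name: str
    start: int
    image_path: str
    last_write: datetime     # key LastWrite time, UTC


def describe_start(start: int) -> str:
    return START_TYPES.get(start, f"Unknown({start})")


def suspicious_boot_services(entries, build_time, grace=timedelta(days=7)):
    """Return boot-time services whose key was written later than build_time + grace,
    most recently written first (the order an analyst sorts the Services key into)."""
    cutoff = build_time + grace
    return sorted(
        (e for e in entries if e.start in BOOT_TIME_STARTS and e.last_write > cutoff),
        key=lambda e: e.last_write,
        reverse=True,
    )


# Constructed sample data.
BUILD_TIME = datetime(2015, 3, 2, 9, 15, tzinfo=timezone.utc)
SAMPLE_SERVICES = [
    ServiceEntry("Dhcp", 2, r"%SystemRoot%\system32\svchost.exe -k netsvcs", BUILD_TIME),
    ServiceEntry("Tcpip", 1, r"system32\DRIVERS\tcpip.sys", BUILD_TIME + timedelta(minutes=3)),
    ServiceEntry("Messenger", 4, r"%SystemRoot%\system32\svchost.exe -k netsvcs", BUILD_TIME),
    ServiceEntry("wuauserv", 2, r"%SystemRoot%\system32\svchost.exe -k netsvcs", BUILD_TIME + timedelta(days=2)),
    # Added months later with Start=2 and an ImagePath in Temp: the pattern the slide warns about.
    ServiceEntry("msupdsvc", 2, r"C:\WINDOWS\Temp\msupd.exe", datetime(2015, 11, 28, 2, 41, tzinfo=timezone.utc)),
    # Also late, but Manual: worth a look, not a boot-time autostart.
    ServiceEntry("Helper", 3, r"C:\Program Files\Helper\helper.exe", datetime(2015, 12, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for e in suspicious_boot_services(SAMPLE_SERVICES, BUILD_TIME):
        print(f"{e.last_write:%Y-%m-%d %H:%M} {e.name:<12} Start={describe_start(e.start):<9} {e.image_path}")
```

The grace period absorbs the service keys that legitimately get rewritten during initial patching; on a box that receives regular updates, compare against the last patch date rather than the build date, since svchost-hosted services are touched by updates.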
User Login
• Startup keys are parsed in this order when a user logs in:
1. HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
2. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
3. HKLM\Software\Microsoft\Windows\CurrentVersion\Run
4. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
5. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
6. HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
• The Run keys are ignored when Windows is started in Safe Mode
#3 On the Startup List
User Activity
• On user action certain registry keys are accessed
• Keys for file classes (HKCR\<class>\shell\open\command) control what happens when a file of that type is opened
• Or when the file is double-clicked
Example
• Go to: HKLM\Software\Microsoft\Command Processor\AutoRun
• Right-click AutoRun
• Select Modify
• Enter sol.exe in the Value data: field
• Start -> Run -> cmd.exe: Solitaire now launches with every command prompt
• This is how one can modify application behavior
• Used by much malware to launch backdoors or an IRC bot
• Check the HKCU copy of the Command Processor key as well; cmd.exe /d starts without running AutoRun
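An analyst usually meets these keys as a .reg export rather than in a live regedit session. The block below is an added example (not from the slides) that serves both the logon-order slide and the Command Processor example above: it parses a constructed regedit export, lists the Run/RunOnce entries in the order Windows processes them at logon, and flags an AutoRun value on either Command Processor key. The parser handles only REG_SZ and dword values, which is what these keys hold; hex: values are skipped.

```python
"""Pull autostart entries out of a .reg export in the order Windows parses them at logon,
and flag a Command Processor AutoRun hijack.

Added example, not from the original slides. The export text below is constructed; the
regedit .reg format (Windows Registry Editor Version 5.00, [key] headers, "name"="value")
is parsed minimally: REG_SZ and dword values only, which is what the Run keys hold.
"""
import re

# Order in which the slides say the keys are parsed at user logon.
LOGON_ORDER = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
]
AUTORUN_KEYS = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor",
    r"HKEY_CURRENT_USER\Software\Microsoft\Command Processor",
]

# "name"=data  or  @=data (the default value); name may contain \" and \\ escapes
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\ in one pass."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Return {key_path_lowercase: {value_name: value}} for REG_SZ and dword values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()          # registry key names are case-insensitive
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
        elif data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        # hex:/hex(x): binary values are left out of this minimal parser
    return keys


def logon_autostarts(keys: dict) -> list:
    """(key, value name, command) tuples in the order Windows processes them at logon."""
    out = []
    for key in LOGON_ORDER:
        for name, cmd in keys.get(key.lower(), {}).items():
            out.append((key, name, cmd))
    return out


def command_processor_autorun(keys: dict) -> list:
    """Commands that cmd.exe runs on every start (unless launched with /d)."""
    return [(k, keys[k.lower()]["AutoRun"]) for k in AUTORUN_KEYS
            if keys.get(k.lower(), {}).get("AutoRun")]


# Constructed export, in the form regedit's File -> Export writes.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""
"svchosts"="C:\\WINDOWS\\Temp\\svchosts.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor]
"AutoRun"="sol.exe"
"EnableExtensions"=dword:00000001
'''

if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_EXPORT)
    for key, name, cmd in logon_autostarts(reg):
        print(f"{key}\n    {name} = {cmd}")
    for key, cmd in command_processor_autorun(reg):
        print(f"cmd.exe AutoRun hijack: {key}\\AutoRun = {cmd}")
```

Note that the HKLM Run entries come out before the HKCU one even though HKCU appears first in the export: the order is the logon parse order from the slide, not file order. The "svchosts" entry pointing into C:\WINDOWS\Temp is the kind of thing to look for; the real Windows service host is svchost.exe under system32.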
Autoruns from Sysinternals
• Shows the hijacked app
USB Devices
• Tracking USB devices: when mounted on Windows they leave
– Footprints in the Registry
– Artifacts in the setupapi.log file
• The PnP Manager queries the device descriptor, located in the thumb drive's firmware
• The setupapi.log is updated
• A Registry key is created under HKLM\System\CurrentControlSet\Enum\USBSTOR
USBSTOR Key
• Device class ID, e.g. CdRom&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_6.61
– Device class (Disk, CdRom), manufacturer (Ven_), model (Prod_), firmware version (Rev_)
• Unique Instance ID: the serial number read from the device descriptor
• System-created key, e.g. Disk&Ven_JMTek&Prod_USBDrive&Rev_7.77
– The device reported no serial number, so the Unique Instance ID is made up by the system; an '&' as the second character of the instance ID marks such a generated ID
Device Information
• HKLM\SYSTEM\MountedDevices
• List of recently mounted devices: look down the list for \DosDevices\
• The REG_BINARY data is a UTF-16LE string; for a removable device it should start with 5C 00 3F 00 3F 00, i.e. "\??"
• To find which device this is, right-click the value and select Modify
• The string contains the ParentIdPrefix, which matches the ParentIdPrefix value under the device's Unique Instance ID (serial number) key in USBSTOR
USB Devices Tracking
• By correlating ParentIdPrefix from MountedDevices and USBSTOR one can generate a timeline
• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
• May give more information: it is per user (NTUSER.DAT), so it shows which account mounted the volume
Mounted Devices
• Binary data in \DosDevices\G:
• Its ParentIdPrefix matches the Kingston Traveler in the USBSTOR key
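The correlation in the last three slides is mechanical once the values are decoded, so here is an added example (not from the slides) that does it over constructed data: it splits a USBSTOR device class ID into its fields, tells a real serial number from a system-generated instance ID, decodes the UTF-16LE MountedDevices strings (checking the 5C 00 3F 00 3F 00 prefix), and maps each \DosDevices\ drive letter to the USBSTOR entry whose ParentIdPrefix it contains. No hive is opened; the serials, prefixes and the Volume GUID are made up.

```python
"""Correlate USBSTOR device instances with MountedDevices drive letters via ParentIdPrefix.

Added example, not from the original slides. No hive is opened here: the USBSTOR entries
and MountedDevices values below are constructed to look like the XP data the slides describe.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00 -> class, vendor, product, firmware revision
DEVICE_ID_RE = re.compile(r"^(?P<cls>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>.*)$")
DEVICE_PATH_PREFIX = "\\??\\"        # 5C 00 3F 00 3F 00 5C 00 in UTF-16LE


@dataclass
class UsbStorDevice:
    device_id: str                    # subkey under Enum\USBSTOR
    instance_id: str                  # serial number, or an ID the system made up
    parent_id_prefix: Optional[str]   # ParentIdPrefix value (XP); None if absent


def parse_device_id(device_id: str) -> dict:
    """Split a USBSTOR device class ID into its fields."""
    m = DEVICE_ID_RE.match(device_id)
    if not m:
        raise ValueError(f"unexpected USBSTOR device ID: {device_id}")
    return m.groupdict()


def has_real_serial(instance_id: str) -> bool:
    """An '&' as the second character marks an instance ID generated by the system,
    i.e. the device reported no serial number."""
    return len(instance_id) < 2 or instance_id[1] != "&"


def decode_mounted_device(raw: bytes) -> str:
    """MountedDevices values for removable devices are UTF-16LE device paths starting with \\??\\."""
    text = raw.decode("utf-16-le")
    if not text.startswith(DEVICE_PATH_PREFIX):
        raise ValueError("value does not start with 5C 00 3F 00 3F 00 (\\??): not a device path")
    return text


def correlate(devices, mounted):
    """Map each \\DosDevices\\X: value to the USBSTOR device whose ParentIdPrefix appears in it."""
    out = {}
    for name, raw in mounted.items():
        if not name.startswith("\\DosDevices\\"):
            continue                  # \??\Volume{...} entries repeat the same data
        try:
            path = decode_mounted_device(raw)
        except ValueError:
            continue                  # fixed disks store a 12-byte signature+offset here, not a path
        for dev in devices:
            if dev.parent_id_prefix and f"#{dev.parent_id_prefix}&" in path:
                out[name] = dev
    return out


def u16(s: str) -> bytes:
    """Encode a string the way MountedDevices stores it."""
    return s.encode("utf-16-le")


# Constructed sample data (serials, prefixes and the Volume GUID are made up).
SAMPLE_DEVICES = [
    UsbStorDevice("Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00", "5B7A11001234ABCD&0", "7&2a1b3c4d&0"),
    UsbStorDevice("Disk&Ven_JMTek&Prod_USBDrive&Rev_7.77", "6&1f0e2d3c&0", "7&3d2c1b0a&0"),
]
_G_PATH = u16("\\??\\STORAGE#RemovableMedia#7&2a1b3c4d&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}")
SAMPLE_MOUNTED = {
    "\\DosDevices\\C:": bytes.fromhex("d3c2b1a0007e000000000000"),   # fixed disk: signature + offset
    "\\DosDevices\\G:": _G_PATH,
    "\\??\\Volume{e1a4f0c2-5d3b-11e5-9c4a-806d6172696f}": _G_PATH,  # same volume, GUID form
}

if __name__ == "__main__":
    for letter, dev in correlate(SAMPLE_DEVICES, SAMPLE_MOUNTED).items():
        fields = parse_device_id(dev.device_id)
        print(f"{letter} -> {fields['vendor']} {fields['product']} serial={dev.instance_id} "
              f"(real serial: {has_real_serial(dev.instance_id)})")
```

The JMTek device in the sample has a ParentIdPrefix but no matching drive letter, which is exactly the kind of gap the Research Topic slide below describes: a device can be enumerated under USBSTOR without any surviving MountedDevices entry, and vice versa.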
Research Topic
• USB devices
– Some USB devices have a Device ID (serial number), others do not
– Some generate a ParentIdPrefix, others do not
– Some correlate to the MountedDevices ID, others do not
• Sort it out
• Use references to the Microsoft Knowledge Base