Mississippi State University Digital Forensics 1
Analysis of the Windows Registry
Alex Applegate
Overview
• The Windows Registry
• Registry Hives
• Registry File Layout
• Important Registry Keys
• Shellbags
The Windows Registry
Not this kind of registry…
The Windows Registry
• Tree-style database used by almost every part of the Windows operating system
  – Hive
    » Keys
      » Key Value or Subkey
        » Subkey Value
  – Each hive may have its own file in the file system
  – Some hives only exist in system memory
Registry Hives
• Not this kind of hive…
Registry Hives
• %SystemRoot%\System32\Config
  – System registry area
  – Is a directory that contains multiple files
• %UserProfile%\NTUSER.dat
  – User registry file
• Most Common Hives
  – HKEY_CLASSES_ROOT
  – HKEY_CURRENT_USER
  – HKEY_LOCAL_MACHINE
System Hive Files in Windows Explorer
User Hive in Windows Explorer
Hives in Regedit
Registry File Layout
• Official format never released by Microsoft
• Each hive is broken into 4096-byte blocks
• First block in a hive is always a “base block”
• Data is represented in “cells”
  – A field at the beginning of the cell describes whether it is a key, value, subkey list, or subkey
• A “cell index” is the offset of a particular cell inside the hive relative to the first bin
Registry File Hive Block
Source: http://www.codeproject.com/Articles/24415/How-to-read-dump-compare-registry-hives
Registry File Layout (cont’d)
• The first bin always begins immediately after the base block
• Each hive contains a root cell at the beginning that holds the lists of keys and key values of the top level
• Each key in the registry maintains a list of any subkeys subordinate to it in a subkey list
• All the values for a particular key are maintained in an associated value list
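Added example (not from the slides): a small Python parser for the layout described above. It validates the base block (regf signature, sequence numbers, checksum, root cell index), turns a cell index into a file offset by adding the 4096-byte base block, and decodes the root key cell, including its last-write FILETIME. The hive it reads is a minimal two-block hive constructed inline; the base-block and nk field offsets are the standard ones and are an assumption here, not something the slides state.

```python
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK = 4096  # the base block is the first 4096-byte block; the first hbin starts right after it
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def base_block_checksum(hive):
    """XOR of the first 127 DWORDs of the base block; the 128th DWORD (offset 508) stores it."""
    x = 0
    for off in range(0, 508, 4):
        x ^= struct.unpack_from("<I", hive, off)[0]
    return 0xFFFFFFFE if x == 0xFFFFFFFF else (1 if x == 0 else x)

def parse_base_block(hive):
    sig, seq1, seq2 = struct.unpack_from("<4sII", hive, 0)
    if sig != b"regf":
        raise ValueError("missing regf signature: not a registry hive")
    major, minor, _type, _fmt, root_cell, bins_size = struct.unpack_from("<6I", hive, 20)
    stored = struct.unpack_from("<I", hive, 508)[0]
    return {
        "version": (major, minor),
        "dirty": seq1 != seq2,  # unequal sequence numbers: last write did not complete, check the .LOG files
        "checksum_ok": stored == base_block_checksum(hive),
        "root_cell": root_cell, "bins_size": bins_size,  # root_cell is a cell index, relative to the first hbin
    }

def read_key_cell(hive, cell_index):
    off = BASE_BLOCK + cell_index  # cell index -> file offset: skip the base block
    size = struct.unpack_from("<i", hive, off)[0]  # negative size marks an allocated (in-use) cell
    sig, _flags, ft = struct.unpack_from("<2sHQ", hive, off + 4)  # type field at the start of the cell
    if sig != b"nk":
        raise ValueError("cell %#x is not a key (nk) cell" % cell_index)
    n_sub, n_val = (struct.unpack_from("<I", hive, off + 4 + o)[0] for o in (0x14, 0x24))
    name_len = struct.unpack_from("<H", hive, off + 4 + 0x48)[0]
    name = hive[off + 4 + 0x4C: off + 4 + 0x4C + name_len].decode("latin-1")
    return {"allocated": size < 0, "size": abs(size), "name": name,
            "last_write": EPOCH_1601 + timedelta(microseconds=ft // 10),  # FILETIME (100 ns) -> UTC
            "subkeys": n_sub, "values": n_val}

def build_sample_hive():
    """Constructed sample: base block + one hbin holding a single root key named ROOT."""
    ft = int((datetime(2020, 1, 1, tzinfo=timezone.utc) - EPOCH_1601).total_seconds()) * 10_000_000
    body = struct.pack("<2sHQ", b"nk", 0x2C, ft) + b"\0" * 0x3C + struct.pack("<HH", 4, 0) + b"ROOT"
    cell = (struct.pack("<i", -0x58) + body).ljust(0x58, b"\0")  # allocated cell, padded to 8 bytes
    hbin = (b"hbin" + struct.pack("<II", 0, 4096) + b"\0" * 20 + cell).ljust(4096, b"\0")
    base = bytearray(BASE_BLOCK)
    base[0:12] = struct.pack("<4sII", b"regf", 7, 7)  # equal sequence numbers: clean state
    struct.pack_into("<6I", base, 20, 1, 5, 0, 1, 0x20, 4096)  # v1.5, root cell index 0x20, one hbin
    struct.pack_into("<I", base, 508, base_block_checksum(base))
    return bytes(base) + hbin
```

Run `read_key_cell(hive, parse_base_block(hive)["root_cell"])` on a real NTUSER.dat to see the same fields for its root key; a checksum mismatch or unequal sequence numbers is the first thing to note before trusting any timestamp from the hive.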
Registry Keys
• Not these kinds of keys (is this getting old yet?)
Important Registry Keys
• HKCU = HKEY_CURRENT_USER, HKLM = HKEY_LOCAL_MACHINE
• Recently run programs via the Run command
  – HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
• Typed URLs in Internet Explorer
  – HKCU\Software\Microsoft\Windows\Internet Explorer\TypedURLs
• Programs That Run at Startup
  – HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  – HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
  – HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  – HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
  – HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  – HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Registry Subkeys and Key Values
Shellbags
• Not this kind of shellbag (I don’t think I like this game any more…)
Shellbags
• What in the world is a “shellbag”?
  – SANS describes shellbags this way:
• “Windows uses the Shellbag keys to store user preferences for GUI folder display within Windows Explorer. Everything from visible columns to display mode (icons, details, list, etc.) to sort order are tracked. If you have ever made changes to a folder and returned to that folder to find your new preferences intact, then you have seen Shellbags in action. In the paper Using shellbag information to reconstruct user activities, the authors write that "Shellbag information is available only for folders that have been opened and closed in Windows Explorer at least once" [1]. In other words, the simple existence of a Shellbag sub-key for a given directory indicates that the specific user account once visited that folder. Thanks to the wonders of Windows Registry last write timestamps, we can also identify when that folder was first visited or last updated (and correlate with the embedded folder MAC times also stored by the key). In some cases, historical file listings are available. Given much of this information can only be found within Shellbag keys, it is little wonder why it has become a fan favorite.”
What’s in a Shellbag?
• Filtering through the mess above:
  – GUI folder display within Windows Explorer
  – Visible columns
  – Display mode (icons, details, list, etc.)
  – Sort order
  – Saved changes to a folder
  – An indication that a specific user account once visited a folder
  – When a folder was first visited or last updated (and correlate with the embedded folder MAC times also stored by the key)
  – Historical file listings (sometimes)
Common Shellbags
• Pre-Windows 7
  – HKEY_USERS\<USERID>\Software\Microsoft\Windows\Shell
  – HKEY_USERS\<USERID>\Software\Microsoft\Windows\ShellNoRoam
  – HKEY_USERS\<USERID>\Software\Microsoft\Windows\StreamsMRU
• Windows 7 (and presumably later)
  – USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  – USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
  – NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
  – NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
Summary
• The Windows Registry
• Registry Hives
• Registry File Layout
• Important Registry Keys
• Shellbags
Analysis of the Windows Registry
QUESTIONS?