WINDOWS XP REGISTRY:
Windows stores configuration data in registry. The registry is a hierarchical database, which you can describe it as s configuration database. Configuration database is the data which makes the operating system work. The registry is introduced to replace most text-based configuration files used in earlier versions of Windows operating systems, such as .ini files, autoexec.bat and config.sys files. The registry contains most of Windows XP’s settings for all the hardware, operating system software, non-operating system software, users, etc. Whenever a user makes changes to Control Panel settings, system policies, or installed software, the changes are reflected and stored in registry.
STRUCTURE OF WINDOWS REGISTRY:
The default Windows Registry Editor can be opened by typing regedit in the RUN window.
The registry can be seen as one unified “file system”. The left hand pane (also known as the Key Pane) an organized listing of what appear to be folders. The five most hierarchal folders are called “hives” and begin with “HKEY” (an abbreviation for Handle to a key). Although five hives can be seen, only two of these are actually “real”, HKEY_USERS (HKU) and HKEY_LOCAL_MACHINE (HKLM). The other three are shortcuts of two branches within one of the two hives. Each of these five hives is composed of keys, which contain values and subkeys.
Keys: Registry keys are similar to folders – in addition to values; each key can contain subkeys, which may contain further subkeys, and so on. Keys are referenced with syntax similar to Windows’ path names, using backslashes to indicate levels of Hierarchy. E.g. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows.
Values: Values are the names of certain items within a key, which uniquely identify specific values pertaining to the operating system, or to applications that depend upon that value.
Type: Each value’s type determines the type of data that it contains. It is like the file extension in Windows Explorer.
Data: Each value can be empty or null or can contain data. The data usually corresponds to the type, except that binary values can contain strings or anything else for the matter.
ROOT KEY FUNCTIONS:
Below are listed the five hierarchal hives seen in the above figure, with very basic description of the each.
1. HKEY_CLASSES_ROOT (HKCR) : HKCR contains two types of settings. The first is the file associations that associate different types of files with the programs that can open, print, and edit them. The second is class registrations for Component Object Model (COM – which is a Microsoft centric interface standard for software componentry) objects. This root key enables you to change a lot of the operating system’s behavior.
2. HKEY_CURRENT_USER (HKCU) :HKCU contains the console user’s per-user settings. This root key is a link to HKU\SID, where SID in the console user’s security identifier. This branch includes environment variables, desktop settings, network configurations, printers, and application preferences.
3. HKEY_LOCAL_MACHINE (HKLM): HKLM contains machine hardware-specific information that the operating system runs on. It includes a list of drives mounted on the system and generic configuration of installed hardware and applications.
4. HKEY_USERS (HKU) : HKU contains configuration of all user profiles on the system, which concerns application configuration, and visual setting.
5. HKEY_CURRENT_CONFIG (HKCC): HKCC stores information about the systems current configuration. It’s a link to HKLM\Config\profile.
IMPORTANCE OF REGISTRY ANALYSIS:
The registry is the heart and soul of the Microsoft Windows XP operating system and an exponential amount of information can be derived from it. Due to vast amount of information stored in Windows registry, the registry can be an excellent source for potential evidential data.
REGISTRY KEYS OF FORENSIC VALUE:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
MRU is the abbreviation for Most-Recently-Used. This Key maintains a list of recently opened or saved files. Files like .txt, .pdf, .jpg, .doc, .ppt, .avi etc. Subkey “*” contains the full file path to the 10 most recently opened/saved files. Other subkey in OpenSaveMRU contains more entries of files which are grouped accordingly to file extension.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
This key correlates to the OpenSaveMRU key to provide extra information. Each binary registry value under this key contains a recently used program executable filename, and the folder path of a file to which the program has been used to open or save it.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
This key also maintains list of files recently executed or opened through Windows Explorer. This key corresponds to %USERPROFILE%\Recent (My Recent Documents). This key contains local or network files that are recently opened and only the filename in binary is stored. It has similar grouping as the previous OpenSaveMRU key, files are organized according to file extension under respective subkeys.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
This key maintains a list of entries (e.g. full path or commands like cmd, regedit, etc) executed using the Start>Run commands. The MRUlist value maintains a list of alphabets which refer to respective values. The alphabets are arranged according to the order the entries is being added.
HKLM\SYSTEM\CurrentControlSet\Session Manager\Memory Management
This key maintains Windows virtual memory (paging file) configuration. The paging file (i.e. pagefile.sys) may contain evidential information that could be removed once the suspect computer is shutdown. This key contains a registry value called ClearPagefileAtShutdown which specify whether Windows should clear off the paging file when computer shutdowns. By default, Windows will not clear the paging file. However, suspect may modify this registry value to 1 to signify paging file clearing during system shutdown. Forensic investigator should check this value before shutting down a suspect computer during evidence collection process.
HKCU\Software\Microsoft\Search Assistant\ACMru
This key contains recent search terms using Windows default search. Subkey 5603 contains search terms for finding folder and filenames, while subkey 5604 contains terms for finding words or phrases in a file.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Each subkey in this key represents an installed program in the software in the computer. Each subkey usually contains these two common registry values – DisplayName (program name) and UninstallString (application Uninstall component’s files path, which indirectly refers to application installation path). Other possible useful registry values may exist, which includes information on install date, install source and applications version.
HKCU\Software\Microsoft\Internet Explorer\TypedURLs
This key contains a listing of 25 recent URLs (or file path) that is typed in the Internet Explorer (IE) or Windows Explorer address bar. The key will only show links that are fully typed, automatically completed while typing, or links that are selected from the list of stored URLs in IE address bar. Websites that are accessed via IE Favorites are not recorded. If suspect clears the URL history using Clear History via Internet Options menu, this key will be completely removed.
HKLM\SYSTEM\MountedDevices
This key makes it possible to view each drive associated with the system. It stores a database of mounted volumes that is used by the NTFS file system. The binary data for each \Dos\Devices\x: value contains information for identifying each volume. This is demonstrated in the figure below, where \DosDevice\F: is a mounted volume and listed as “STORAGE Removable Media”.
Your browser may not support display of this image.
Identification of volume \DosDevice\F:
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
Anytime a device is connected to the Universal Serial Bus (USB), drivers are queried and the device’s information is stored in the registry (i.e. thumb drives, cameras etc.). Beneath each of these devices is the Device ID, which is also a serial number. The serial numbers of these devices are a unique value assigned by the manufacturer, much like the MAAC address of a network interface card.
Your browser may not support display of this image.
Contents of USBSTOR key
But not every thumb drive will have a serial number, particularly those that have an “&” symbol for the second character of the Device ID. For example: 6&1543608a&0.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
This key contains two or more subkeys which have long hexadecimal names that appear as Globally Unique Identifiers (GUIDs). Each subkey record values that pertain to specific objects the user accessed on the system, such as Control Panel applets, shortcuts files, programs, etc. These values however, are encoded using ROT-13 encryption algorithm. This encryption is easy to decipher using online ROT-13 decoder, such as http://www.edoceo.com/utilis/rot13.php.
Your browser may not support display of this image.
UserAssist Key
Your browser may not support display of this image.
ROT-13 Cipher Decoded
With the UserAssist key, a forensic examiner can gain a better understanding of what types of files or applications have been accessed on a particular system. Even though these are not definitive, for they cannot be associated with a specific date and time, it may still indicated a specific action by the user.
CONCLUSION:
Given the popularity of the Windows Operating Systems, it is important for computer forensic experts to understand the complexity of the Windows Registry. The information and potential evidence the exist in the Registry make t a significant forensic resource; uncovering this data can be crucial to any computer related investigation. By understanding the fundamentals of the registry from forensics point of view, an examiner can develop a more accurate account of what occurred on the given machine. This document may not provide conclusive evidence in a registry analysis, but it does present some examples and explanations of what type of data can be found, how they can be found, and why they may be relevant to an examination.
REFRENCES:
Books
1. Derrick J. Farmer:- A Forensic Analysis of The Windows Registry.
2. Derrick J. Farmer: - A Windows Registry Quick Reference: For the Everyday Examiner.
3. Lih Wern Wong:- Forensic Analysis of The Windows Registry.
4. Peter Davies: - Forensics Analysis of the Windows Registry.
Online
1. Online ROT-13 Encoder/Decoder: - http://www.edoceo.com/utilis/rot.php
No comments:
Post a Comment