The Windows Registry is one of the more mysterious parts of the Windows operating system, and it lets us tweak and modify almost every part of Windows. Even though we work with the registry all the time, most people have only a vague understanding of what it really is and how to work with it. The Registry holds information used by Windows and by your programs: it helps the operating system manage the computer, it helps programs use the computer's resources, and it provides a place to keep the custom settings you make in both Windows and your programs. For example, when you change the Windows desktop, the changes are stored there. Whenever a user installs a program, a piece of hardware, or a device driver for newly connected hardware on a Windows system, the initial configuration settings are stored as keys and values in a system-defined, central hierarchical database called the Windows Registry.
Although nearly all Microsoft Windows users are aware that their system has a registry, few understand what it does, and even fewer understand how to manipulate it for their purposes. For a forensic analyst, the registry can be a treasure trove of evidence of what, where, when, and how something occurred on the system.
In this article, I want to help you to understand how the Windows registry works and what evidence it leaves behind when someone uses the system for good or ill.
What Is the Registry?
The registry is a database of stored configuration information about the users, hardware, and software on a Windows system. Although the registry was designed to configure the system, doing so requires it to track a plethora of information about the user's activities, the devices connected to the system, what software was used and when, and so on. All of this can be useful to the forensic investigator in tracking the who, what, where, and when of an investigation. The key is knowing where to look.
Hives
Inside the registry, there are root folders. These root folders are referred to as hives. There are five (5) registry hives.
- HKEY_USERS: contains all the loaded user profiles
- HKEY_CURRENT_USER: profile of the currently logged-on user
- HKEY_CLASSES_ROOT: configuration information on the applications used to open files
- HKEY_CURRENT_CONFIG: hardware profile of the system at startup
- HKEY_LOCAL_MACHINE: configuration information including hardware and software settings
Registry Structure
The registry is structured very similarly to the Windows directory/subdirectory structure. You have the five root keys or hives and then subkeys. In some cases, you have sub-subkeys. These subkeys then have descriptions and values that are displayed in the contents pane. Very often, the values are simply 0 or 1, meaning on or off, but also can contain more complex information usually displayed in hexadecimal.
Accessing the Registry
On our own system—not in a forensic mode—we can access the registry by using the regedit utility built into Windows. Simply type regedit in the search window and then click on it to open the registry editor like that below.
Information in the Registry with Forensic Value
For a forensic investigator, the registry can prove to be a treasure trove of information on who, what, where, and when something took place on a system, information that can directly link the perpetrator to the actions being called into question.
Information that can be found in the registry includes:
- Users and the time they last used the system
- Most recently used software
- Any devices mounted to the system including unique identifiers of flash drives, hard drives, phones, tablets, etc.
- When the system connected to a specific wireless access point
- What and when files were accessed
- A list of any searches done on the system
- And much, much more
Wireless Evidence in the Registry
Many hackers crack a local wireless access point and use it for their intrusions. That way, if the IP address is traced, it leads back to the neighbor's or some other wireless AP and not to them.
For example, back in January 2012, an Anonymous member, John Borrell III, hacked into the computer systems of the Salt Lake City police department and the Utah Chiefs of Police. The FBI was called in to investigate and they traced the hacker back to the IP address of Blessed Sacrament Church's Wi-Fi AP in Toledo, Ohio. The hacker had apparently cracked the password of the church's wireless AP and was using it to hack 'anonymously' on the Internet.
Eventually, the FBI was able to find the suspect through various investigation techniques, mostly low-tech, exhaustive, detective work. It helped that John Borrell had bragged on Twitter of his success as a hacker. Eventually, Mr. Borrell was convicted and sentenced to two years in Federal prison.
When the FBI tracked down Mr. Borrell and seized his computer, they were able to prove he had been connected to the church AP by examining his registry. The forensic investigator simply had to look in the registry at this location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
There you will find a list of GUIDs for the wireless access points the machine has connected to. Clicking on one reveals information including the SSID name and the date last connected, stored in hexadecimal. So, although Mr. Borrell initially denied his involvement in this hack, this evidence was conclusive and he eventually pleaded guilty.
The screenshot below shows that the perpetrator had connected to the 'HolidayInnColumbia' SSID in November 2014.
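Decoding the "date last connected in hexadecimal" mentioned above, as an added Python example that is not part of the original article. It assumes the profile's values have already been read (with winreg or an offline hive parser) into a dict; the profile itself is constructed sample data, and the NameType codes are the documented Windows constants.

```python
import struct
from datetime import datetime

# NameType codes used under NetworkList\Profiles (documented Windows constants).
NAME_TYPES = {0x06: "wired", 0x17: "broadband", 0x47: "wireless"}

def decode_systemtime(raw: bytes) -> datetime:
    """Decode the 16-byte SYSTEMTIME (eight little-endian WORDs) that regedit
    shows as hex in DateCreated and DateLastConnected."""
    if len(raw) != 16:
        raise ValueError(f"SYSTEMTIME must be 16 bytes, got {len(raw)}")
    year, month, dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    dt = datetime(year, month, day, hour, minute, second, ms * 1000)
    # SYSTEMTIME counts Sunday as 0, datetime.weekday() counts Monday as 0. A
    # mismatch means the bytes were mis-sliced or the value has been altered.
    if (dt.weekday() + 1) % 7 != dow:
        raise ValueError("day-of-week field disagrees with the date")
    return dt

def summarize_profile(values: dict) -> dict:
    """Turn the raw values of one profile GUID key into a readable record."""
    name_type = values["NameType"]
    return {
        "ssid": values["ProfileName"],
        "type": NAME_TYPES.get(name_type, f"unknown(0x{name_type:x})"),
        "created": decode_systemtime(values["DateCreated"]).isoformat(" "),
        "last_connected": decode_systemtime(values["DateLastConnected"]).isoformat(" "),
    }

# Constructed sample: the values of one profile key, as winreg or an offline
# hive parser would return them (SSID taken from the article's screenshot).
SAMPLE_PROFILE = {
    "ProfileName": "HolidayInnColumbia",
    "NameType": 0x47,
    "DateCreated": struct.pack("<8H", 2014, 11, 0, 9, 21, 4, 33, 0),          # Sun 2014-11-09
    "DateLastConnected": struct.pack("<8H", 2014, 11, 3, 12, 14, 35, 7, 123),  # Wed 2014-11-12
}

if __name__ == "__main__":
    print(summarize_profile(SAMPLE_PROFILE))
```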
The RecentDocs Key
The Windows registry tracks so much information about the user's activities. In most cases, these registry keys are designed to make Windows run more efficiently and smoothly. As a forensic investigator, these keys are like a road map of the activities of the user or attacker.
One of those keys is the 'RecentDocs' key. It tracks the most recent documents used or opened on the system by file extension. It can be found at:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
So, for instance, the most recently used Word documents would be found under the .doc or .docx extension, depending on the version of Word they were created in (each extension key holds up to the last 10 documents). If we go to the .docx key, we see the last 10 Word documents listed under it.
When we click on one of those values, it reveals information about the document, as seen below. We can view the document data in both hex, on the left, and ASCII, on the right. In this case, it shows that this document was a Metasploit course outline.
In some cases, an attacker will upload a .tar file, so that is a good place to look for breach evidence. In general, you won't see a .tar file extension on a Windows machine, so the presence of an entry here would be something that needs further investigation. Check the files in the .tar key and see what they might reveal about the attack or attacker.
In civil or policy violation investigations, evidence might be found in the various graphic file extensions such as .jpg, .gif, or .png.
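Reading a RecentDocs extension key the way the section describes, most recent first, as an added Python example that is not part of the original article. The key contents are constructed sample data, and the shortcut bytes that follow each document name are stand-ins; the real ordering value MRUListEx and the UTF-16LE name prefix are the documented layout.

```python
import struct

def parse_mrulistex(raw: bytes) -> list:
    """MRUListEx is a run of little-endian DWORDs, most recent first, ended by
    0xFFFFFFFF. Each DWORD is the name of a value ("0", "1", ...) in the key."""
    order = []
    for (idx,) in struct.iter_unpack("<I", raw):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def entry_filename(raw: bytes) -> str:
    """Each numbered value starts with the document name as a NUL-terminated
    UTF-16LE string (the ASCII column in regedit); a binary shortcut item follows."""
    end = raw.find(b"\x00\x00")
    # The terminator sits on an even offset; an odd hit is the high byte of one
    # character plus the low byte of the next (or of the terminator), so skip it.
    while end != -1 and end % 2:
        end = raw.find(b"\x00\x00", end + 1)
    if end == -1:
        raise ValueError("no UTF-16 terminator found")
    return raw[:end].decode("utf-16-le")

def recent_docs(key_values: dict) -> list:
    """Documents under one extension subkey (e.g. .docx), most recent first."""
    return [entry_filename(key_values[str(i)])
            for i in parse_mrulistex(key_values["MRUListEx"])]

def _entry(name: str) -> bytes:
    # Constructed sample value: name, terminator, then stand-in shortcut bytes.
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x32\x00" + b"\x00" * 16

# Constructed contents of RecentDocs\.docx; value "2" was opened most recently.
SAMPLE_DOCX_KEY = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
    "0": _entry("Q3-budget.docx"),
    "1": _entry("metasploit-course-outline.docx"),
    "2": _entry("resignation-letter.docx"),
}

if __name__ == "__main__":
    for rank, name in enumerate(recent_docs(SAMPLE_DOCX_KEY), 1):
        print(rank, name)
```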
TypedURLs Key
When the user types a URL in Internet Explorer, this value is stored in the registry at:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
When we open that key in the registry, it lists the last URLs the user typed into IE. This could reveal the source of the malware used in the breach, or, in civil or policy-violation investigations, what the user was looking for or at.
The values run from url1 (the most recent) to url25 (the oldest).
IP Addresses
The registry also tracks the IP addresses of the system's network interfaces. Note that there may be several interfaces; this key has a subkey per interface holding its IP address and related information.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
As we can see below, we can find the IP address assigned to the interface, the subnet mask, and the time when the DHCP server leased the IP. In this way, we can tell whether the suspect was using that particular IP at the time of the intrusion or crime.
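Turning the lease timestamps under an interface subkey into the "was this IP in use at the time" check described above, as an added Python example that is not part of the original article. The interface values are constructed sample data; LeaseObtainedTime and LeaseTerminatesTime are the documented Unix-epoch DWORDs.

```python
from datetime import datetime, timezone

def lease_window(values: dict) -> tuple:
    """LeaseObtainedTime and LeaseTerminatesTime are REG_DWORDs holding Unix epoch
    seconds (UTC), which regedit shows only as hex/decimal integers."""
    start = datetime.fromtimestamp(values["LeaseObtainedTime"], tz=timezone.utc)
    end = datetime.fromtimestamp(values["LeaseTerminatesTime"], tz=timezone.utc)
    return start, end

def held_ip_at(values: dict, ip: str, when_iso: str) -> bool:
    """True if this interface's recorded DHCP lease covered `ip` at `when_iso`
    (ISO 8601 with a UTC offset). Only the most recent lease survives in the key,
    so a False result does not rule out an earlier lease of the same address."""
    when = datetime.fromisoformat(when_iso)
    if when.tzinfo is None:
        raise ValueError("give the incident time with a UTC offset; lease times are UTC")
    if values.get("DhcpIPAddress") != ip:
        return False
    start, end = lease_window(values)
    return start <= when <= end

# Constructed sample: values of one Interfaces\{GUID} subkey.
SAMPLE_INTERFACE = {
    "DhcpIPAddress": "192.168.1.107",
    "DhcpSubnetMask": "255.255.255.0",
    "DhcpServer": "192.168.1.1",
    "LeaseObtainedTime": 1415793600,    # 2014-11-12 12:00:00 UTC
    "LeaseTerminatesTime": 1415880000,  # 2014-11-13 12:00:00 UTC, a 24-hour lease
}

if __name__ == "__main__":
    start, end = lease_window(SAMPLE_INTERFACE)
    print(f"{SAMPLE_INTERFACE['DhcpIPAddress']} leased {start:%Y-%m-%d %H:%M} to {end:%Y-%m-%d %H:%M} UTC")
    # An incident logged at 15:30 US Eastern (UTC-5) falls inside the lease.
    print(held_ip_at(SAMPLE_INTERFACE, "192.168.1.107", "2014-11-12T15:30:00-05:00"))
```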
Start Up Locations in the Registry
As forensic investigators, we often need to find which applications or services were set to start when the system boots. Malware is often set to start each time the system restarts so that the attacker stays connected. This information can be found in literally tens of locations in the registry. We will look at just a few of the most commonly used keys.
Probably the most used location is:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Any program listed in the values under this key starts every time the system starts. Rootkits and other malicious software can often be found here, so that they run on every boot.
RunOnce Startup
If the hacker just wanted the software to run once at startup, the entry may be set here instead.
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Start Up Services
The key below lists all the services set to start at system startup. If a service's Start value is set to 2, the service starts automatically; if it is 3, the service must be started manually; and if it is 4, the service is disabled.
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
Start Legacy Applications
When legacy 16-bit applications are run, the program listed in the following key is run:
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WOW
Start When a Particular User Logs On
The values under the following key are run when that specific user logs in.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Storage Artifacts in the Registry
Often, the suspect will use a Flash drive or hard drive for their malicious activities and then remove them so as not to leave any evidence. The skilled forensic investigator, though, can still find traces of evidence of those storage devices within the registry, if they know where to look.
The registry on a Windows system varies a bit from version to version. A skilled, professional digital forensic investigator needs to be able to work with nearly all versions of Windows and other operating systems. Since Windows 7 is still the most widely used operating system, by far, I will be demonstrating on it. Keep in mind, though, that this will vary slightly between versions.
USB Storage Devices
Imagine a case where we suspect that someone installed a keylogger or removed confidential information with a USB drive. How would we find evidence that a USB storage device was inserted and used? To find evidence of USB storage devices, we want to look at the following key.
HKEY_LOCAL_MACHINE\System\ControlSet00x\Enum\USBSTOR
In this key, we will find evidence of any USB storage device that has ever been connected to this system. Expand USBSTOR to see a listing of every USB storage device ever connected to this system.
In the screenshot above, I have circled one suspicious looking USB device. When we expand it, it reveals a unique identifier for that device. By clicking on this identifier, we can find much more information about the device.
As you can see in the screenshot above, when we click on the USB storage identifier, it reveals in the right-hand window the Global Unique Identifier (GUID), the friendly name, and the hardware ID, among other things. This may be exactly the evidence we need to tie the suspect to their activity on this system!
Mounted Devices
If the suspect used any hardware device that must be mounted to either read or write data (CD-ROM, DVD, hard drive, flash drive, etc.), the registry will record the mounted device. This information is stored at:
HKEY_LOCAL_MACHINE\System\MountedDevices
As you can see below, when we click on this key, it provides us a long list of every device ever mounted on that machine.
If we need further information on any of those mounted devices, we can simply click on it, and it will open a small app that will enable us to read the data in ASCII. As you can see, this device was an IDE CD-ROM manufactured by Teac.
If there is no TEAC CD-ROM on the system, the forensic investigator now knows that they need to find that piece of hardware to recover further evidence of the crime.
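Parsing the USBSTOR subkey names and the MountedDevices values described in the last two sections, and tying a USB serial to the drive letter it was mounted as, as an added Python example that is not part of the original article. The MountedDevices contents are constructed sample data (the device-class GUIDs are the real Windows ones), and the values are assumed to be read already, e.g. with winreg or an offline hive parser.

```python
import re
import struct
import uuid

USBSTOR_DEVICE = re.compile(r"^(?P<class>\w+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$")

def parse_usbstor_instance(device_key: str, instance_key: str) -> dict:
    """Split a USBSTOR subkey (Disk&Ven_...&Prod_...&Rev_...) and its child
    instance key (<serial>&<n>). If the instance key's second character is '&',
    the device reported no serial and Windows generated the id, so it does not
    identify one physical stick."""
    m = USBSTOR_DEVICE.match(device_key)
    if not m:
        raise ValueError(f"not a USBSTOR device key: {device_key}")
    return {**m.groupdict(), "serial": instance_key.rsplit("&", 1)[0],
            "serial_is_unique": instance_key[1:2] != "&"}

def decode_mounted_device(data: bytes) -> dict:
    """Decode one MountedDevices value: 12 bytes = MBR disk signature + partition
    offset, 'DMIO:ID:' + GUID = GPT partition, otherwise a UTF-16LE device path."""
    if len(data) == 12:
        sig, offset = struct.unpack("<IQ", data)
        return {"kind": "mbr", "disk_signature": f"{sig:08x}", "offset": offset}
    if data.startswith(b"DMIO:ID:"):
        return {"kind": "gpt", "partition_guid": str(uuid.UUID(bytes_le=data[8:24]))}
    path = data.decode("utf-16-le")
    rec = {"kind": "device_path", "path": path}
    parts = path.split("#")
    if len(parts) >= 3 and parts[0].endswith("USBSTOR"):
        rec.update(parse_usbstor_instance(parts[1], parts[2]))  # same fields as the USBSTOR key
    return rec

def drive_letters_for_serial(mounted: dict, serial: str) -> list:
    r"""Drive letters (\DosDevices\X: values) a USBSTOR serial was ever mounted as."""
    return sorted(name[-2:] for name, data in mounted.items()
                  if name.startswith("\\DosDevices\\")
                  and decode_mounted_device(data).get("serial") == serial)

# Constructed sample of MountedDevices; the device-class GUIDs are the real Windows ones.
USB_PATH = ("_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26#4C530001230212345678&0"
            "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le")
SAMPLE_MOUNTED = {
    r"\DosDevices\C:": bytes.fromhex("a1b2c3d4") + struct.pack("<Q", 1048576),
    r"\DosDevices\D:": r"\??\IDE#CdRomTEAC_DV-W28S-V_1.0A#5&1a6e6f8&0&0.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}".encode("utf-16-le"),
    r"\DosDevices\E:": USB_PATH,
    r"\DosDevices\F:": b"DMIO:ID:" + uuid.UUID("9e3f4a5b-6c7d-4e8f-90a1-b2c3d4e5f607").bytes_le,
    r"\??\Volume{0c1d2e3f-0000-4000-8000-000000000001}": USB_PATH,
}
```

Decoding the E: entry yields the same vendor, product and serial fields found under USBSTOR, which is how the drive letter in a user's RecentDocs or LNK artefacts is matched back to a specific stick.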
The registry is a repository of volumes of information on what happened on a Windows system, and by learning our way around it, we can reconstruct the elements of a crime the system was used for.