Thursday, July 30, 2015

Windows Registry and Registry Artifacts

During the next few minutes I will explain the Windows Registry and why it's important to us.  I'd like to start by saying that each version of the Windows operating system varies.  An entry that exists in Windows XP may not exist in Windows Vista but appear again in Windows 7; however, the majority of these entries will exist in one form or another.  Despite the varying entries, an incredible amount of information can be gleaned from the Registry.  As a rule of thumb I will be referencing registry information for Windows 7 or later.

DISCLAIMER - Modifying the registry is a dangerous operation and can very possibly make your system unusable (at least temporarily).  This entry is not intended to help you modify a registry but instead to help you use the registry to obtain important information about a Windows based computer.

A Definition:

The Windows Registry is a hierarchical database containing settings for the Windows kernel, security, drivers, and other important configurations that make the operating system function.
The database is made up of KEYS.  There are a total of 5 top-level keys in the majority of modern versions of Windows.

While a computer is up and running, these registry entries are stored in RAM and maintained there by the operating system.  They are written to disk before shutdown.  With that in mind, I would like to remind you that a good old fashioned RAM dump is a good way to preserve volatile data (thank you, Volatility).  As a user on this running computer you can access the registry (and modify it) using the Windows utility REGEDIT.  To open regedit select Start > Run and simply type regedit.  A demonstration of regedit can be seen below:

When a system is shut down, the data is written to disk.  Much of the important data is stored in HIVES.  There are five essential hives.  Four of these hives are usually (there is a way to change this) located in C:\Windows\System32\config\.  Those hives are the SAM, SYSTEM, SECURITY, and SOFTWARE hives.  The last one, NTUSER.DAT, is located in C:\Users\%Username%\.  These are the most important hives for us.

For incident response purposes it is also possible to "Export" registry keys for further analysis on another machine.  To do that from regedit, simply select the key that you wish to export and choose File > Export.  You will be required to enter a name for the exported item.  You can also select the "ALL" option under "Export Range" to export the complete registry.  I've selected the ALL option in the example below, which is great for backing up a registry.  Also below you can see that there is an option to export the registry as a txt file, which displays the information in a more human readable format:

An example of a txt file export can be seen below.  Be aware that if you export a large registry key the file may be too large to open in Notepad.  Wordpad may be able to open it.  However, if you know what registry information you want, you can limit your export to just what you need.

So what kind of information can we obtain from the registry?  All kinds of information!  For example, HKEY_LOCAL_MACHINE\SYSTEM\ControlSet###\Control\TimeZoneInformation\TimeZoneKeyName holds the time zone information:

The NTUSER.DAT file shows the user's wallpaper name and path for that account, Internet Explorer's start page, typed URLs and times, and recent documents.  The SYSTEM hive can contain the last normal shutdown time for the machine, time zone information, and the computer name, while the SOFTWARE hive contains the Windows installation date, Registered Owner and Organization information, last logged on username, and more.
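Once a key has been exported as described above, the resulting .reg text can be parsed offline on the analysis machine. The following is an added example, not code from the original post: a small parser for the regedit export format (quoted REG_SZ strings, dword:, and the hex(...) forms, including the backslash-wrapped continuation lines regedit writes), followed by a summary of the SOFTWARE and SYSTEM values the post calls out. The sample export is constructed; the key paths are the real locations (RegisteredOwner sits under ...\Windows NT\CurrentVersion, and the on-disk SYSTEM hive uses ControlSet001 rather than CurrentControlSet), but the values are made up.

```python
"""Parse a regedit .reg export and pull out investigation-relevant values.

Added example with a constructed sample export; it is not from any real system."""
import re
from datetime import datetime, timezone
from typing import Any, Dict

# Constructed sample of what File > Export (Registration Files) writes for two keys.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"RegisteredOwner"="Example User"
"RegisteredOrganization"="Example Org"
"InstallDate"=dword:55b9a2c0
"ProductName"="Windows 7 Professional"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation]
"TimeZoneKeyName"="Eastern Standard Time"
"Bias"=dword:0000012c
"StandardName"=hex(2):45,00,61,00,73,00,74,00,65,00,72,00,6e,00,20,00,53,00,74,\
  00,61,00,6e,00,64,00,61,00,72,00,64,00,20,00,54,00,69,00,6d,00,65,00,00,00
"""


def _unescape(s: str) -> str:
    # .reg files escape backslashes and double quotes inside quoted strings
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _decode_value(data: str) -> Any:
    """Decode the right-hand side of a name=value line."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])                       # REG_SZ
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)               # REG_DWORD, written in hex
    m = re.match(r"hex(?:\(([0-9a-fA-F]+)\))?:(.*)$", data)
    if m:
        kind = (m.group(1) or "3").lower()                 # bare "hex:" is REG_BINARY (type 3)
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind in ("1", "2"):                             # REG_SZ / REG_EXPAND_SZ as UTF-16LE
            return raw.decode("utf-16-le").rstrip("\x00")
        if kind == "7":                                    # REG_MULTI_SZ: NUL-separated list
            return [s for s in raw.decode("utf-16-le").split("\x00") if s]
        if kind == "b":                                    # REG_QWORD, little endian
            return int.from_bytes(raw, "little")
        return raw
    return data                                            # unknown form: keep the raw text


def parse_reg_export(text: str) -> Dict[str, Dict[str, Any]]:
    """Return {key_path: {value_name: decoded_value}} for a .reg export."""
    # regedit wraps long hex values with a trailing backslash; rejoin those lines first
    text = re.sub(r",\\\r?\n[ \t]*", ",", text)
    keys: Dict[str, Dict[str, Any]] = {}
    current = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        name, sep, data = line.partition("=")
        if not sep:
            continue
        name = "(Default)" if name == "@" else _unescape(name.strip('"'))
        keys[current][name] = _decode_value(data.strip())
    return keys


# Values the post calls out as worth pulling from the SOFTWARE and SYSTEM hives.
ARTIFACT_NAMES = {"RegisteredOwner", "RegisteredOrganization", "ProductName",
                  "TimeZoneKeyName", "Bias"}


def summarize_artifacts(keys: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """Flatten the parsed export into a small report; InstallDate is Unix epoch seconds."""
    report: Dict[str, Any] = {}
    for values in keys.values():
        for name, value in values.items():
            if name in ARTIFACT_NAMES:
                report[name] = value
            elif name == "InstallDate" and isinstance(value, int):
                report[name] = datetime.fromtimestamp(value, tz=timezone.utc).isoformat()
    return report


if __name__ == "__main__":
    for k, v in summarize_artifacts(parse_reg_export(SAMPLE_REG_EXPORT)).items():
        print(f"{k:24s} {v}")
```

Because the export is plain text, this is also a workable route for the very large exports the post mentions that Notepad cannot open: parse the file instead of reading it by eye, and keep only the keys you actually need.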

So how do we get to this information on an Image File?

From within Windows we can load these hives into the REGEDIT utility and view them.  To access the content of an E01 file I would recommend using FTK Imager to mount the image and then accessing the data.

Once the application is open select File > Image Mounting ...

Browse to your Image File and select it by clicking on the ellipses next to the Image File box.

I usually mount at both the physical and logical level and would always recommend the Block Device/Writable option.  This option doesn't actually change the image; the cache folder selection stores a new file, called an Access Data Cache file, that holds the changes and acts as a go-between.  This is helpful when software needs to make changes to a read-only file (like an E01) because the cache simulates the writes and most programs cannot tell the difference.

Once the image has been mounted you should see it in the Mapped Image list as seen above.

Next go to regedit, highlight a primary key and select the LOAD HIVE as seen below.

Be very careful when bringing a suspect hive into regedit.  If you select File > Import you will load that hive as if it were your own and royally botch your machine up (that's fixable too, but it won't be fun).  DO NOT DO THIS!!!  If you wish to view the exported hive, select one of the primary keys (I always use HKEY_LOCAL_MACHINE) and then File > Load Hive.

You will be required to name the new hive.  Once completed the hive will be brought into regedit and you will be able to see it.

Below is regedit with the hive loaded from the suspect's image, mounted with FTK Imager from the E01 file.  (A Windows upgrade occurred between these screenshots, but the Windows 10 and Windows 7 regedit software is similar or the same.)  This is followed by a screenshot of the Registered Owner information stored in the suspect's \SOFTWARE\Microsoft\Windows NT\RegisteredOwner key.

This is the basic information needed to access these registry hives from a suspect machine using the Windows built-in regedit.  As a side note, if you are dealing with the SAM hive, you will have to change the permissions to allow you to access it.

Then don't forget to refresh your view (F5 hotkey, or select Refresh from the View menu).

If you dig down into the SAM hive you can find the user account names and the RIDs (in hex) associated with those accounts.

You can associate a RID with one of the hex-named folders.  Those folders contain the V and F values for that user.

The F value contains a user's last login date and time (highlighted above) as a 64-bit little endian value.  Password Last Set can be found starting at offset 18 for 8 bytes and Last Failed Logon can be found at offset 28 for 8 bytes (all 64-bit little endian).
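Reading those timestamps by hand out of regedit's hex view is error-prone, so here is an added example (not code from the original post) that decodes the RID from the hex key name and the three FILETIME fields from a raw F value. The offsets 18 and 28 above are taken as hexadecimal (0x18 and 0x28), which matches the documented F-value layout; the last-logon field at 0x08 is an assumption on my part, since the post only points at it in the screenshot. The F value used here is constructed, and the code handles the two sentinel values (0 and 0x7FFFFFFFFFFFFFFF) Windows stores for "never".

```python
"""Decode SAM user artefacts: RID from the hex key name and the timestamps
inside the F value. Added example; the F value below is constructed."""
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks since 1601-01-01 UTC and is stored little endian.
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF   # sentinel Windows uses for "never"

# Byte offsets of the 8-byte FILETIMEs inside the F value. 0x18 and 0x28 are the
# post's "offset 18" and "offset 28" read as hex; 0x08 for last logon is assumed.
F_FIELDS = {
    "last_logon": 0x08,
    "password_last_set": 0x18,
    "last_failed_logon": 0x28,
}


def rid_from_key_name(name: str) -> int:
    """SAM\\Domains\\Account\\Users\\000003E8 -> 1000 (hex subkey name to RID)."""
    return int(name, 16)


def filetime_to_datetime(ft: int):
    """Convert a FILETIME to a UTC datetime; 0 and the 'never' sentinel give None."""
    if ft in (0, NEVER):
        return None
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, using integer arithmetic to avoid float loss."""
    delta = dt - WINDOWS_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds
    return micros * 10


def parse_f_value(f: bytes) -> dict:
    """Read the three timestamps out of a raw F value."""
    needed = max(F_FIELDS.values()) + 8
    if len(f) < needed:
        raise ValueError(f"F value too short: {len(f)} bytes, need at least {needed}")
    out = {}
    for field, offset in F_FIELDS.items():
        (ft,) = struct.unpack_from("<Q", f, offset)   # '<Q' = little-endian uint64
        out[field] = filetime_to_datetime(ft)
    return out


def build_sample_f(last_logon=None, password_last_set=None, last_failed_logon=None) -> bytes:
    """Construct a 0x50-byte F value with the given timestamps (None -> never)."""
    buf = bytearray(0x50)
    for field, dt in (("last_logon", last_logon),
                      ("password_last_set", password_last_set),
                      ("last_failed_logon", last_failed_logon)):
        struct.pack_into("<Q", buf, F_FIELDS[field], datetime_to_filetime(dt) if dt else 0)
    return bytes(buf)


# Constructed sample: one account, with the subkey name as it appears in the SAM.
SAMPLE_KEY_NAME = "000003E8"
SAMPLE_F = build_sample_f(
    last_logon=datetime(2015, 7, 29, 14, 30, tzinfo=timezone.utc),
    password_last_set=datetime(2015, 1, 15, 9, 0, tzinfo=timezone.utc),
    last_failed_logon=None,   # no failed logon recorded
)

if __name__ == "__main__":
    print("RID", rid_from_key_name(SAMPLE_KEY_NAME))
    for k, v in parse_f_value(SAMPLE_F).items():
        print(f"{k:20s} {v.isoformat() if v else 'never'}")
```

To run this against a real hive, export the user's subkey from regedit as described earlier and feed the bytes of its F value to parse_f_value; the timestamps come back in UTC, so apply the TimeZoneInformation from the SYSTEM hive when you want local time.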

This is just an example of what the registry holds.  I hope you take some time to look at your own registry and see what other important information you can find hiding in there.

In my next post I will be covering how to view a Windows registry from the Linux environment and listing a bunch of registry values that might be important to your investigation. 
