Windows Registry Forensics


Information that can be recovered includes:

System Configuration
Devices on the System
User Names
Personal Settings and Browser Preferences
Web Browsing Activity
Files Opened
Programs Executed
Passwords
Registry Forensics

Registry analysis can be performed in four ways:

GUI-based live-system analysis
  Easiest, but most likely to change the registry being examined.
  Uses regedit.
Command-line live-system analysis
  Less risky.
  Uses the reg command.
Remote live-system analysis
  regedit can connect to a remote registry.
  SuperScan from Foundstone.
Offline analysis of registry files
  EnCase and FTK (AccessData) have specialized tools.
  regedit can also load a registry dump.

Physically, the Registry isn't one large file but a set of discrete files called hives.
The five folder-like structures at the top of the hierarchy are also called hives, and their names begin with the designation HKEY (an abbreviation for Handle to a Key).

There are five such root hives, but only two of them are real: HKEY_USERS (HKU) and HKEY_LOCAL_MACHINE (HKLM).
The other three are shortcuts or aliases to branches within one of the two actual hives.
All hives have keys, which contain values and subkeys.

Name                  Abbreviation
HKEY_CLASSES_ROOT     HKCR
HKEY_CURRENT_USER     HKCU
HKEY_LOCAL_MACHINE    HKLM
HKEY_USERS            HKU
HKEY_CURRENT_CONFIG   HKCC


HKEY_CLASSES_ROOT (HKCR)
Maintains the information that ensures the right program opens a file when it is launched from Windows Explorer, i.e. which program opens .txt, .bmp files, etc. It also contains additional details on shortcuts, drag-and-drop rules and the user interface. Alias for HKLM\Software\Classes.
HKEY_CURRENT_USER (HKCU)
Contains the configuration information for the current user, such as folders, screen colors and Control Panel settings. It is an alias for the user-specific branch in HKEY_USERS. Generic information that usually applies to all users is found in HKU\.DEFAULT.
HKEY_LOCAL_MACHINE (HKLM)
Hardware-specific information about the machine the operating system runs on. Also contains the list of mounted drives and generic configurations of installed hardware and applications.
HKEY_USERS (HKU)
All user profiles on the system, including application configurations and visual settings.
HKEY_CURRENT_CONFIG (HKCC)
Stores information about the system's current configuration. Alias for HKLM\Config\profile.

VALUES
Each key has one or more values. A value has three parts: Name, Type and Data.

Value Part   Description
Name         Every value has a unique name within its key.
Type         The value's type determines the kind of data the value contains. Common value types are REG_BINARY (binary data), REG_DWORD (double-word, 32-bit data) and REG_SZ (fixed-length string data).
Data         The value's data, which is interpreted according to the value's type.

HKLM and HKU are the only root keys that Windows physically stores in files. HKCU is a symbolic link to a subkey in HKU; HKCR and HKCC are symbolic links to subkeys in HKLM.

The main, core system Registry hive files (specifically SAM, Security, Software, Default and System) can be found in the Windows\system32\config directory:

Hive                         File Location
HKEY_LOCAL_MACHINE\SYSTEM    \system32\config\system
HKEY_LOCAL_MACHINE\SAM       \system32\config\sam
HKEY_LOCAL_MACHINE\SECURITY  \system32\config\security
HKEY_LOCAL_MACHINE\SOFTWARE  \system32\config\software
HKEY_USERS\.DEFAULT          \system32\config\default

In addition there are some hives that don't have associated files because of their volatility. The system creates and manages these hives entirely in memory; they are temporary in nature and are recreated at every system boot. Examples of volatile hives are:
HKEY_LOCAL_MACHINE\HARDWARE
HKEY_LOCAL_MACHINE\SYSTEM\Clone

WINDOWS REGISTRY SLACK SPACE

Data that has been deleted but left behind in Registry hive files, and is not part of the active hive structure itself.
Forensically interesting locations in the Registry
Autorun locations that list applications to run automatically when the computer boots
Lists of the most recently used files or applications
URLs accessed from the system
All USB storage devices that have been attached to the computer
Internet Search Assistant
Printers, Computers and People
Remote Desktop Connections
MSPaint Recent Files
Mapped Network Drives
Windows Explorer searches
WordPad Recent Files
Excel Recent Files
Internet Explorer stores its data in the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer key. Three subkeys within the Internet Explorer key are important to a forensic analyst.
The first is HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main. The user's settings for Internet Explorer are stored in this key: search bars, form settings, start pages, etc.
The second, and most informative, subkey is HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs. A user who visited unwanted sites may have deleted those URLs from this list.
The third subkey that may interest a forensic analyst is HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download. It shows the last directory used to store a file downloaded from Internet Explorer, pointing to where the user stores their files.
Online (live) analysis of the registry
Offline analysis of the registry
Tools covered
Live Analysis (Free / Open Source)
Microsoft PowerShell Scripting
Autoruns
SysInternals Tools
Offline Analysis (Free / Open Source)
Registry Decoder
Windows PowerShell
Microsoft's task automation framework, consisting of a command-line shell and an associated scripting language.
Built on the .NET Framework.
Provides full access to COM and WMI.
Lets administrators perform administrative tasks on both local and remote Windows systems.
e.g. after starting PowerShell, enter the command shown below (the key path contains a space, so it must be quoted):
Get-ItemProperty "HKCU:\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TYPEDURLS"
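The single Get-ItemProperty call above only reads the hive of the account running PowerShell. The following script, an added example that is not part of the original notes, walks every user hive loaded under HKEY_USERS so that TypedURLs can be reviewed per user on a live system. It assumes read access to HKU; the TypedURLsTime key (present from IE10 / Windows 8 onward, one 8-byte FILETIME per url slot) is decoded only when it exists.

```powershell
# Added example: Internet Explorer TypedURLs for every loaded user hive.
# url1 is the most recently typed entry; higher slot numbers are older.

function Get-TypedUrlHistory {
    $hives = Get-ChildItem 'Registry::HKEY_USERS' |
             Where-Object { $_.PSChildName -notlike '*_Classes' }   # skip the per-user Classes hives

    foreach ($hive in $hives) {
        $base = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Internet Explorer"
        if (-not (Test-Path "$base\TypedURLs")) { continue }

        $urls  = Get-Item "$base\TypedURLs"
        $times = if (Test-Path "$base\TypedURLsTime") { Get-Item "$base\TypedURLsTime" } else { $null }

        # value names are url1, url2, ...; sort numerically rather than as strings
        $slots = $urls.GetValueNames() |
                 Where-Object { $_ -match '^url\d+$' } |
                 Sort-Object { [int]($_ -replace '^url', '') }

        foreach ($slot in $slots) {
            $typedUtc = $null
            if ($times) {
                # TypedURLsTime holds a REG_BINARY FILETIME (UTC) under the same slot name
                $ft = $times.GetValue($slot)
                if ($ft -is [byte[]] -and $ft.Length -ge 8) {
                    $typedUtc = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($ft, 0))
                }
            }
            [pscustomobject]@{
                UserSid  = $hive.PSChildName
                Slot     = $slot
                Url      = $urls.GetValue($slot)
                TypedUtc = $typedUtc
            }
        }
    }
}

Get-TypedUrlHistory | Format-Table -AutoSize
```

Only hives of users who are currently logged on (plus .DEFAULT and the service accounts) are loaded under HKU; for other profiles, load the NTUSER.DAT file with reg load first, or use one of the offline tools listed below.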
Autoruns
Shows the various locations where programs are configured to run automatically.
Using PsExec, Autoruns can be run remotely.
It is possible to access the Windows Registry of a remote system using regedit.exe or reg.exe, but only the HKEY_LOCAL_MACHINE and HKEY_USERS keys are directly accessible.
Registry Decoder
Its purpose is to help automate the acquisition, analysis and reporting of the contents of the Windows Registry.
Registry Decoder consists of two components: a live data acquisition tool (Registry Decoder Live) and an offline analysis tool (Registry Decoder).
Run the registry acquisition first; the resulting directory can then be imported into the offline analysis tool. Once the data is imported, Registry Decoder can perform an offline analysis of the Windows Registry.
To begin the offline analysis a new case needs to be initiated using the offline tool. To initiate a new case, run Registry Decoder and click Next on the first form; this brings you to the case information form.
Examination of the MRU lists, together with examination of the Windows Registry, can detect which files were written to removable devices. Recently used file lists are also kept on disk at:
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent

Each file in a system is associated with MAC times.
MAC - Modified, Accessed, and Created
Whenever a file is copied, moved or opened, its accessed time changes.
If changes are made to the file, both the modified and accessed times change.
The created time is set when the file is created.
Determining whether an important file has been copied to a USB device in Windows 7

1. Identify the file suspected of being copied.
2. Right-click the file, open Properties and note the MAC times.
3. Find the Vendor ID, Product ID and Version:
   SYSTEM\CurrentControlSet\Enum\USBSTOR
4. Find the serial number:
   SYSTEM\CurrentControlSet\Enum\USBSTOR
5. Determine the ParentIdPrefix:
   SYSTEM\CurrentControlSet\Enum\USBSTOR
6. Determine the drive letter the device was mapped to:
   HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices - search for the ParentIdPrefix.
   Determine the drive letter the device was mapped to on the basis of the serial number obtained in step 4.
7. Identify the volume GUIDs:
   SYSTEM\MountedDevices - search for the ParentIdPrefix.
   Identify the volume GUIDs on the basis of the serial number. On the right-hand side, click each Name entry and search for the ParentIdPrefix. The volume GUIDs for each device are listed as \??\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.
8. Find the user that used the specific USB device:
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 - search for the device GUID.
   Find the user profile that used the specific USB device on the basis of the device GUID.
9. Determine the last time the device was connected:
   SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b} - search for the serial number.
   Determine the last time the device was connected on the basis of the serial number.
   Case 1: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{GUID}
   Case 2: If no data is obtained from case 1, use HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_125F&PID_CB40\12B220719217011A

10. Identify the first time the device was connected:
   Whenever a flash drive is connected to the system for the first time, all of its events are recorded in C:\Windows\inf\setupapi.dev.log. Search this file for the device serial number to discover the first time the device was connected.
   To determine the first time the device was connected after the last reboot, search on the basis of the serial number, right-click the key, export it to a text file and search for the last write time.
From the above it can be concluded that the data was copied to the USB device: the MAC times of the file suspected of being copied (xxx.xxx) are checked and compared with the time obtained through the registry analysis. It was observed from the Modified, Accessed and Created times of the file on the system that the access time of xxxx.xxx changed within the vicinity of the last write time of the device. Hence it may be concluded that the USB device was connected at that particular time and that this device is the one in question. Taken together, the things analyzed so far indicate that the file was copied to the USB disk.
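Steps 3 to 9 above are a manual walk through USBSTOR, MountedDevices, MountPoints2 and DeviceClasses. The script below is an added example, not part of the original notes, that performs the same walk on a live Windows 7 system from an elevated PowerShell and correlates the pieces by serial number. It assumes the key paths named in the steps; the -SystemRoot parameter is a hypothetical convenience so the same function can be pointed at a loaded offline SYSTEM hive, while MountPoints2 is always read from the current user's hive. Because Get-Item does not expose a key's last-write time, the native RegQueryInfoKey call is used for step 9.

```powershell
# Added example: automates steps 3-9 of the Windows 7 USB-tracing procedure.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class RegNative {
    // Returns a key's LastWriteTime as a FILETIME (not available through Get-Item).
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int RegQueryInfoKey(IntPtr hKey, IntPtr lpClass, IntPtr lpcbClass,
        IntPtr lpReserved, out uint subKeys, out uint maxSubKeyLen, out uint maxClassLen,
        out uint values, out uint maxValueNameLen, out uint maxValueLen,
        out uint securityDescriptor, out long lastWriteTime);
}
"@

function Get-RegKeyLastWriteUtc {
    param([Microsoft.Win32.RegistryKey]$Key)
    $a = $b = $c = $d = $e = $f = $g = [uint32]0
    $ft = [long]0
    $rc = [RegNative]::RegQueryInfoKey($Key.Handle.DangerousGetHandle(), [IntPtr]::Zero, [IntPtr]::Zero,
        [IntPtr]::Zero, [ref]$a, [ref]$b, [ref]$c, [ref]$d, [ref]$e, [ref]$f, [ref]$g, [ref]$ft)
    if ($rc -eq 0) { [DateTime]::FromFileTimeUtc($ft) }
}

function Get-UsbStorageHistory {
    param([string]$SystemRoot = 'HKLM:\SYSTEM\CurrentControlSet')   # hypothetical parameter
    $diskClassGuid = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'         # disk interface class (step 9)

    # Steps 6-7: MountedDevices values are REG_BINARY; for USB disks the data is a UTF-16LE
    # device-instance string that contains '#<serial>#', so it ties letters and volume GUIDs to a device.
    $mounted  = Get-Item 'HKLM:\SYSTEM\MountedDevices'
    $mountMap = @{}
    foreach ($name in $mounted.GetValueNames()) {
        $data = $mounted.GetValue($name)
        if ($data -is [byte[]]) { $mountMap[$name] = [Text.Encoding]::Unicode.GetString($data) }
    }

    # Step 8: volume GUIDs that the current user's profile has mounted
    $mp2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    $userVolumes = @(Get-ChildItem $mp2 -ErrorAction SilentlyContinue | ForEach-Object { $_.PSChildName })

    # Steps 3-5: USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<version>\<serial>&<instance>
    foreach ($device in Get-ChildItem "$SystemRoot\Enum\USBSTOR") {
        foreach ($instance in Get-ChildItem $device.PSPath) {
            $serial  = $instance.PSChildName
            $props   = Get-ItemProperty $instance.PSPath
            $needle  = [regex]::Escape("#$serial#")
            $hits    = @($mountMap.Keys | Where-Object { $mountMap[$_] -match $needle })
            $letters = @($hits | Where-Object { $_ -like '\DosDevices\*' } |
                         ForEach-Object { $_.Substring('\DosDevices\'.Length) })
            $volumes = @($hits | Where-Object { $_ -like '\??\Volume{*' } |
                         ForEach-Object { $_.Substring('\??\Volume'.Length) })

            # Step 9: the DeviceClasses subkey for this instance is rewritten on each connection,
            # so its LastWriteTime approximates the last time the device was plugged in.
            $classKey = Get-ChildItem "$SystemRoot\Control\DeviceClasses\$diskClassGuid" -ErrorAction SilentlyContinue |
                        Where-Object { $_.PSChildName -match $needle } | Select-Object -First 1
            $lastConnected = if ($classKey) { Get-RegKeyLastWriteUtc $classKey } else { $null }

            [pscustomobject]@{
                DeviceId          = $device.PSChildName
                Serial            = $serial
                FriendlyName      = $props.FriendlyName
                ParentIdPrefix    = $props.ParentIdPrefix   # set on XP, usually absent on Windows 7
                DriveLetters      = $letters -join ','
                VolumeGuids       = $volumes -join ','
                UsedByCurrentUser = [bool]($volumes | Where-Object { $userVolumes -contains $_ })
                LastConnectedUtc  = $lastConnected
            }
        }
    }
}

Get-UsbStorageHistory | Format-List
```

UsedByCurrentUser only answers step 8 for the account running the script; to attribute a device to another profile, load that user's NTUSER.DAT with reg load and check its MountPoints2 for the same volume GUID. Drive letters are reused, so a letter in MountedDevices reflects the last device mapped to it, not necessarily the device at the time of interest.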

Determining whether an important file has been copied to a USB device in Windows XP

1. setupapi.log: Since almost all devices nowadays are plug-and-play, with their associated driver files written into the device firmware, the system can install them directly, ruling out the need for a separate installation disk. Whenever such a Plug-and-Play USB device is connected to a system, the Plug-and-Play (PnP) manager receives this event and queries the device description in its firmware, such as manufacturer, serial number, etc. Upon receiving the information, the PnP manager locates device drivers and a set of Registry keys is created, as described below. These events are recorded in the setupapi.log file present in %Windowsdir% (C:\Windows\setupapi.log) when the device is connected to the system for the first time (%Windowsdir%\inf\setupapi.dev.log in Windows 7).
2. Registry keys created: After the device is identified, a set of registry keys is created as follows:
i. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Enum\USBSTOR\<device_class>\<device_unique_id>\
ii. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Control\DeviceClasses\{<disk_devices_GUID>}\
iii. <device_class#device_unique_id#{disk_devices_GUID}>\
iv. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Control\DeviceClasses\{<volume_devices_GUID>}\
v. <STORAGE_RemovableMedia#ParentId_Prefix#{volume_devices_GUID}>\
vi. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Enum\Storage\RemovableMedia\<ParentID_Prefix>\
These keys contain details such as the device ID, driver description, manufacturer, friendly name, ParentIdPrefix, etc. When the same USB device is connected to the system again, a subkey named Control is created under the above keys. As a result, the timestamps of these keys reflect the last time the USB device was connected to the system.
3. Drive letter to which the device is mounted: When a USB device is connected to the system it is assigned a drive letter (G, H, etc.), which can be identified through the following key:
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
This key contains a value starting with \??\Volume\ whose binary data holds the ParentId_Prefix in the form <STORAGE_RemovableMedia#ParentId_Prefix#{volume_devices_GUID}>. The same data is also present in the value \DosDevices\<drive_letter> if this USB device was the last device mapped to that drive letter.
4. Finding the user profile through which the USB device was connected: The value in the \MountedDevices key starting with \??\Volume\{} occurs only once more, in the ntuser.dat hive of the user profile through which the USB device was connected. Using this value, we can find the user profile through which the USB device was connected.
5. Time the drive was last connected to the system: The first time the USB device was connected to the system is found from the setupapi.log file and the corresponding registry entries. To associate this time with the actual local time, the Registry key SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones in the Software hive is checked.
6. Tracking whether a file was opened or copied through Explorer: If a file is opened through Explorer by double-clicking the file name, an entry is created in the Registry key:
\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\
If a file is opened using the Open dialog or saved using the Save As dialog in any application, it is noted in the registry key:
\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
These entries are present in the ntuser.dat registry hive of the user profile identified in step 4 above.

Refer to the RecentDocs section below.

7. File copy to USB through other modes (analysis of file MAC times): If a file is transferred to USB using the copy, cut or Send To context-menu options, no registry entry is created, and one has to examine both the system and the USB device file systems to track the copy.
Whenever a file is accessed (copied, moved, opened or edited), its MAC (modified, accessed, created) times are updated. However, if the Registry value NtfsDisableLastAccessUpdate in the System hive under the key ControlSet00x\Control\FileSystem\ is enabled, then MAC times are not updated. By default this value is not present on Windows XP systems. The MAC times of the files suspected of being copied are checked.
8. Analysis of the USB device: Once we have identified the user profile through which the USB device was connected, and it is established that files have been copied to the USB device, a case can be established against that person and the USB device confiscated for analysis. If the copied files are present on the USB device, their MD5 hash values are compared to those of the original files. If the files are not present, unallocated space is analyzed and the files recovered, if they have not been overwritten.
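Step 10 of the Windows 7 procedure and item 1 above both rely on searching the setup log for the device serial number to establish the first connection time. The function below is an added example, not part of the original notes, that does that search programmatically against the Windows 7 setupapi.dev.log. It assumes the Windows 7 layout, where each hardware-initiated install opens with a "[Device Install (Hardware initiated) - USBSTOR\...]" header line followed by a "Section start" timestamp; the older Windows XP setupapi.log uses a different layout and is not handled here.

```powershell
# Added example: first-installation record of a USB storage device in setupapi.dev.log.
#   >>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_...&Rev_...\<serial>&0]
#   >>>  Section start YYYY/MM/DD HH:MM:SS.mmm
function Get-UsbFirstInstall {
    param(
        [Parameter(Mandatory = $true)][string]$Serial,
        [string]$LogPath = "$env:SystemRoot\inf\setupapi.dev.log"
    )
    $lines   = @(Get-Content -Path $LogPath)
    $header  = '^>>>\s+\[Device Install \(Hardware initiated\) - (?<id>USBSTOR\\[^\]]+)\]'
    $section = '^>>>\s+Section start (?<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})'

    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match $header) {
            $instanceId = $Matches.id
            if ($instanceId.IndexOf($Serial, [StringComparison]::OrdinalIgnoreCase) -lt 0) { continue }

            # the line after the header carries the section start time (local time, no zone info)
            $started = $null
            if ($i + 1 -lt $lines.Count -and $lines[$i + 1] -match $section) {
                $started = [DateTime]::ParseExact($Matches.ts, 'yyyy/MM/dd HH:mm:ss.fff',
                                                   [Globalization.CultureInfo]::InvariantCulture)
            }
            # the log is appended chronologically, so the first matching block is the first install
            return [pscustomobject]@{
                DeviceInstanceId  = $instanceId
                FirstInstallLocal = $started
                LogLine           = $i + 1
            }
        }
    }
}

# Usage: Get-UsbFirstInstall -Serial '<serial from USBSTOR>'
```

The timestamp is written in the machine's local time, so correlate it with the TimeZoneInformation key before comparing it with UTC values such as a key's last-write time. Dropping the early return and collecting every match instead gives the full install history of the device, including driver reinstalls.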

Analysis step-by-step

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName - the computer name.
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS - BIOS and product information. The BIOS information includes the BIOS release date and BIOS version, as well as the product name of the system and its manufacturer's name.
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 - information about the system's processors, including the processor name, its speed and the vendor identifier.
A number of elements of information about user accounts are stored in the Registry: for example the list of user accounts, the last login time of each account, whether it requires a password, whether the account is disabled or enabled, and the method used to hash the account's password. All of this information is held in the following Registry keys of the Security Accounts Manager (SAM):
HKLM\SAM\Domains\Account\Aliases\Members
HKLM\SAM\Domains\Account\Users
SAM is not accessible through the normal Registry view on a live system. After exporting the Registry, it can be accessed using a tool such as Registry Viewer. Information such as the user name, logon count, last logon time, last password change, last failed logon, and so on is stored for each user account.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows - the last shutdown time.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - automatically loaded applications.
HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications - the list of registered applications.
Skype Analysis

Network Analysis
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\
The list of intranet networks the system has been connected to is stored within the Registry in the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Wireless
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Printers
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
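The keys listed in the two sections above hold the system-profile and network-history facts an examiner records first. The script below is an added example, not part of the original notes, that reads those keys from a live system in an elevated PowerShell and decodes the two binary timestamps involved: ShutdownTime under Control\Windows is an 8-byte FILETIME in UTC, and DateCreated / DateLastConnected under NetworkList\Profiles are 16-byte SYSTEMTIME structures in local time. The value names used (ComputerName, BIOSVendor, ProcessorNameString, TimeZoneKeyName, ProfileName, NameType and so on) are the standard ones present on Windows 7 and later; SAM is left out because, as the notes say, it is not readable from a live session.

```powershell
# Added example: system profile, autoruns and network history from the keys named above.

function ConvertFrom-SystemTimeBytes {
    # SYSTEMTIME = 8 x UInt16 (year, month, dayOfWeek, day, hour, minute, second, millisecond), local time
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -lt 16) { return $null }
    $w = 0..7 | ForEach-Object { [int][BitConverter]::ToUInt16($Bytes, $_ * 2) }
    if ($w[0] -eq 0) { return $null }   # unset timestamp
    New-Object -TypeName DateTime -ArgumentList $w[0], $w[1], $w[3], $w[4], $w[5], $w[6], $w[7]
}

function Get-SystemProfile {
    $cn   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName'
    $bios = Get-ItemProperty 'HKLM:\HARDWARE\DESCRIPTION\System\BIOS'
    $cpu  = Get-ItemProperty 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
    $win  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows'
    $tz   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation'

    # ShutdownTime is REG_BINARY: an 8-byte little-endian FILETIME (UTC)
    $shutdownUtc = $null
    if ($win.ShutdownTime -is [byte[]] -and $win.ShutdownTime.Length -ge 8) {
        $shutdownUtc = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($win.ShutdownTime, 0))
    }
    [pscustomobject]@{
        ComputerName       = $cn.ComputerName
        BiosVendor         = $bios.BIOSVendor
        BiosVersion        = $bios.BIOSVersion
        BiosReleaseDate    = $bios.BIOSReleaseDate
        SystemManufacturer = $bios.SystemManufacturer
        SystemProductName  = $bios.SystemProductName
        Processor          = $cpu.ProcessorNameString
        ProcessorMHz       = $cpu.'~MHz'
        ProcessorVendor    = $cpu.VendorIdentifier
        LastShutdownUtc    = $shutdownUtc
        TimeZoneKeyName    = $tz.TimeZoneKeyName
        ActiveTimeBiasMin  = $tz.ActiveTimeBias     # minutes to add to local time to get UTC
    }
}

function Get-RunEntries {
    # machine-wide Run key from the list above plus the per-user equivalent
    foreach ($path in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                      'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item $path
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Key = $path; Name = $name; Command = $key.GetValue($name) }
        }
    }
}

function Get-NetworkProfiles {
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'
    foreach ($profile in Get-ChildItem $base) {
        $p = Get-ItemProperty $profile.PSPath
        [pscustomobject]@{
            ProfileGuid   = $profile.PSChildName
            ProfileName   = $p.ProfileName
            Description   = $p.Description
            NameType      = $p.NameType      # 6 = wired, 71 = wireless, 23 = VPN
            Managed       = $p.Managed
            Created       = ConvertFrom-SystemTimeBytes $p.DateCreated
            LastConnected = ConvertFrom-SystemTimeBytes $p.DateLastConnected
        }
    }
}

Get-SystemProfile   | Format-List
Get-RunEntries      | Format-Table -AutoSize
Get-NetworkProfiles | Sort-Object LastConnected -Descending | Format-Table -AutoSize
```

The network profile GUIDs link to the Signatures\Managed and Signatures\Unmanaged keys listed above, whose DefaultGatewayMac value identifies the gateway the profile was learned on.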

RecentDocs
Scenario

A suspicious employee left your company on January 28, 2014. You'd like to know which files were most recently used (opened, saved) on the employee's system right before he/she left.
Pull the user's NTUSER.DAT. Run RegRipper to easily output the values within the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
key:
Subkeys are named after every file extension used on the system (e.g. a subkey for .zip, .doc, .mp4, etc.).
Each of these subkeys contains its own MRUListEx value that keeps track of the order in which files were opened.
Each subkey stores up to 10 numbered values; each numbered value represents a recently opened file with the extension found in the subkey's name.
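RegRipper's recentdocs plugin does the decoding in the scenario above; the function below is an added example, not part of the original notes or of RegRipper, that shows what that decoding involves. Since RecentDocs lives in the user's NTUSER.DAT, it is read here from HKCU (the path can be redirected to a hive loaded under HKU with reg load). It assumes the documented layout of the key: MRUListEx is a REG_BINARY list of little-endian DWORD indexes, most recent first, terminated by 0xFFFFFFFF, and each numbered value begins with the file name as a null-terminated UTF-16LE string.

```powershell
# Added example: decode RecentDocs MRUListEx ordering for the root key and every extension subkey.
function Get-RecentDocs {
    param([string]$KeyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs')

    foreach ($key in @(Get-Item $KeyPath) + @(Get-ChildItem $KeyPath)) {
        $mru = $key.GetValue('MRUListEx')
        if (-not ($mru -is [byte[]])) { continue }

        $rank = 0
        for ($i = 0; $i + 4 -le $mru.Length; $i += 4) {
            $index = [BitConverter]::ToUInt32($mru, $i)
            if ($index -eq [uint32]::MaxValue) { break }      # 0xFFFFFFFF terminates the list

            $data = $key.GetValue([string]$index)              # numbered values are named "0", "1", ...
            if (-not ($data -is [byte[]])) { continue }

            # the file name is a UTF-16LE string terminated by a double null; a shell item follows it
            $end = 0
            while ($end + 1 -lt $data.Length -and -not ($data[$end] -eq 0 -and $data[$end + 1] -eq 0)) {
                $end += 2
            }
            [pscustomobject]@{
                Subkey   = $key.PSChildName      # 'RecentDocs' for the root, else the extension
                Rank     = $rank                 # 0 = most recently opened within this subkey
                Index    = $index
                FileName = [Text.Encoding]::Unicode.GetString($data, 0, $end)
            }
            $rank++
        }
    }
}

Get-RecentDocs | Sort-Object Subkey, Rank | Format-Table -AutoSize
```

MRUListEx gives order only; the time of the most recent entry in each subkey is that subkey's last-write time, which RegRipper reports alongside the list. The root RecentDocs key orders files across all extensions, so compare its Rank values when you need the overall most recent document rather than the most recent per extension.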
