Registry analysis

There is a great deal of activity that occurs under the hood on the Windows operating system. One place where this activity is recorded is the Windows Registry. The Windows Registry is a database that stores the low-level system settings for the Windows operating system. This includes settings for devices, security, and services, as well as the storage of user account security settings in the Security Accounts Manager (SAM).

The registry is made up of two elements. The first is the key. The key is a container that holds the second element: the values. These values hold specific settings information. The highest-level key is called the root key and the Windows operating system has five root keys, all of which are stored on the disk in the registry hives. These registry hives are located in the %SystemRoot%\system32\config folder on the Windows file structure:

  • HKEY_CURRENT_USER
  • HKEY_USERS
  • HKEY_CLASSES_ROOT
  • HKEY_LOCAL_MACHINE
  • HKEY_CURRENT_CONFIG

Of the five root keys, the most valuable during an incident investigation is the HKEY_LOCAL_MACHINE or HKLM key. This key contains the following subkeys (these are the ones that are the most interesting during an investigation):

  • SAM: This is the location where the Windows OS stores the user's passwords in the LM or NTLM hash form. The main purpose of the SAM subkey is to maintain the Windows account passwords.
  • Security: This subkey contains the security information of the domain that the system is connected to.
  • Software: The software subkey is the repository for software and Windows settings. This subkey is often modified by software or system installers. This is a good location to check for additions or modifications that have been made to software by malware.
  • System: This subkey stores information about the Windows system configuration. One key piece of evidence that is also included within the system subkey is the currently mounted devices within a filesystem.

Another source of data that can be critical to an incident investigation is the HKEY_CURRENT_USER key. Attackers may make changes to a user account or profile as part of a privilege escalation attack. Changes that have been made to the user's data are recorded in that user's NTUSER.dat file. An NTUSER.dat file is created for every user account on the system and is located at C:\Users\<UserName>. This file contains the user's profile settings and may provide additional data on the systems that are connected, network connections, or other settings. Data contained within the HKEY_CURRENT_USER key may be of benefit in incidents where user activity or user account modification of the system is suspected.

Responders can access the various registry hives using Autopsy. Simply navigate to the vol3/Windows/System32/config folder from the file structure in the left-hand pane:

The SAM registry file is located in the center pane:

The actual examination and evidentiary value of registry key settings is, like many aspects of digital forensics, very detailed. While it is impossible to cover all of the aspects of registry forensics in this chapter, or even in this book, it is important for responders to be able to acquire the registry keys for evaluation, and also to have some familiarity with tools that can allow responders to gain some hands-on experience with evaluating registry settings.

In this case, the system, SAM, security, and software registry keys will be acquired for analysis. For this, the analyst can use Autopsy to acquire the proper keys and then examine them with a third-party tool. Let's take a look at how to do this:

  1. First, navigate to the proper folder, /System32/config, on the third volume of the system image.
  2. Next, select the four registry keys using the right mouse button and the Ctrl key. Right-click on one of the files and select Export File(s).
  3. Select a folder to output the registry keys to. In this case, a separate file folder was created to contain the keys. Select Save.
  4. Verify that the registry keys have been saved:

The preceding screenshot shows the four registry files that have been acquired.

Now that the suspect image's registry files have been saved, the analyst can use a third-party tool to examine the registry. In this case, the Registry Explorer/RECmd Version 1.5.1.0 tool, which was developed by Eric Zimmerman, will be used to analyze the registry keys. This freeware application can be downloaded from https://ericzimmerman.github.io/#!index.md. Unzip the file to a safe location and execute the application.

Now that progress has been made in the analysis of the image, the analyst has identified that potential data loss has occurred via a USB device that was attached to the system at some point. While Autopsy has provided us with some information on this, it may be necessary to find out what registry key settings have been changed as a result of the USB being connected. The best location for additional information is contained within the system registry hive.

The Windows operating system records and maintains artifacts of when USB devices such as mass storage, iOS devices, digital cameras, and other USB devices are connected. This is due to the Plug and Play (PnP) manager, which is part of the Windows operating system. The PnP manager receives notification that a USB device has been connected and queries the device for information so that it can load the proper device driver. Upon completion, the Windows operating system will make an entry for the device within the registry settings.

To determine what USB devices were connected, follow these steps:

  1. Open Registry Explorer.
  2. Click File and then Load Hive.
  3. Navigate to the system registry hive.
  4. Once loaded, the following window will appear:

From here, navigate to the proper USB registry location at ControlSet001\Enum\USBSTOR:

  1. Click on the first registry value, 4C530012450531101593&0. The following information will appear in the upper-right pane:

From here, the analyst has a lot of information they need to review. Of particular importance is the HardwareID. Clicking on that section of the output produces the following in the lower-right window:

By evaluating the HardwareID together with the key's date and time, the analyst has been able to uncover that a SanDisk Cruzer Fit was connected to the system. The analyst was able to ascertain that it was connected at 13:38:00 on 03/24/2015. This is critical when compared with the date and time that the confidential files were accessed.
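As an added example (not from this book or from Eric Zimmerman's tools), the following Python snippet parses USBSTOR key paths of the kind shown above into vendor, product, revision and serial fields, and lists the devices whose key timestamps precede the time the confidential files were accessed. The key paths and LastWrite times are constructed sample data modelled on the SanDisk entry in the text; the second device is invented for contrast.

```python
import re
from datetime import datetime

# Constructed sample data: USBSTOR key paths and their LastWrite times (UTC), as an
# analyst would see them in Registry Explorer after loading an exported SYSTEM hive.
# The SanDisk entry mirrors the text; the Kingston entry is made up for contrast.
USBSTOR_KEYS = {
    r"ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Fit&Rev_1.26\4C530012450531101593&0":
        datetime(2015, 3, 24, 13, 38, 0),
    r"ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\7&2f1e3a2b&0":
        datetime(2015, 3, 26, 9, 5, 0),
}

# Device-class key name format written by the PnP manager for mass storage devices.
DEVICE_RE = re.compile(r"^Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$")


def parse_usbstor_path(path):
    """Split a USBSTOR key path into vendor/product/revision/instance fields."""
    parts = path.split("\\")
    if "USBSTOR" not in parts or len(parts) < parts.index("USBSTOR") + 3:
        raise ValueError("not a USBSTOR device key: " + path)
    i = parts.index("USBSTOR")
    device_id, instance = parts[i + 1], parts[i + 2]
    m = DEVICE_RE.match(device_id)
    if not m:
        raise ValueError("unrecognised device id: " + device_id)
    # If the device supplied its own serial number, the instance id is that serial
    # plus a "&0" suffix. If the second character is "&", Windows generated the id
    # because the device had no unique serial, so it cannot identify a specific unit.
    serial_from_device = instance[1] != "&"
    return {
        "vendor": m["vendor"],
        "product": m["product"].replace("_", " "),
        "revision": m["rev"],
        "instance": instance,
        "serial_from_device": serial_from_device,
    }


def devices_connected_before(keys, access_time_iso):
    """Return devices whose key LastWrite is at or before the given time (ISO 8601),
    oldest first. LastWrite records the last time the key was written, so it is only
    an approximation of when the device was connected and should be corroborated."""
    access_time = datetime.fromisoformat(access_time_iso)
    hits = []
    for path, last_write in keys.items():
        if last_write <= access_time:
            info = parse_usbstor_path(path)
            info["last_write"] = last_write
            hits.append(info)
    return sorted(hits, key=lambda d: d["last_write"])
```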

As we mentioned previously, registry analysis is a deep subset of digital forensics in and of itself. Whole volumes have been written on the evidentiary value present in the settings and entries in registry hives. At a minimum, responders should be prepared to acquire this evidence for others for further examination. That being said, as responders gain more and more experience and skill, the registry should be an area that can be leveraged for evidence when examining a disk image.
