Sunday, January 27, 2013

WINDOWS FORENSIC 2 of 2 website

http://www.forensicmag.com/article/windows-7-registry-forensics-part-5

6. INTERNET EXPLORER:

HKU\S-1-5-21-1116317277-3122546273-4014252621-1000\Software\Microsoft\Internet Explorer\Main
HKU\S-1-5-21-1116317277-3122546273-4014252621-1000\Software\Microsoft\Internet Explorer\TypedURLs

The first Key stores the user's settings, information about search bars, start page, etc., and the second Key stores the URLs typed into the address field. The most recently typed URL is "url1" and the earliest is "urlx", where "x" is the highest number in the list.

7. TIME ZONE INFORMATION:

HKLM\SYSTEM\ControlSet001\Control\TimeZoneInformation
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\TimeZones

The value "ActiveTimeBias" in the first Key represents the current time difference from GMT/UTC in minutes, and the value "Bias" represents the difference in minutes between GMT/UTC and local time. For example, Eastern Standard Time has a Bias value of -300 (minus five hours difference). The second Key's Subkeys store information relating to all the various time zones around the world.

8. WINDOWS PROTECTED STORAGE:

HKCU\Software\Microsoft\Protected Storage System Provider

This Key securely stores the encrypted passwords for many applications. Passwords stored here can include those for Outlook Express (passwords created and maintained when the "Remember Password" option is selected), MSN Explorer (MSN Explorer's "Sign In" and "AutoComplete" passwords), and Internet Explorer (protected sites and "AutoComplete" passwords). Since these Values are encrypted, another tool (e.g. Cain & Abel, PassView, IE PassView, PStoreView, etc.) would have to be used to (hopefully) decrypt and view the passwords.



Registry Forensics: Attached Devices

Artifacts are items of data or information left behind after a specific activity occurs on a system. Generally, any user activity leaves some type of artifact somewhere. Depending on the type of activity, the artifacts can be of enormous forensic importance. For instance, when a user visits a Web site using Internet Explorer, an artifact is left in the browser history and the URL is recorded in the Registry. Likewise, any USB device attached to a system will leave artifacts in several locations. Which artifacts are of forensic importance will usually depend upon the type of investigation being conducted. Some examples of why a forensic examination of the Registry should be conducted include:

Does the system allow USB devices to be recognized?
Was a particular USB device attached to a particular computer, and if so, can artifacts be collected to assist in identifying the USB device?
Did a user connect an unauthorized USB device to his/her computer in violation of company policy?
Was an attached USB device infected with malware?
Was a USB device connected to download files or applications?
Can a timeline be determined during which a particular USB device was attached to a system?

1. WRITE BLOCK ALL USB DEVICES

• HKLM\SYSTEM\CurrentControlSet\Control

USB devices can be write-blocked to prevent someone from attaching a device to a live system and performing a malicious act such as uploading a virus or downloading files and intellectual property. The "StorageDevicePolicies" and "WriteProtect" values can be set to "00000001" to turn on USB write protection in this key. If neither of these two values exists, they can be created by the System Administrator or by the user.

2. DISABLE USB DRIVES

• HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR

USB devices can be prevented from operating when attached to a live system by changing the "Start" value from "0x00000003" to "0x00000004" in this key.

3. MOUNTED DEVICES and STORAGE DEVICES

Registry keys track each mounted volume and assigned drive letter used by the NTFS file system. Information concerning any external devices (such as USB devices, CD/DVD ROMs, external memory cards, digital cameras, etc.) that had previously been attached to the system will be recorded in certain registry keys. On a live system, "regedit" or "Registry Commander" can be run from a USB device to access these keys. (Inserting this USB device will also make changes to the Registry.) The keys can be exported directly from a live system and saved as readable text files.

• HKLM\SYSTEM\MountedDevices

This key contains a list of mounted devices, their associated persistent volume names, Globally Unique Identifiers (GUIDs) for each device that has been attached to the system, the device's name, and its serial number. GUIDs identify objects and are 128-bit values consisting of one group of 8 hexadecimal digits, followed by three groups of 4 hexadecimal digits each, followed by one group of 12 hexadecimal digits. The "Data" for each of the entries can be read by double-clicking on a particular entry or by exporting the entire key to a text file. Alternatively, if the Registry was captured and exported, the key can be examined using a tool such as "Windows Registry Analyzer." The entries also contain the information necessary for identifying the volume(s), which can be vital to determine whether a particular device was attached to a system. GUIDs for each device are listed as "\??\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}." One of the GUIDs should correspond to the "Data" in the "\DosDevices\x:" value. For instance, the GUID and "Data" for a particular USB device were determined to be:

Name: "\??\Volume{3cd41b45-8f08-11df-8dd4-705ab6efe508}"
Data: "_??_USBSTOR#Disk&Ven_&Prod_Patriot_Memory&Rev_PMAP#093A17A322A6&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"

The "Data" from this GUID corresponded to the "Data" in:

Name: "\DosDevices\E:"
Data: "_??_USBSTOR#Disk&Ven_&Prod_Patriot_Memory&Rev_PMAP#093A17A322A6&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"

In this example, a Patriot USB device with the serial number "093A17A322A6" was the last connected USB device on the computer and was designated as the "E" drive. The data also lists another GUID, "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}", which can be used to find the same USB device and its serial number in other Keys (e.g. "HKLM\SYSTEM\ControlSet001\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}").

• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Each user on a system has their own "NTUSER.DAT" file in their profile. This is the file that is accessed as "HKCU" when the user logs onto the system. If a GUID from the "HKLM\SYSTEM\MountedDevices" key matches a GUID in this key, that indicates a particular user was logged into the computer when that particular USB device was connected to the system. GUIDs also include the "Last Write Time" for each device that was attached to the system. The GUID "Volume{3cd41b45-8f08-11df-8dd4-705ab6efe508}" from the above example was listed under this key and provided the "Last Write Time" as "2/19/2012 - 12:13 PM."


• HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses\

The GUID subkeys include the USB storage device name, its serial number, and other GUID Subkeys where the device name and serial number can also be found. More importantly, a timeline for when each device was attached and then later removed is also captured. The GUID "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}" described previously in "HKLM\SYSTEM\MountedDevices" appears four times under this key. Two of the GUIDs (and their subkeys "#") provide the last time the device was connected to the system (listed as the "Last Write Time"):

"{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\##?#USBSTOR#Disk&Ven_&Prod_Patriot_Memory&Rev_PMAP#093A17A322A6&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
"Last Write Time: 2/19/2012 - 11:55 AM"

The subkeys "#\Control" and "Control" provide the time that the same device was removed from the system (also listed as the "Last Write Time"), which corresponds to the same last write time in GUID "{3cd41b45-8f08-11df-8dd4-705ab6efe508}" under "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" previously discussed:

"{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\##?#USBSTOR#Disk&Ven_&Prod_Patriot_Memory&Rev_PMAP#093A17A322A6&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\#\Control"
"Last Write Time: 2/19/2012 - 12:13 PM"


REGISTRY FORENSICS – ATTACHED DEVICES

1. MOUNTED DEVICES and STORAGE DEVICES:

• HKLM\SYSTEM\CurrentControlSet\Enum\USB\

The Subkeys are the serial numbers of devices that have been attached to the system. Each of the Subkeys will record the most recent time a USB device was attached and will also provide the date and time that the device was originally attached to the system. For example, the serial number of the Patriot USB device mentioned in the previous column was "093A17A322A6." Searching for that value provided the following Subkeys and their respective "Last Write Times":

"VID_13FE&PID_1F00"
"Last Write Time: 7/14/2010 - 12:49 PM"

"VID_13FE&PID_1F00\093A17A322A6"
"Last Write Time: 2/19/2012 - 11:55 AM"

"VID_13FE&PID_1F00" is a class identifier. Each of the entries in the Key is specific to a particular make and model of USB device. The "Last Write Time: 7/14/2010 - 12:49 PM" represents the first time that the device was attached to the system. This date does not change when the same device is repeatedly reinserted. The second "Last Write Time: 2/19/2012 - 11:55 AM" represents the last time that the same device was attached to the system and corresponds to the same "Last Write Time" found in the "HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses\" Subkey "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}" (which was also identified in the data described previously in the "HKLM\SYSTEM\MountedDevices" Key).

• HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\

Whenever any device is connected to a USB port, drivers are queried and a Subkey, which includes the device's name, is created under this Key. Another Subkey consisting of the serial number of the device is also created. (If the second character is an "&", it is indicative that the device does not have a serial number.) The first and last times that each device was attached are also recorded in each Subkey. Searching for the Patriot USB device previously described provided the following data:

"Disk&Ven_&Prod_Patriot_Memory&Rev_PMAP"
"Last Write Time: 7/14/2010 - 12:49 PM"

"Disk&Ven_&Prod_Patriot_Memory&Rev_PMAP\093A17A322A6"
"Last Write Time: 2/19/2012 - 11:55 AM"

These "Last Write Times" are analogous to those discussed above. On a live system, a tool such as "USBDeview" can be used to parse out all the USB storage device information.
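The same device-instance string appears in the "MountedDevices" data, the "DeviceClasses" subkey names and the "Enum\USBSTOR" paths shown above. The following is an added example (not code from the article or from any tool it names) that parses that string wherever it occurs and joins the "\DosDevices\X:" and "\??\Volume{...}" entries of an exported MountedDevices key, so drive letter, volume GUID, vendor/product, serial and device-class GUID come out together. The sample registry values are constructed; the Patriot entries copy the article's example, the SanDisk instance id and the C: entry are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One pattern covers the three forms the article shows for the same device: MountedDevices
# "Data" (USBSTOR#...), DeviceClasses subkey names (##?#USBSTOR#...) and Enum\USBSTOR paths.
_USBSTOR_RE = re.compile(
    r"USBSTOR[#\\]"
    r"(?P<devclass>Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_[^#\\]*)"
    r"[#\\](?P<instance>[^#\\]+)"
    r"(?:[#\\]\{(?P<guid>[0-9A-Fa-f-]{36})\})?"
)

@dataclass
class UsbDevice:
    device_class: str          # e.g. Disk&Ven_&Prod_Patriot_Memory&Rev_PMAP
    vendor: str
    product: str
    serial: str                # device serial, or the whole Windows-generated instance id
    has_real_serial: bool      # False when the 2nd character is '&' (no hardware serial)
    class_guid: Optional[str]  # {53f56307-...}: the link into Control\DeviceClasses
    drive_letter: Optional[str] = None
    volume_guid: Optional[str] = None

def parse_usbstor(text: str) -> Optional[UsbDevice]:
    """Extract identifiers from any string that embeds a USBSTOR device instance."""
    m = _USBSTOR_RE.search(text)
    if m is None:
        return None  # not a USB storage entry (fixed disk, DMIO id, ...)
    inst, guid = m.group("instance"), m.group("guid")
    real = len(inst) < 2 or inst[1] != "&"
    return UsbDevice(
        device_class=m.group("devclass"), vendor=m.group("vendor"),
        product=m.group("product"), serial=inst.split("&")[0] if real else inst,
        has_real_serial=real, class_guid=guid.lower() if guid else None,
    )

def correlate_mounted_devices(values: Dict[str, str]) -> List[UsbDevice]:
    """values: MountedDevices value name -> data decoded as a string. Identical data
    means the same volume, so "\\DosDevices\\X:" and "\\??\\Volume{...}" are joined on it."""
    by_data: Dict[str, UsbDevice] = {}
    for name, data in values.items():
        dev = by_data.get(data) or parse_usbstor(data)
        if dev is None:
            continue
        by_data[data] = dev
        if name.startswith("\\DosDevices\\") and name.endswith(":"):
            dev.drive_letter = name[-2]
        elif name.startswith("\\??\\Volume{") and name.endswith("}"):
            dev.volume_guid = name[len("\\??\\Volume{"):-1].lower()
    return list(by_data.values())

# Constructed sample of HKLM\SYSTEM\MountedDevices: the Patriot entries repeat the
# article's example; the C: data and the SanDisk instance id are made up.
_PATRIOT = ("_??_USBSTOR#Disk&Ven_&Prod_Patriot_Memory&Rev_PMAP#093A17A322A6&0"
            "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
SAMPLE_MOUNTED_DEVICES = {
    "\\DosDevices\\C:": "DMIO:ID:constructed-fixed-disk-id",  # not USB storage: skipped
    "\\DosDevices\\E:": _PATRIOT,
    "\\??\\Volume{3cd41b45-8f08-11df-8dd4-705ab6efe508}": _PATRIOT,
    "\\DosDevices\\F:": "_??_USBSTOR#Disk&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_2.18"
                        "#7&2d9f0a1b&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}",
}
```

The same `parse_usbstor` can be run over DeviceClasses subkey names and Enum\USBSTOR key paths from a registry export, which lets the serial be matched across all three keys without hand-searching.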


U3 ENABLED DEVICES:

In addition to serving as storage devices, many USB devices can be configured to be used as portable desktops. They include applications that run when the device is attached to a computer. To a host system, U3 devices appear as USB Hubs with attached CD drives and USB storage devices. Windows normally will show two drives, a read-only volume on an emulated CD-ROM drive and a regular FAT-formatted USB drive. The emulated CD-ROM drive contains an Autorun configuration which launches the U3 LaunchPad. Normally, there is a hidden system folder stored in a CDFS partition on the USB drive that contains the applications. The "HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\" Key lists U3 device(s) by their device Class ID, similar to the following:

"Disk&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_2.18"

• USB SUMMARY:

It is not easy for someone to obfuscate the fact that a particular USB device had been attached to a system. Using the "Registry Commander" tool, a search on a live system for the serial number of the previously mentioned Patriot USB device produced a total of seventy-one hits under seventeen different Keys:

HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\EMDMgmt\
HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\
HKLM\SYSTEM\ControlSet001\Control\DeviceClasses\
HKLM\SYSTEM\ControlSet001\Enum\STORAGE\Volume\
HKLM\SYSTEM\ControlSet001\Enum\USB\VID_111D&PID_0000\
HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\
HKLM\SYSTEM\ControlSet001\Enum\WpdBusEnumRoot\UMB\
HKLM\SYSTEM\ControlSet002\Control\DeviceClasses\
HKLM\SYSTEM\ControlSet002\Enum\STORAGE\Volume\
HKLM\SYSTEM\ControlSet002\Enum\USB\VID_111D&PID_0000
HKLM\SYSTEM\ControlSet002\Enum\USBSTOR\
HKLM\SYSTEM\ControlSet002\Enum\WpdBusEnumRoot\UMB\
HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses\
HKLM\SYSTEM\CurrentControlSet\Enum\STORAGE\Volume\
HKLM\SYSTEM\CurrentControlSet\Enum\USB\VID_111D&PID_0000\
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\
HKLM\SYSTEM\CurrentControlSet\Enum\WpdBusEnumRoot\UMB

2. SYSTEM PRESENCE of USB DEVICES

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Tracing\Microsoft\PlugPlay\SETUPAPI
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\KnownDLLs
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs

These four keys appear to control the "setupapi.dll" file, which may determine whether or not logging will occur. The file is located in the "C:\Windows\System32" directory and contains functions used by installation and setup programs. It serves as a dynamic link library controlling the setup, installation, removal, and maintenance of applications and is required for Windows to operate correctly. Specifically, this includes installing and queuing files, logging files as they are installed, updating the Registry, notifying the user of any installation errors, starting or restarting the computer, copying files, and accessing the routines that control device installation. All of these activities are logged. Any errors or warnings that may arise during a particular activity are also logged, and that information can assist with troubleshooting or debugging activities.

• "setupapi.dev" FILE:

This file is located in the "C:\Windows\inf\" directory and is text-readable and forensically important. It is essentially a device installation log. Whenever a removable storage device is connected to a computer for the first time, the Plug and Play Manager makes note of the new device's presence, queries the device for identifying information, creates a class identifier for the device, and locates the appropriate device driver. This information is recorded in the log file. For instance, when the Patriot USB device previously mentioned was connected to a USB port for the first time, the Plug and Play Manager received an event notification, queried the device to develop a class identifier, and attempted to find an appropriate driver:

"[Device Install (Hardware initiated) - USBSTOR\Disk&Ven_&Prod_Patriot_Memory&Rev_PMAP\093A17A322A6]"
"Section start 2010/07/14 12:49:37.659"

Information from the file provided the device serial number (093A17A322A6) and the date and time the device was first attached (2010/07/14 12:49). A Key was also created under "HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\" which used the device Class ID "Disk&Ven_&Prod_Patriot_Memory&Rev_PMAP." Under this Key another Key was created which used the serial number of the device. A unique system-generated identifier would have been created if the device did not have a serial number.
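Pulling the first-attach time for every USB storage device out of that log is a matter of pairing each "[Device Install ...]" header with the "Section start" line that follows it. This added example (not from the article) does that and keeps the earliest start per USBSTOR serial; the log excerpt is constructed, with the Patriot section copied from the article and the other two sections made up. The ">>>  " line markers are those of a real setupapi.dev.log, which the article's quotation leaves out.

```python
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional

# Header and start lines as the article quotes them; search() rather than match()
# so the ">>>  " prefix that real logs carry does not matter.
_HEADER_RE = re.compile(r"\[Device Install \((?P<how>[^)]*)\) - (?P<instance>[^\]]+)\]")
_START_RE = re.compile(r"Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


class InstallRecord(NamedTuple):
    enumerator: str      # e.g. USBSTOR
    device_class: str    # e.g. Disk&Ven_&Prod_Patriot_Memory&Rev_PMAP
    serial: str          # device serial, or a Windows-generated id (2nd char '&')
    started: datetime


def parse_device_installs(log_text: str) -> List[InstallRecord]:
    """Pair each '[Device Install ...]' header with its following 'Section start' line."""
    records: List[InstallRecord] = []
    pending: Optional[str] = None
    for line in log_text.splitlines():
        h = _HEADER_RE.search(line)
        if h:
            pending = h.group("instance")
            continue
        s = _START_RE.search(line)
        if s and pending:
            parts = pending.split("\\")
            if len(parts) == 3:   # <enumerator>\<device class>\<serial>
                started = datetime.strptime(s.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
                records.append(InstallRecord(parts[0], parts[1], parts[2], started))
            pending = None
    return records


def first_usb_install_times(log_text: str) -> Dict[str, datetime]:
    """Earliest install per USBSTOR serial, i.e. when the device first touched this system."""
    first: Dict[str, datetime] = {}
    for r in parse_device_installs(log_text):
        if r.enumerator.upper() != "USBSTOR":
            continue
        if r.serial not in first or r.started < first[r.serial]:
            first[r.serial] = r.started
    return first


# Constructed log excerpt: the Patriot section reproduces the article's lines; the
# PCI section and the second USB device are made up to show what gets filtered.
SAMPLE_SETUPAPI_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_&Prod_Patriot_Memory&Rev_PMAP\\093A17A322A6]
>>>  Section start 2010/07/14 12:49:37.659
<<<  Section end 2010/07/14 12:49:40.102
>>>  [Device Install (Hardware initiated) - PCI\\VEN_8086&DEV_0000\\3&11583659&0&10]
>>>  Section start 2010/07/15 08:03:11.000
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_2.18\\7&2d9f0a1b&0]
>>>  Section start 2011/03/02 17:20:05.250
"""
```

The first-attach time recovered here should agree with the earliest "Last Write Time" on the matching Enum\USBSTOR and Enum\USB subkeys; a mismatch is worth noting in the report.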




REGISTRY FORENSICS – SECURITY IDENTIFIERS

Security Identifiers (SIDs) are unique alphanumeric character strings of variable length that are assigned during the logon process to each user on a stand-alone system, or to each user, group, and computer on a domain-controlled network. Windows uses SIDs instead of usernames. For instance, when a username and password are entered, Windows must verify that the password for the username matches what is stored. The Registry is queried to determine what SID is associated with the username. From that point forward, Windows grants or denies access and privileges to resources based on Access Control Lists (ACLs), which use SIDs to uniquely identify users and/or their group memberships. SIDs can be resolved to users. For a non-domain logon, user authentication is carried out locally in the Security Account Manager (SAM). When a user logs onto a domain, the authentication occurs in the Active Directory of the domain controller. Essentially, SAMs are security databases which contain hashed passwords and usernames. They are also a Registry Hive.

1. SECURITY ACCOUNTS MANAGER (SAM):

HKLM\SAM\Domains\Account\Aliases\Members
HKLM\SAM\Domains\Account\Users

SAM is not accessible through the normal Registry view on a live system. After exporting the Registry, it can be accessed using a tool such as Registry Viewer. Information such as the user name, logon count, last logon time, last password change, last failed logon, and so on is stored in the user account(s). The SAM will also list one or more SIDs.

2. SECURITY IDENTIFIERS (SIDs):

HKU
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Profilelist

SIDs are located in both of these Keys. User SIDs can be found under the value "Profilelist" as Subkeys (which were created at the time a user logged onto the system). The value "ProfileImagePath" will list the path to that particular user's profile. At the operating system level, SIDs identify accounts beyond question. A multi-user system would look something like this:

HKU\.DEFAULT
HKU\S-1-5-18
HKU\S-1-5-19
HKU\S-1-5-20
HKU\S-1-5-21-1116317227-3122546273-4014252621-1000
HKU\S-1-5-21-1116317227-3122546273-4014252621-1000_Classes
HKU\S-1-5-21-1116317227-3122546273-4014252621-1003
HKU\S-1-5-21-1116317227-3122546273-4014252621-1003_Classes

The first four Keys are the System Accounts and are generally the same from computer to computer. HKU\.DEFAULT contains global user information. HKU\S-1-5-18 pertains to the "LocalSystem Account." HKU\S-1-5-19 is used to run the local services and is the "LocalService Account." HKU\S-1-5-20 is the "NetworkService Account" that is used to run the network service(s). The other Subkeys are the unique SIDs which are associated with individual users who have logged onto the system. Their interpretation is as follows:

"S" identifies the string as a SID.
"1" is the version of the SID specification.
"5" is the identifier authority value.
"21-1116317227-3122546273-4014252621" is the domain or local computer identifier and differs from computer to computer since it corresponds to unique individual user accounts.
"1000" is the Relative ID (RID). Any group or user not created by default will have a RID of 1000 or greater.
"1000_Classes" contains the per-user file associations and class registration.
"1003" is the Relative ID (RID) of another user on the same system.
"1003_Classes" contains the second user's file associations and class registration.

REGISTRY FORENSICS – FOLDER STRUCTURES

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

The first two Keys list the various default paths to many locations of potential forensic interest, such as a user's "Cookies," "Desktop," "Favorites," "History," "My Pictures," "My Video," "Recent Items," and "Start Menu." For instance, the default paths for a user's "My Pictures" and "My Video" are "%USERPROFILE%\Pictures" and "%USERPROFILE%\Videos" respectively. Similarly, the third Key lists the paths to the various locations in each of the individual user directories starting from the root directory ("C:\Users\{User Name}\My Pictures" and "C:\Users\{User Name}\My Videos" for the above examples). These can be changed to point to another location, possibly a hidden directory or a hidden partition where probative information could be stored.

HKCU\Software\Microsoft\Windows\Shell\Bags\1\Desktop\ItemPos1024x768x96(1)

A user may use more than one desktop and may have different files, folders, applications, or shortcuts on each of those desktops. This Key lists the user's desktop screen resolution under the "ItemPos" value (e.g. "ItemPos1024x768x96(1)"). The "Data" value for a particular screen resolution will contain the user's links to applications (e.g. "Powerpoint.lnk"), applications on the desktop (e.g. "Autoruns.exe"), the names of files and their extensions (e.g. "Registry.pdf"), and the names of folders.

(Note: Software tools mentioned in this column should not be considered an endorsement of those tools by Forensic Magazine or by the author. Prior to purchasing commercial tools or obtaining freeware tools, investigators and examiners should research those that are available to determine which best meet their technical and operational performance parameters. After procurement, the tools' functionality must be verified before being used for forensic examinations.)

John J. Barbara owns Digital Forensics Consulting, LLC, providing consulting services for companies and laboratories seeking digital forensics accreditation. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. John is the General Editor for the "Handbook of Digital & Multimedia Forensic Evidence" published by Humana Press. He can be reached at jjb@digforcon.com.

http://www.forensicmag.com/article/windows-7-registry-forensics-part-7?page=0,1


