2. ► Brief overview registry of background
►
► Use RD to find evidence of
► Data exfiltration
► Malware infection
► Anti-forensics tool use
Agenda
2
3. ► Forensics and incident response goldmine
► Logs a wealth of user and system activity
► Timestamps
► Using Windows backup features (System Restore & VSS), we
can recover historical data going back months or longer
(how?)
► Cool: more evidence
► PITA: how do we process/manage it
► How do you currently use these?
Why is the registry interesting?
3
4. ► Removable device activity
► Including serial number and model name
► See stuxnet
► Typed Internet Explorer URLs
► Recently accessed files (per-file-type)
► Networking information
► Per device, used network shares, and more
► Entered search terms (Windows 7)
►
4
5. ► Autoruns
► Timezone info
► Application launch counts
► Mounted devices
► Services
► System install info
► Folder listings
► Routing info
► Firewall rules
►
5
6. ► Open source Python project
► Initially funded by the National Institute of Justice (NIJ)
► Its goal is to automate the acquisition, analysis, and
reporting of registry contents
► Contains two components:
► A live registry hive acquisition tool
► Pulls hives from live machines
► Both current and backups
► Standalone (no installation) executable
► An offline analysis tool
► Discussed next
Registry Decoder
6
7. ► Performs offline analysis of registry files
► Facilitates comprehensive registry analysis of any number of
files within one graphical interface
► Most features are usable on the command line as well (for scripting,
testing, etc., all will be in next release)
► Supports multiple input types
► Uses a pre-processing phase to make analysis afterwards
much faster
Registry Decoder
7
8. ► Case management
► Hive Browsing
► Advanced Search
► Plugin System
► Path-Based Analysis
► Differencing
► Timelining
► Reporting
Analysis Features
8
9. ► Simple, but useful
► Case name, number
► Investigator
► Comments
► Case directory
► Provides persistence
► Data is only pre-processed once
► Close and re-open case at will
Case Management
9
11. ► Similar to other browsing tools (AccessData, regedit, etc)
► Displays key / value pairs and last write time of chosen key
► Hex view of value data
► Tabbed view allows multiple browse windows open
simultaneously
► Can type path and immediately jump there
Hive Browsing
11
13. ► Good tools for intelligent searching across registry hives?
► RD allows users to quickly search for a single term or a
collection of terms (from a file) across any selected hives in a
case
► Multiple types of search parameters:
► Exact or partial matching
► Wildcard matching (*, ?)
► Key name or value name or data
► Start and end date using last write time of keys
Advanced Search
13
15. ► The plugin system allows for targeted analysis of specific
data within the registry
► Mostly robbed from regripper
► Useful for fixed analysis that must be done repeatedly
► Listing MRU documents
► All plugins are in Python, and have access to all Python built-
ins
► We provide an API designed to make plugin development as
painless as possible
► Many plugins are less than 10 lines of Python and require
very little programming ability
Plugins
15
17. ► Hives can be timelined based on the last write time of keys
► Included keys can be filtered by starting and / or ending
time
► Output can be tab-separated (importable in Excel) or in
Sleuth Kit mactime format
► Multiple input registry files can be processed into the same
output timeline
Timelineing
17
19. ► Is there any evidence of USB devices being used?
►
► Is there any evidence of attempts to bypass network web
filtering?
► Are there any evidence of file upload services in use?
Data Exfiltration
19
22. ► There are several places malware like to hide in the registry,
some old, some new.
► Yes, the very old techniques are still in use because they
still work
► There is no comprehensive list, and I am far from the
foremost expert on such things, but following are a few I find
interesting
► RD Plugins exist for some the interested can view the
plugin source for registry locations
► Those so inclined are also invited to write some new plugins
(more info later)
Malware Analysis / Detection
22
23. ► Run* lists (of which there are many)
► HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRu
n
► HKLMSoftwareMicrosoftWindowsCurrentVersionRun
► HKLMSoftwareMicrosoftWindowsCurrentVersionRunOnce
► HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices
► HKLMSoftwareMicrosoftWindowsCurrentVersionRunServicesOnce
► HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRu
n
► HKCUSoftwareMicrosoftWindowsCurrentVersionRun
► HKCUSoftwareMicrosoftWindowsCurrentVersionRunOnce
► HKCUSoftwareMicrosoftWindowsCurrentVersionRunServices
►
Where is the malware?
23
24. ► Browser Helper Objects
► HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorerBrow
ser Helper Objects
► Manipulation of persistent routes
► HKLMSYSTEMCurrentControlSetServicesTcpipParametersPersist
entRoutes
► Running as services
► HKLMSYSTEMCurrentControlSetServices
► ServiceDLL
mechanism
► HKLMSYSTEMCurrentControlSetServices<service>ParamatersSe
rviceDLL
Where is the malware?
24
25. ► Infected file sharing applications
► Limewire
► Infected antivirus solutions
►
► Application Initialization DLLs
► MicrosoftWindows NTCurrentVersionWindowsAppInit_DLLs
► MUICache, Userassist
► Browser toolbars
► Firewall rules
► Etc.
Where is the malware?
25
26. ► Discover what types of malware are installed?
► Browser-based?
► Rootkits?
► Rogue services?
► Malware in plain sight?
► Are there things in the registry which indicate
malware, even though you may not be able to link it
to a specific executable?
► So, I infected this XP box (story)
So, How Do
26
33. ► Some people do not like to get caught and so take
measures to hide things
► This sometimes just gives the investigator more
crumbs to collect
► Crypto
► Truecrypt, Bitlocker
► Timestamp mucking
► Timestomp
►
► Web proxy services
Scenario 3: Anti-Forensics
33
35. ► Evidence of encrypted storage?
► Evidence of attempts to bypass network web filtering?
► File upload services in use?
► Common anti-forensics software installed/in use?
► Other anti-forensics techniques?
► Assume that the system has been timestomped and so
filesystem timelines are made useless. What information
on recent activity can be had from registry timelines?
How DoWe
35
41. ► Registry forensics is a powerful tool
► Particularly good for triage in some cases
► Stores a wide range of interesting information
► Registry Decoder provides a unified, open source system for
registry analysis and research
► Saves considerable time and effort
► Extensible via plugin system
► Useful for things you might not have thought to use it for
before
► Data exfiltration
► Malware detection / analysis
► Anti-anti-forensics
Conclusion
41