4. Purpose
• The registry contains con
fi
guration data for
the Windows operating system and
application
s
• Many artifacts of great forensic value
5. Hive Files
• Binary
fi
les that store the Registr
y
• Five main registry hives in
%SYSTEMROOT%system32con
fi
g
• SYSTEM, SECURITY, SOFTWARE, SAM, DEFAUL
T
• User-speci
fi
c hive
fi
les in each user's pro
fi
le
director
y
• UsersusernameNTUSER.DA
T
• UsersusernameAppDataLocalMicrosoft
WindowsUSRCLASS.DAT
6. Windows Pro
fi
les
• Created the
fi
rst time a user interactively logs
on to a syste
m
• Users who connect over the network don't
create a pro
fi
le folder
10. Virtual Key Paths
• Dynamically created in a running syste
m
• Not visible on a registry captur
e
• HKEY_Current_Use
r
• Links to HKEY_USERS{SID}
• HKLMSYSTEMCurrentControlSe
t
• Links to HKLMSYSTEMControlSetNN
N
• HKEY_CLASSES_ROO
T
• Merges two subkeys
11. Registry Timestamps
• Only one: LastWriteTim
e
• Stored on a key, not valu
e
• Changed when any value under the key is
added, removed, or change
d
• But not when subkeys' values are modi
fi
ed
12. Example
• Run key: programs that launch on system startu
p
• Cannot determine when these three Run items
were added, without other evidence
13. More Limitations
• Windows frequently updates the
LastUpdateTime for large swaths of registry
key
s
• During updates, and sometimes even from
a reboo
t
• Attackers cannot easily change registry
timestamps, although SetRegTime can do
thi
s
• Link Ch 12o
14. Registry Re
fl
ection and
Redirection
• 64-bit Windows allows 32-bit software to ru
n
• 32-bit programs are redirected by the W0W64
sybsystem to alternate registry keys, lik
e
• HKLMSOFTWAREWoW6432Nod
e
• This means 32-bit forensic software won't see
the whole Registry
17. Basic System Information
• Computer Nam
e
• HKLMSystemCurrentControlSet
ControlComputernam
e
• Windows Versio
n
• HKLMSoftwareMicrosoftWindows NT
CurrentVersio
n
• Time Zon
e
• HKLMSystemCurrentControlSet
ControlTimeZoneInformation
18. Basic System Information
• List of Installed Application
s
• HKLMSoftwareMicrosoftWindows
CurrentVersionUninstall{Appname}
• Mounted Devices (with drive letters
)
• HKLMSystemMountedDevices
19. USBSTOR
• Shows every USB device that has been
connecte
d
• A forensic examiner should look here
fi
rst, to
fi
nd out what other devices should be
requested for discovery, by court order or
search warrant
20. Network Information
• Network adapter con
fi
guratio
n
• Wireless networks previously use
d
• Share
s
• Firewall settings
23. Shim Cache
• Also called "Application Compatibility Cache
"
• Used to track special compatibility settings
for executable
fi
les and script
s
• May include
:
• File name, path, and siz
e
• Last modi
fi
ed dat
e
• Whether the
fi
le actually ran on the system
24. Shim Cache
• Maintained in memory, written to the registry
on shutdow
n
• Maintains up to 1024 entrie
s
• More than Prefetch (128
)
• includes apps that haven't executed ye
t
• Next two slides from link Ch 12a
29. Auto-Run Keys
(Auto-Start Extensibility Points)
• Load programs on system boot, user login,
and other condition
s
• Commonly used by malware to attain
persistenc
e
• Windows provides hundreds of registry-
based persistence mechanism
s
• Some are still undocumented
30. Services
• Most common and widely used persistence
mechanis
m
• Services run in the backgroun
d
• Usually under one of these login account
s
• Local System (most powerful
)
• Network Syste
m
• Local Service
31. Services in the Registry
• Each service has its own subkey unde
r
• HKLMCurrentControlSetservicesservicenam
e
• With this information
:
• DisplayName and Descriptio
n
• ImagePat
h
• How service start
s
• Type of service, such as driver or process
33. Service Control Manager
• Services.ex
e
• Launches Windows services upon startu
p
• Command-line "sc" command lets you
examine, start, stop, and create services
38. Active Setup
• Facilitates software installation and update
s
• Subkeys named with GUIDs (long random-looking
numbers
)
• Malware authors often re-use GUIDs so Googling them
can be usefu
l
• StubPath points to an EXE that will run on startup
39. AppInit_DLLs
• DLLs that will be automatically loaded whenever
a user-mode app linked to user32.dll is
launche
d
• Almost every app uses user32 to draw
windows, etc. (link Ch 12p)
40. AppInit_DLLs
• Starting in Windows 8, the AppInit_DLLs
infrastructure is disabled when secure boot is
enable
d
• Secure boot is a UEFI protocol and not a
Windows 8 feature.
41. LSA (Local Security
Authority) Packages
• Load on startu
p
• Intended for authentication packages, but can
be used to launch malware
42. Browser Helper Objects
(BHOs)
• Add-ons or plug-ins for Internet Explore
r
• Such as toolbars, adware, scarewar
e
• No longer supported in Edge
43. Shell Extensions
• Like Browser Helper Objects, but for
Windows Explore
r
• Add context items when right-clicking a
fi
l
e
• Found at
:
• HKCRCLSID{CLSID}InprocServer32
• HKCR{sub-key}shellex
45. Winlogon Shell
• The shell that loads when a user logs o
n
• Normally set to Explorer.ex
e
• Can be set to any executable
fi
le
46. Winlogon Userinit
• Loads logon and group policy scripts, other
auto-runs, and the Explorer shel
l
• Attackers can append additional executables
to this value
47. Identifying Malicious
Auto-Runs
• Eyeball it, looking for suspicious
fi
les or
paths, spelling errors, broken English, etc
.
• Risky; real commercial software is often
sloppily made, and some attackers are
carefu
l
• Next slide: which item is malicious?
49. Real DLL is iprip.dll
Spelling error but genuine
No description, runs from Temp, but genuine
50. Recommended Steps
1. Exclude persistent binaries signed by trusted
publishers (but not all signed binaries
)
2. Exclude persistent items created outside the
time window of interes
t
3. Examine paths of remaining persistent binarie
s
• Attackers tend to use Temp folders or
common directories within %SYSTEMROOT
%
• Not deeply nested subdirectories speci
fi
c to
obscure third-party applications
51. Recommended Steps
4. Research MD5 hashes for remaining
persistent binaries on VirusTotal, Bit9, etc
.
5. Compare remaining unknowns against a
known "gold image" used to install the
systems
53. Signed Malware
• Attackers have been stealing code-signing
signatures, and signing malwar
e
• Also, not all legitimate persistent
fi
les, even
Windows components, are signe
d
• Sometimes updates remove signatures
56. Personalization
• User hive registry keys contain
personalization settings for each use
r
• First priority: examine compromised
account
s
• Acquire NTUSER.DAT and USRCLASS.DA
T
• Check machine accounts, such as
NetworkService and LocalSyste
m
• May also contain evidence
58. Shellbags
• Used to remember size,
position, and view settings of
window
s
• Persist even if a directory is
delete
d
• Saved in a user’s pro
fi
le
registry hive
59. Shellbags Contain
• Full directory paths accessed via Explore
r
• Date and time of acces
s
• Modi
fi
ed, Accessed, and Created times of
each path recorded when the access
occurre
d
• Such historical records are very useful to
track attacker actions
61. UserAssist
• Tracks applications a user has launched through
the Windows Explorer shel
l
• Populates Start menu with frequently launched
programs
62. UserAssist v. Prefetch
• UserAssist only tracks items opened via
Explore
r
• Including from the Run box and Start men
u
• But not from the command promp
t
• Prefetch
fi
les don't identify which user
executed a program
64. MUICache
• Multilingual User Interfac
e
• Another list of programs executed by a use
r
• HKEY_USERS{SID}_ClassesLocalSettingsSoftware
MicrosoftWindowsShellMuiCache
65. Most Recently Used
(MRU) Keys
• Used by
many
application
s
• No standard
registry
path or
value
naming
convention
67. Explorer Open and Save
MRU
• Files and folders most recently accessed in
the Open and Save dialog menu
s
• RegRipper can
fi
nd the data
68. Start Menu Run MRU
• Programs recently launched from the Run bo
x
• Human-readabl
e
• HKEY_USERS{SID}SoftwareMicrosoftWindows
CurrentVersionExplorerRunMRU
69. RecentDocs
• Recently opened documents (any
fi
le
extension
)
• Used to populate File menu of various
application
s
• HKEY_USERS{SID}SoftwareMicrosoft
WindowsCurrentVersionExplorer
RecentDocs
70. Internet Explorer
TypedURLs & TypedPaths
• Used to populate the address bar drop-down
list in Internet Explore
r
• May contain URLs and paths to local
fi
le
s
• HKEY_USERS{SID}SoftwareMicrosoft
InternetExplorerTypedURL
s
• HKEY_USERS{SID}
SoftwareMicrosoftInternetExplorer
TypedPaths
71.
72. Proves Intent
• User typed (or pasted) these URLs into the
address ba
r
• Didn't just click a link
73. Remote Desktop MRU
• Used to remotely control Windows machine
s
• Maintains history of recent connections and
con
fi
guration dat
a
• May tell you where a user connected and who
they attempted to log in as