
Windows System Artifacts
COMP 2555: Principles of Computer Forensics
Autumn 2014
http://www.cs.du.edu/2555
L6: Windows System Artifacts

1 Understanding the Windows Registry

- Registry
  - A database that stores hardware and software configuration information, network connections, user preferences, and setup information
- To view the Registry, you can use:
  - Regedit (Registry Editor) program for Windows 9x systems
  - Regedt32 for later versions


2 Organization of the Windows Registry

- Registry terminology:
  - Registry
  - Registry Editor
  - HKEY
  - Key
  - Subkey
  - Branch
  - Value
  - Default value
  - Hives

3 Windows Registry Viewer

4 Configuration Files in Windows 9x/Me

Filename and location | Purpose
Windows\System.dat | User-protected storage area; contains installed program settings, usernames and passwords associated with installed programs, and system settings
Windows\User.dat, Windows\profile\user-account | Contains the most recently used (MRU) files list and desktop configuration settings; every user account created on the system has its own user data file

5 Configuration Files in NT/2000/XP/Vista

Filename and location | Purpose
Documents and Settings\user-account\Ntuser.dat | User-protected storage area; contains the MRU files list and desktop configuration settings
Winnt\system32\config\Default | Contains the computer's system settings
Winnt\system32\config\SAM | Contains user account management and security settings
Winnt\system32\config\Security | Contains the computer's security settings
Winnt\system32\config\Software | Contains installed program settings and associated usernames and passwords
Winnt\system32\config\System | Contains additional computer system settings

6 Typical HKEYs

HKEY | Function
HKEY_CLASSES_ROOT (HKCR) | Symbolic link to HKEY_LOCAL_MACHINE\SOFTWARE\Classes; provides file type and file extension information, URL protocol prefixes, etc.
HKEY_CURRENT_USER (HKCU) | Symbolic link to HKEY_USERS; stores settings for the currently logged-on user
HKEY_LOCAL_MACHINE (HKLM) | Contains information about installed hardware and software
HKEY_USERS (HKU) | Stores information for the users; only one key in this HKEY is linked to HKEY_CURRENT_USER
HKEY_CURRENT_CONFIG (HKCC) | Symbolic link to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\HardwareProfile\xxxx (with xxxx representing the current hardware profile); contains hardware configuration settings
HKEY_DYN_DATA (HKDD) | Used only in Windows 9x/Me systems; stores hardware configuration settings

7 A Few Interesting Places

- Use ProDiscover Basic to extract the Registry-related files from an image
- Use AccessData Registry Viewer to see what information you can find in these files
- System Hive: HKLM\SYSTEM
  - Running services: CurrentControlSet\Services
- Software Hive: HKLM\SOFTWARE
  - Installed applications: keys at hive root
  - Install info: Microsoft\Windows\CurrentVersion\Uninstall
  - Check \Software\Microsoft\Windows\CurrentVersion\Uninstall in the NTUSER.DAT hive for user-specific application installs
8 A Few Interesting Places

- Software Hive: HKLM\SOFTWARE
  - File extension analysis: subkeys in the Classes key
    - useful for standalone applications (that do not appear in the Registry)
  - Network list: Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures
    - Follow up using the GUID on: NetworkList\Profiles
  - Scheduled tasks: Tree\Microsoft\Windows in Windows 7, or Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache earlier

9 A Few Interesting Places

- User Hive: HKCU\ or HKU\<profile id>
  - NTUSER.DAT and USRCLASS.DAT
  - Search in Start Menu: Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
    - Key ACMru in Windows XP
  - Recently executed programs: Local Settings\Software\Microsoft\Windows\Shell\MUICache
  - User activity: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
  - Recent documents: Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

10 Timelines

- Events occur on a system all the time
  - System restore points are created (every 24 hours)
  - Hard drive is de-fragmented (every three days)
  - Files are created, modified, and deleted
  - Registry keys and values are created by applications
  - …
- Many of these events are logged in multiple places across the system
- A timeline is a summary of these events ordered by time
- Time data in some places may be easily mutable; may not be in others

11 Creating Timelines

- You may begin with a timeline of all events in the system
  - Collect all activities with time stamps
  - Scan through them to find what is meaningful
- Build a timeline a layer at a time based on the goals of the analysis
  - Begin with activity logs that might be related to the event in question
  - Add more data sources to bring the available context into focus
12 Time Formats

- 64-bit FILETIME format
  - number of 100-nanosecond intervals since January 1, 1601
- 32-bit Unix format
  - number of seconds since January 1, 1970 relative to the UTC time zone
- String format
  - 01/02/2010 2:00 PM (local time zone)
- Windows SYSTEMTIME format
  - 8x32-bit structure encoding (year, month, day-of-week, day, hour, minute, second, millisecond)
- Application's own format

13 Parts of a Timeline Entry

- Time: when did an event occur?
- Source: from where is this entry extracted?
  - The data source
  - File system, registry, log file, etc.
- System: some form of device identifier
  - Hostname, IP address, MAC address, etc.
- User: user associated with the event
  - Depends on whether user information is available in the time-stamped data
- Description: brief description of the event
  - Warning, info, error messages from log files
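The point of slides 12 and 13 is that every source stores time differently and a timeline only works once everything is normalised to one clock. The following example, added here and not part of the lecture slides, converts the four formats named on slide 12 to UTC (the SYSTEMTIME is unpacked with the 16-bit WORD fields of the Win32 declaration) and sorts the resulting entries, each carrying the five parts listed on slide 13. The host name, user name and all time values are constructed for the example.

```python
"""Added example (not from the COMP 2555 slides): convert the time formats
listed on slide 12 to UTC and assemble entries with the fields of slide 13.
All sample values and host/user names below are constructed."""
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=UTC)
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=UTC)
# The Unix epoch expressed as a FILETIME: 11644473600 s * 10^7 ticks/s
FILETIME_UNIX_EPOCH = 116444736000000000


def filetime_to_datetime(ft):
    """64-bit FILETIME: 100-nanosecond intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def unix_to_datetime(secs):
    """32-bit Unix time: seconds since 1970-01-01 UTC."""
    return EPOCH_1970 + timedelta(seconds=secs)


def systemtime_to_datetime(raw):
    """SYSTEMTIME as declared in the Win32 headers: eight 16-bit WORDs in the
    order year, month, day-of-week, day, hour, minute, second, millisecond.
    Day-of-week follows from the date and is ignored here."""
    year, month, _dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    return datetime(year, month, day, hour, minute, second, ms * 1000, tzinfo=UTC)


def string_to_datetime(text, utc_offset_hours):
    """Local-time string such as "01/02/2010 2:00 PM". The zone is not in the
    string, so the examiner must supply the machine's UTC offset."""
    local = datetime.strptime(text, "%m/%d/%Y %I:%M %p")
    zone = timezone(timedelta(hours=utc_offset_hours))
    return local.replace(tzinfo=zone).astimezone(UTC)


def timeline_entry(time, source, system, user, description):
    """One timeline row: the five parts named on slide 13, time always in UTC."""
    return {"time": time, "source": source, "system": system,
            "user": user, "description": description}


def build_timeline(entries):
    """Order by time so events from different sources interleave correctly."""
    return sorted(entries, key=lambda e: e["time"])


# Constructed events for one host, each arriving in a different time format.
CONSTRUCTED_EVENTS = [
    timeline_entry(filetime_to_datetime(129069144000000000),   # 2010-01-02 14:00:00 UTC
                   "file system ($STANDARD_INFORMATION)", "HOST1", None,
                   "report.docx created"),
    timeline_entry(unix_to_datetime(1262440740),                # one minute earlier
                   "Application event log", "HOST1", "alice",
                   "application error logged"),
    timeline_entry(systemtime_to_datetime(struct.pack("<8H", 2010, 1, 6, 2, 14, 0, 30, 0)),
                   "service status dump (SYSTEMTIME)", "HOST1", None,
                   "service started"),
    timeline_entry(string_to_datetime("01/02/2010 2:00 PM", -7),  # host clock set to UTC-7
                   "application log (string)", "HOST1", "alice",
                   "user logged on"),
]


def timeline_descriptions(entries=CONSTRUCTED_EVENTS):
    """Descriptions in chronological order. The string-format event reads as
    '2:00 PM' like the FILETIME one, but sorts last once its zone is applied."""
    return [e["description"] for e in build_timeline(entries)]


if __name__ == "__main__":
    for e in build_timeline(CONSTRUCTED_EVENTS):
        print(e["time"].isoformat(), e["source"], e["system"], e["user"], e["description"])
```

The string-format event is the one to watch: without the host's UTC offset it would be placed seven hours too early, next to the file creation, instead of at the end of the day.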

14 Data Sources

- File System metadata
- Event logs
- Prefetch files
- Jump lists (Windows 7)
- Recycle bin
- Registry

15 File System Metadata

- Standard Information attribute (0x10) has four time-stamps
  - MACE: file Modified, file Accessed, file Created, MFT Entry modified
- Filename attribute (0x30) also has the same four time-stamps
  - But times here correspond to the time of first creation, access or modification
- Time-stamps in the standard information attribute can never be earlier than those in the filename attribute
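The last bullet is a usable consistency check: if a $STANDARD_INFORMATION time is earlier than the matching $FILE_NAME time, the value did not get there through ordinary file activity. The following example, added here and not part of the slides, reads the four MACE FILETIMEs from the body of each attribute (the first 32 bytes of $STANDARD_INFORMATION; in $FILE_NAME they follow the 8-byte parent directory reference) and reports which fields violate the rule. The attribute bodies, the base time and the record numbers are constructed for the example, not carved from a real MFT.

```python
"""Added example (not from the slides): read the four MACE time-stamps from
the body of an NTFS $STANDARD_INFORMATION (0x10) attribute and of a
$FILE_NAME (0x30) attribute, then flag the case the slide rules out: a
$STANDARD_INFORMATION time earlier than the $FILE_NAME time. The attribute
bodies are constructed with struct, not carved from a real MFT."""
import struct
from datetime import datetime, timedelta, timezone

# On-disk order of the FILETIME fields in both attributes
MACE_FIELDS = ("created", "modified", "mft_modified", "accessed")
TICKS_PER_SECOND = 10_000_000            # FILETIME = 100 ns since 1601-01-01 UTC


def filetime_to_datetime(ft):
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_standard_information(body):
    """$STANDARD_INFORMATION: the four FILETIMEs occupy the first 32 bytes."""
    return dict(zip(MACE_FIELDS, struct.unpack_from("<4Q", body, 0)))


def parse_file_name(body):
    """$FILE_NAME: an 8-byte parent directory reference precedes the FILETIMEs."""
    return dict(zip(MACE_FIELDS, struct.unpack_from("<4Q", body, 8)))


def find_timestamp_anomalies(si, fn):
    """Fields whose $STANDARD_INFORMATION value precedes the $FILE_NAME value.
    Ordinary file APIs update only $STANDARD_INFORMATION, so a value that
    has moved behind $FILE_NAME did not get there through normal use."""
    return [f for f in MACE_FIELDS if si[f] < fn[f]]


def describe(si, fn):
    """Human-readable comparison, one line per MACE field."""
    lines = []
    for f in MACE_FIELDS:
        flag = "  <-- SI earlier than FN" if si[f] < fn[f] else ""
        lines.append(f"{f:13s} SI={filetime_to_datetime(si[f]).isoformat()} "
                     f"FN={filetime_to_datetime(fn[f]).isoformat()}{flag}")
    return lines


# --- constructed attribute bodies -------------------------------------------
BASE = 129069144000000000                 # 2010-01-02 14:00:00 UTC
ONE_MINUTE = 60 * TICKS_PER_SECOND
ONE_YEAR = 365 * 86400 * TICKS_PER_SECOND
ROOT_DIR_REF = 5 | (5 << 48)              # MFT record 5 (root), sequence 5

# $FILE_NAME keeps the times from when the name was created
FN_BODY = (struct.pack("<Q", ROOT_DIR_REF)
           + struct.pack("<4Q", BASE, BASE, BASE, BASE)
           + b"\x00" * 16)                # sizes, flags and name omitted

# Normal history: the file was edited a minute after creation
SI_NORMAL = struct.pack("<4Q", BASE, BASE + ONE_MINUTE, BASE + ONE_MINUTE,
                        BASE + ONE_MINUTE) + b"\x00" * 16

# Creation and modification pushed back a year: impossible through normal use
SI_BACKDATED = struct.pack("<4Q", BASE - ONE_YEAR, BASE - ONE_YEAR,
                           BASE + ONE_MINUTE, BASE + ONE_MINUTE) + b"\x00" * 16


def check(si_body, fn_body=FN_BODY):
    """Anomalous MACE fields for one record's pair of attribute bodies."""
    return find_timestamp_anomalies(parse_standard_information(si_body),
                                    parse_file_name(fn_body))


if __name__ == "__main__":
    for label, body in (("normal", SI_NORMAL), ("backdated", SI_BACKDATED)):
        print(label, check(body))
        print("\n".join(describe(parse_standard_information(body), parse_file_name(FN_BODY))))
```

Run on real data this is a triage filter, not proof: the $FILE_NAME times are reset when a file is moved or renamed, so each flagged record still needs its history checked against other sources before it goes on the timeline.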

16 NTFS Time Handling

- Last access times can be delayed by up to an hour
  - In order to improve performance in high-volume file servers
- Updates can be fully disabled by creating a registry entry
  - Create NtfsDisableLastAccessUpdate=1 in HKLM\SYSTEM\CurrentControlSet\Control\FileSystem
- File system tunneling
  - FAT and NTFS reuse file metadata if a file is deleted and immediately (within 15 seconds) recreated
  - Affects: delete(A)/create(A), delete(A)/rename(B,A), rename(A,B)/create(A), rename(A,B)/rename(C,A)
  - Change the time interval in the registry
    - Create MaximumTunnelEntryAgeInSeconds=<time> in HKLM\SYSTEM\CurrentControlSet\Control\FileSystem

17 Event Logs

- Windows records details of events in special log files
  - Special binary format in Windows 2000/XP/2003
    - Magic number: "LfLe" at offset 0x4 of each record
    - Four bytes prior to the magic number is the record size
  - Binary XML format in Windows Vista/7
- Types of logs
  - Application: events logged by programs
    - E.g. database program logging a file error
  - Security: logon auditing and system resource use
    - E.g. valid/invalid login attempts, creation/deletion/access of files
  - System: logs from system components
    - E.g. unable to load a driver

18 Event Log Entries

- Date and time of event
- User and host
- Event ID
  - a number signifying the event
  - www.eventid.net
  - www.ultimatewindowssecurity.com/securitylog/encyclopedia/
- Source of event
- Type
  - Error, warning, information, success audit, or failure audit

19 Log File Location

- Before Windows Vista, log file locations are specified in the registry
  - HKLM\System\CurrentControlSet\Services\EventLog
  - Three subfolders: System, Application and Security
  - FILE entry shows path to log files
  - Default: C:\Windows\System32\Config
- Starting with Vista
  - HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\
  - Default FILE value C:\Windows\System32\Winevt\Logs
  - Also has a Setup event log
    - Logs application setup information
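Slides 17 and 18 together describe enough of the Windows 2000/XP/2003 record layout to carve records without a viewer: "LfLe" at offset 4, the record size in the four bytes before it, and a fixed header that yields the time, event ID, type, source and host of an entry. The following example, added here and not part of the slides, scans a buffer for that magic, validates each candidate against the size copy stored in the record's last four bytes, and decodes the fields of slide 18. The buffer is built in the block with build_record() (no user SID, no binary data), so the source names, host name, event IDs and strings are constructed, not taken from a real .evt file.

```python
"""Added example (not from the slides): carve Windows 2000/XP/2003 event log
records from a byte buffer via the "LfLe" magic at offset 4 and the record
length in the four bytes before it, then decode the entry fields of slide 18.
The buffer is constructed with build_record(); it is not a real .evt file."""
import struct
from datetime import datetime, timedelta, timezone

MAGIC = b"LfLe"
MAGIC_DWORD = struct.unpack("<I", MAGIC)[0]
# Fixed 56-byte EVENTLOGRECORD header, little-endian:
# Length, Signature, RecordNumber, TimeGenerated, TimeWritten, EventID,
# EventType, NumStrings, EventCategory, ReservedFlags, ClosingRecordNumber,
# StringOffset, UserSidLength, UserSidOffset, DataLength, DataOffset
HEADER = "<IIIIIIHHHHIIIIII"
HEADER_SIZE = struct.calcsize(HEADER)
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information",
               8: "Success audit", 16: "Failure audit"}


def utf16z(text):
    """UTF-16LE string with its two-byte terminator, as stored in the record."""
    return text.encode("utf-16-le") + b"\x00\x00"


def read_utf16z(buf, pos):
    """Read a UTF-16LE string ended by a 16-bit zero; return (text, next_pos)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2


def build_record(number, time_generated, event_id, event_type, source, computer, strings=()):
    """Constructed record with no SID and no binary data (example only)."""
    names = utf16z(source) + utf16z(computer)
    str_blob = b"".join(utf16z(s) for s in strings)
    string_offset = HEADER_SIZE + len(names)
    length = string_offset + len(str_blob) + 4          # trailing copy of Length
    header = struct.pack(HEADER, length, MAGIC_DWORD, number, time_generated,
                         time_generated, event_id, event_type, len(strings), 0, 0,
                         0, string_offset, 0, string_offset, 0,
                         string_offset + len(str_blob))
    return header + names + str_blob + struct.pack("<I", length)


def parse_record(buf, start):
    """Parse the record whose Length field begins at `start`; None if malformed."""
    if len(buf) < start + HEADER_SIZE:
        return None
    fields = struct.unpack_from(HEADER, buf, start)
    length, sig, number, t_gen, _t_wri, event_id, etype, nstr = fields[:8]
    string_offset = fields[11]
    end = start + length
    if sig != MAGIC_DWORD or length < HEADER_SIZE + 4 or end > len(buf):
        return None
    # The size is repeated in the last 4 bytes; a mismatch means a torn or
    # partially overwritten record, so it is skipped rather than trusted.
    if struct.unpack_from("<I", buf, end - 4)[0] != length:
        return None
    source, pos = read_utf16z(buf, start + HEADER_SIZE)
    computer, _ = read_utf16z(buf, pos)
    strings, pos = [], start + string_offset
    for _ in range(nstr):
        s, pos = read_utf16z(buf, pos)
        strings.append(s)
    when = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=t_gen)
    return {"record": number, "time": when.isoformat(), "source": source,
            "host": computer,
            "event_id": event_id & 0xFFFF,      # Event Viewer shows the low 16 bits
            "type": EVENT_TYPES.get(etype, f"unknown({etype})"),
            "strings": strings}


def carve_records(buf):
    """Scan for "LfLe"; the Length field sits in the 4 bytes before it."""
    records, pos = [], 0
    while True:
        idx = buf.find(MAGIC, pos)
        if idx == -1:
            return records
        rec = parse_record(buf, idx - 4) if idx >= 4 else None
        if rec is None:
            pos = idx + 4                       # false hit: keep scanning
        else:
            records.append(rec)
            pos = idx - 4 + struct.unpack_from("<I", buf, idx - 4)[0]


T = 1262440800                                  # 2010-01-02 14:00:00 UTC (constructed)
CONSTRUCTED_LOG = (
    b"\xde\xad\xbe\xef" * 3                      # unrelated bytes before the first record
    + build_record(1, T, 1000, 1, "ConstructedApp", "HOST1", ("faulting module", "x.dll"))
    + b"LfLe"                                    # stray magic with no record around it
    + build_record(2, T + 60, 529, 16, "Security", "HOST1", ("alice",))
)

if __name__ == "__main__":
    for r in carve_records(CONSTRUCTED_LOG):
        print(r)
```

The stray magic between the two records is rejected because the length it implies runs past the end of the buffer; on a real log the same check discards hits inside string data or slack space, which is why the trailing size copy is worth reading before trusting a record.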
20 Tools for Log File Analysis

- Windows XP binary formats
  - Mount the acquired image in a professional tool (e.g. ProDiscover) and use the in-built event viewer
  - Obtain the event log file and extract event records
- XML format
  - Microsoft Logparser tool

21 Prefetch Files

- Prefetching
  - Often an application is loaded in parts
  - The disk is accessed for those parts as and when they are needed
  - Keeping a trace of the loading process helps quicken the application startup
    - By collectively loading the required parts before they are needed
- Windows keeps a trace of what parts of the application files are loaded in prefetch files
  - .pf files in C:\Windows\Prefetch
  - NTOSBOOT-B00DFAAD.pf – special prefetch file for the Windows boot process

22 Forensic Value of Prefetch Files

- Run count
  - Number of times the application has been run
- Volume
  - Identity of the media storage device
- Last run time
  - The last time the application was run
- Files
  - Files and directories used during the application's startup
- Offsets for this data in the prefetch files are different in Windows XP and Windows 7
  - See reference page

23 Windows Shortcuts

- Link to another file/folder on the system
- Is itself a file, so has its own time stamps
- Also encodes a snapshot of the target's MACE times before it was last opened
- Also encodes the size of the target file before it was last opened
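The version-dependent offsets are the practical trap on slide 22: a parser that hard-codes the XP positions reads zeros or garbage from a Windows 7 file. The following example, added here and not part of the slides, reads the format version from the first four bytes of a prefetch header and chooses the run-count and last-run offsets from it, taking the XP (version 17) and Windows 7 (version 23) layouts from the Forensics Wiki page listed under References. The two headers are constructed with build_header(); the executable names, hash values, run counts and times in them are made up. run_count_with_layout() shows what a mismatched layout returns.

```python
"""Added example (not from the slides): pull the run count and last run time
out of a prefetch file header, selecting the field offsets by the format
version because Windows XP (version 17) and Windows 7 (version 23) lay them
out differently. Offsets follow the Forensics Wiki Prefetch page the slides
reference; the two headers below are constructed, not real .pf files."""
import struct
from datetime import datetime, timedelta, timezone

SIGNATURE = b"SCCA"                    # bytes 4..7 of every .pf file
# format version -> (offset of last-run FILETIME, offset of 32-bit run count)
LAYOUT = {17: (0x78, 0x90),            # Windows XP
          23: (0x80, 0x98)}            # Windows Vista / 7
NAME_OFFSET, NAME_BYTES, HASH_OFFSET = 0x10, 60, 0x4C


def filetime_to_datetime(ft):
    """FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_prefetch(data):
    version = struct.unpack_from("<I", data, 0)[0]
    if data[4:8] != SIGNATURE:
        raise ValueError("missing SCCA signature")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch format version {version}")
    raw_name = data[NAME_OFFSET:NAME_OFFSET + NAME_BYTES]
    exe = raw_name.decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, HASH_OFFSET)[0]
    last_off, count_off = LAYOUT[version]
    last_run = struct.unpack_from("<Q", data, last_off)[0]
    run_count = struct.unpack_from("<I", data, count_off)[0]
    return {"version": version, "executable": exe, "hash": f"{pf_hash:08X}",
            "last_run": filetime_to_datetime(last_run), "run_count": run_count}


def run_count_with_layout(data, assumed_version):
    """Read the run count with another version's offset: what an examiner gets
    by applying the XP offsets to a Windows 7 file, or the reverse."""
    return struct.unpack_from("<I", data, LAYOUT[assumed_version][1])[0]


def build_header(version, exe, pf_hash, last_run_ft, run_count):
    """Constructed header: only the fields read above are populated."""
    buf = bytearray(0x100)
    struct.pack_into("<I", buf, 0, version)
    buf[4:8] = SIGNATURE
    struct.pack_into("<I", buf, 0x0C, len(buf))          # file size field
    name = exe.encode("utf-16-le")[:NAME_BYTES - 2]
    buf[NAME_OFFSET:NAME_OFFSET + len(name)] = name
    struct.pack_into("<I", buf, HASH_OFFSET, pf_hash)
    last_off, count_off = LAYOUT[version]
    struct.pack_into("<Q", buf, last_off, last_run_ft)
    struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)


LAST_RUN = 129069144000000000                     # 2010-01-02 14:00:00 UTC
XP_PF = build_header(17, "CALC.EXE", 0x0FE8F3D5, LAST_RUN, 7)         # constructed
WIN7_PF = build_header(23, "NOTEPAD.EXE", 0xD8414F97, LAST_RUN, 3)    # constructed

if __name__ == "__main__":
    for pf in (XP_PF, WIN7_PF):
        print(parse_prefetch(pf))
    print("XP file read with Win7 offsets:", run_count_with_layout(XP_PF, 23))
```

Later Windows versions use other version numbers and again different offsets, so an unknown version should be reported, as parse_prefetch() does, rather than parsed with the nearest known layout.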
24 Jump Lists

- List of recently opened files in a given application
- Introduced in Windows 7
- Right click on a program icon in the TaskBar to see the list
- Stored in the user's directory
  - AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
  - File extension .automaticDestinations-ms
  - File names are special identifiers of programs
    - E.g. "adecfb853d77462a" is MS Word 2007

25 Jump List Format

- Uses structured storage file format (OLE compound)
- Entries are called jump list streams
- Jump list streams have the same format as Windows shortcuts
  - All information you can obtain from shortcuts is also available here
  - They can also hold command line options in certain programs
    - E.g. C:\Windows\System32\mstsc.exe /v:192.168.1.24 in the Terminal Services Client
- The "DestList" stream stores time-stamps when the other streams were accessed (useful for sorting)
26 Recycle Bin

- A temporary place for deleted files
- Windows XP
  - RECYCLER directory
  - Deleted file moved to a subdirectory named according to user identifier
  - Name changed: starts with D, followed by drive letter, then a number
- Windows Vista and 7
  - Hidden $Recycle.Bin directory
  - Name changed: $R, followed by six characters

27 Recycle Bin INFO File

- Windows XP
  - Special INFO2 file maintains an index of
    - Original filename
    - Location of deleted file
    - When file was deleted
  - www.csisite.net/downloads/INFO2.pdf
- Windows Vista and 7
  - One file (544 bytes) starting with $I for each deleted file
  - Has data similar to INFO2, but for just one file
  - http://www.forensicfocus.com/forensic-analysis-vista-recycle-bin
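The 544-byte $I file on slide 27 is small enough to parse by hand: an 8-byte version field, the original size, the deletion time as a FILETIME, and a fixed 520-byte UTF-16 field holding the original path, which is exactly the information INFO2 kept per entry on XP. The following example, added here and not part of the slides, builds one such file, parses it back, and derives the matching $R name from the $I name using the shared six-character suffix described on slide 26. The path, size, time and file names are constructed for the example.

```python
"""Added example (not from the slides): parse the 544-byte $I index file that
Windows Vista/7 keeps next to each $R file in $Recycle.Bin. It holds what
INFO2 held for every file on XP (original path, size, deletion time), but
for a single file. The $I contents are constructed here with build_i_file()."""
import struct
from datetime import datetime, timedelta, timezone

I_FILE_SIZE = 544
# 8-byte format version (1), 8-byte original size, 8-byte FILETIME of deletion,
# then 520 bytes (260 UTF-16 code units) holding the original path
I_HEADER = "<QQQ"
PATH_BYTES = I_FILE_SIZE - struct.calcsize(I_HEADER)     # 520


def filetime_to_datetime(ft):
    """FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_i_file(data):
    if len(data) != I_FILE_SIZE:
        raise ValueError(f"expected {I_FILE_SIZE} bytes, got {len(data)}")
    version, size, deleted_ft = struct.unpack_from(I_HEADER, data, 0)
    if version != 1:
        raise ValueError(f"unexpected $I format version {version}")
    raw_path = data[struct.calcsize(I_HEADER):]
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]
    return {"original_path": path, "size": size,
            "deleted": filetime_to_datetime(deleted_ft)}


def build_i_file(path, size, deleted_ft):
    """Constructed $I content: the path is zero-padded to the fixed field size."""
    raw = path.encode("utf-16-le")
    if len(raw) > PATH_BYTES - 2:
        raise ValueError("path too long for the fixed 260-character field")
    return struct.pack(I_HEADER, 1, size, deleted_ft) + raw.ljust(PATH_BYTES, b"\x00")


def partner_name(i_name):
    """$I and $R files share the six characters after the prefix, so the
    index in $I<id> describes the content stored in $R<id>."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


DELETED_AT = 129069144000000000         # 2010-01-02 14:00:00 UTC (constructed)
CONSTRUCTED_I = build_i_file(r"C:\Users\alice\Documents\draft.docx", 12345, DELETED_AT)

if __name__ == "__main__":
    entry = parse_i_file(CONSTRUCTED_I)
    print(entry["deleted"].isoformat(), entry["size"], entry["original_path"])
    print(partner_name("$IQW4XZ1.docx"))
```

Because $I and $R are separate files, the two can survive independently: an $I with no $R still tells you what was deleted and when, while an orphaned $R still holds content that can be hashed and carved.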


28 Backed Up Files

- System Restore Points
  - C:\System Volume Information\_restore{…
  - Backs up registry, system files and application executables
  - System restores are logged
  - http://windowsir.blogspot.com/2006/10/restore-point-forensics.html
- Volume Shadow Copies
  - A backup of every block of the partition
  - Allows one to restore individual files
  - Tools like vssadmin and mklink allow you to list and mount shadow copies

29 Hibernation Files

- Hiberfil.sys
  - Compressed contents of Windows memory when the system goes to sleep
  - May contain processes and network connections from some point in the past
  - Will have to know how running programs are stored by Windows in memory
    - A.k.a. Memory Forensics
30 References

- Ch 6: B. Nelson, A. Phillips and C. Steuart, Guide to Computer Forensics and Investigations
- File system tunneling: http://support.microsoft.com/kb/q172190
- Event logs (Windows XP): http://support.microsoft.com/kb/308427
- Prefetch file format: http://www.forensicswiki.org/wiki/Prefetch
- Jump list IDs: http://www.forensicswiki.org/wiki/List_of_Jump_List_IDs
- THE INTERNET
