CSN11121/CSN11122 System Administration and Forensics
Windows Registry & Timeline
r.ludwiniak@napier.ac.uk

Lecture Objectives
1. Windows Registry
   – Structure
   – Properties
   – Examples
2. Timeline Analysis
   – Time Zones
   – Case Study

The Registry: Road to a Central Depository
• DOS – config.sys & autoexec.bat
• Windows 3.0 – INI file
• Windows 3.1 – Start of the idea of a central repository
• Windows 95 and beyond – Establishment and expansion of the registry

Understanding the Windows Registry
• Registry – A database that stores hardware and software configuration information, network connections, user preferences, and setup information
• For investigative purposes, the Registry can contain valuable evidence
• To view the Registry, you can use:
  – Regedit (Registry Editor) for Windows 9x systems
  – Regedt32 for Windows 2000 and XP

Organisation and Terminology
• At the physical level
  – Files called hives
  – Located in: %SYSTEMROOT%\System32\config
• Keys (analogous to folders)
• Values (analogous to files)
• Hierarchy:
  – Hives
    • Keys
      – Values
(Diagram: Hive → Key → Value)

Hive Properties
• HKEY_USERS – all loaded user data
• HKEY_CURRENT_USER – currently logged-on user (NTUSER.DAT)
• HKEY_LOCAL_MACHINE – array of software and hardware settings
• HKEY_CURRENT_CONFIG – hardware and software settings at startup
• HKEY_CLASSES_ROOT – information about which application is to be used to open files

Registry File Locations and Purposes

Windows 7 Root Keys

Registry: A Wealth of Information
Information that can be recovered includes:
– System Configuration
– Devices on the System
– User Names
– Personal Settings and Browser Preferences
– Web Browsing Activity
– Files Opened
– Programs Executed
– Passwords

Forensic Analysis – Hardware

Forensic Analysis – User ID
• SID (security identifier)
  – Well-known SIDs
    • SID: S-1-0 – Name: Null Authority
    • SID: S-1-5-2 – Name: Network
  – S-1-5-21-2553256115-2633344321-4076599324-1006
    • S – the string is a SID
    • 1 – revision number
    • 5 – authority level (from 0 to 5)
    • 21-2553256115-2633344321-4076599324 – domain or local computer identifier
    • 1006 – RID (relative identifier)
  – The local SAM resolves SIDs for locally authenticated users (not domain users)
  – Use the recycle bin to check for owners

Forensic Analysis – Software

Windows Security and Relative ID
• The Windows Registry utilizes an alphanumeric combination to uniquely identify a security principal or security group.
• The Security ID (SID) is used to identify the computer system.
• The Relative ID (RID) is used to identify the specific user on the computer system.
• The SID appears as:
  – S-1-5-21-927890586-3685698554-67682326-1005

Forensic Analysis – NTUSER.DAT
• Internet Explorer
  – IE auto logon and password
  – IE search terms
  – IE settings
  – Typed URLs
  – Auto-complete passwords

Forensic Analysis – NTUSER.DAT: Internet Explorer Typed URLs

Forensic Analysis – MRU List
A “Most Recently Used” (MRU) list contains entries made as a result of specific actions performed by the user. There are numerous MRU list locations throughout various Registry keys. These lists are maintained in case the user returns to them in the future. Essentially, their function is similar to that of history and cookies in a web browser.

Forensic Analysis – Last Opened Application in Windows

Forensic Analysis – USB Devices

Registry Forensics Case Study (Chad Steel: Windows Forensics, Wiley)
A department manager alleged that an individual had copied confidential information to DVD.
No DVD burner was issued or found.
The laptop was analyzed.
A USB device entry was found in the registry: PLEXTOR DVDR PX-708A.
A software key for Nero – Burning ROM was found in the registry.
Therefore, Nero compilation files (.nrc) were looked for and found.
Other compilation files were found, including ISO image files.
The image files contained DVD-format and AVI-format versions of copyrighted movies.
Conclusion: No evidence that company information was burned to disk. However, the laptop had been used to burn copyrighted material and the employee had lied.
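The SID breakdown on the User ID slide can be checked mechanically. The following Python is an added example written for this page, not code from the lecture or from any forensic tool: it splits a textual SID into the fields the slides name (revision, authority, domain or local computer identifier, RID), looks up the two well-known SIDs the slides list, and also decodes the binary SID layout found inside registry security descriptors (revision byte, sub-authority count byte, 48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities), which the slides do not cover. The names for RIDs 500 and 501 are standard Windows conventions, not values taken from the slides.

```python
import struct

# Well-known SIDs listed on the slides (constructed lookup table; not exhaustive).
WELL_KNOWN_SIDS = {
    "S-1-0": "Null Authority",
    "S-1-5-2": "Network",
}

# Well-known account RIDs in a local SAM or domain (standard Windows convention;
# the slides themselves only show RIDs 1005 and 1006).
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "Guest"}


def parse_sid_string(sid):
    """Split a textual SID into its fields.

    Layout as on the slides: 'S' prefix, revision, identifier authority, then
    zero or more 32-bit sub-authorities.  For machine/domain SIDs (authority 5,
    first sub-authority 21) the last sub-authority is the RID that tells one
    account on that machine apart from another.
    """
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision = int(parts[1])
    authority = int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    if any(s < 0 or s > 0xFFFFFFFF for s in subauths):
        raise ValueError("sub-authority out of 32-bit range: %r" % sid)

    result = {
        "revision": revision,
        "authority": authority,
        "subauthorities": subauths,
        "domain_identifier": None,   # the '21-...' machine or domain part
        "rid": None,
        "name": WELL_KNOWN_SIDS.get(sid),
    }
    if authority == 5 and len(subauths) >= 2 and subauths[0] == 21:
        rid = subauths[-1]
        result["rid"] = rid
        result["domain_identifier"] = "-".join(str(s) for s in subauths[:-1])
        result["name"] = WELL_KNOWN_RIDS.get(rid, "local or domain account")
    return result


def parse_sid_binary(data):
    """Decode a binary SID: revision (1 byte), sub-authority count (1 byte),
    48-bit big-endian identifier authority, then count x 32-bit little-endian
    sub-authorities.  Returns the textual form and the parsed fields."""
    if len(data) < 8:
        raise ValueError("binary SID too short")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("binary SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subauths = struct.unpack_from("<%dI" % count, data, 8)
    text = "-".join(["S", str(revision), str(authority)] + [str(s) for s in subauths])
    return text, parse_sid_string(text)


def sid_to_binary(sid):
    """Inverse of parse_sid_binary; used here to construct sample input."""
    fields = parse_sid_string(sid)
    subauths = fields["subauthorities"]
    return (bytes([fields["revision"], len(subauths)])
            + fields["authority"].to_bytes(6, "big")
            + struct.pack("<%dI" % len(subauths), *subauths))


if __name__ == "__main__":
    for s in ("S-1-0", "S-1-5-2", "S-1-5-21-2553256115-2633344321-4076599324-1006"):
        print(s, parse_sid_string(s))
    # Round trip the second SID from the slides through the binary form.
    blob = sid_to_binary("S-1-5-21-927890586-3685698554-67682326-1005")
    print(blob.hex(), parse_sid_binary(blob)[0])
```

When reviewing a ProfileList or SAM export, the domain identifier tells you whether two accounts belong to the same machine or domain, and the RID alone is what distinguishes them; a SID with a different domain identifier but the same RID is a different principal.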
Monitoring the Registry
• The registry is highly complex, and there is not one single point of reference
• Experimentation allows you as an investigator to find out for yourself what has occurred
• Real-time experimentation helps with post-mortem analysis
• Regmon (replaced by Procmon) from Microsoft – Monitors the registry in real time

RegRipper
RegRipper is an open-source application for extracting, correlating, and displaying specific information from Registry hive files from the Windows NT (2000, XP, 2003, Vista and 7) family of operating systems.

Date and Time

System Time
• Determined by booting into the BIOS and comparing it with an external source
  – Radio signal clock or time server
• CMOS Clock
  – Complementary Metal Oxide Semiconductor (CMOS) chip
  – Accessed by most operating systems to determine the time

Operating System Time
• Is embedded within the file system or high-level file metadata
• Will take into account local time (or not!)
• Can confuse an investigation depending on tool configuration and time zone
• Will ask for the time from the BIOS CMOS

Program Time
• Programs will ask for the time from the OS
• They can bypass the OS and ask for the time directly from the BIOS
• It’s important to check and understand where a program gets its time details from.
OS Time – DOS
• MS-DOS time/date format (FAT file system)
• Stored as local time
• Used for MAC information
• 32-bit structure
  – Seconds (5 bits from offset 0)
  – Minutes (6 bits from offset 5)
  – Hours (5 bits from offset 11)
  – Days (5 bits from offset 16)
  – Months (4 bits from offset 21)
  – Years (7 bits from offset 25)

64-Bit Windows FILETIME
• 64-bit number measuring the number of 100 ns intervals since 00:00:00, 1st Jan 1601
  – 58,000-year lifetime
• Stored in the MFT – MAC

C/Unix Time
• 32-bit value
• Number of seconds elapsed since the epoch – 1st January 1970, 00:00:00 GMT
• Limit – Monday, December 2nd, 2030, 19:42:58 GMT

Local and UTC Time Translation
• Coordinated Universal Time (UTC)
  – Effectively the same as GMT
• Modern operating systems calculate the difference between local time and UTC and store the time/date as UTC

Local Time vs UTC
• 00 DB A2 F7 5C B1 C5 01 (local time)
  – 127703177299680000
• 00 7B B4 7E 7E B1 C5 01 (GMT)
  – 127703321299680000
• Difference:
  – 144,000,000,000
• Verify:
  – 3,600 s in 1 hour; 14,400 s in 4 hours
  – 100 ns = one ten-millionth of a second
  – 14,400 × 10,000,000 = 144,000,000,000, i.e. 4 hours

Time and the Registry
• ME/XP/Vista/Windows 7
  – HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation\Bias
• ActiveTimeBias
  – Amount of time (+ or -) to add to UTC
  – StandardName – Time Zone
• Examples:
  – GMT – No adjustment required
  – GMT (Daylight Saving) – Ahead of GMT, therefore a negative value
  – EST

Case Study – Time and Tools
C. Boyd, P. Forster, “Time and date issues in forensic computing – a case study”, Digital Investigation, no. 1, pp. 18–23, 2004

Scenario
• An email trace identifies an individual suspected of involvement in the communication of child abuse images
• Warrant obtained, and computer equipment seized
• Relatively simple examination:
  – Email traces
  – Identification of child abuse images

Scenario
• During the examination, the suspect failed to provide an explanation for the images
• The defence employed an expert to comment on the evidence
  – Supplied with the forensic images of the computer
  – Police Forensic Statement

Expert Report
‘The defendant’s computer [ID number] was used to access the Internet after it was seized and was in police custody. Approximately 750 records of Internet access are time stamped during the six hours or so after the computer was seized.’
‘Pages accessed included Hotmail login pages and a possible child pornography site. Floppy diskettes were also used.’
‘There is substantial evidence that is consistent with the Defendant’s computer [ID number] being altered while it was in police custody.’
‘However I am sure that there are so many grave problems with this evidence, and with all the computer evidence submitted by the prosecution, that the Court cannot safely rely on it.’

What went wrong?
• Did the police frame the suspect?
• Did the examiners commit the sin of booting the system while the machine was in their custody?

Tool/Examiner Error
• EnCase v4 was used to extract the time bias
• The system was set to an offset of 0x00001e1 (+480 minutes), or Pacific Standard Time (PST)
• NetAnalysis was used to perform the Internet browsing analysis
  – It was not configured with the correct bias
• It looked as if the files were opened after the system was in custody.
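The three timestamp formats described above (MS-DOS/FAT, Windows FILETIME, C/Unix) and the time-zone bias at the heart of the case study, as one added Python example written for this page (not code from the lecture, from EnCase or from NetAnalysis). It decodes the FAT bitfields exactly as the slide lays them out, decodes the two FILETIME byte strings from the Local Time vs UTC slide and reproduces the 4-hour check, converts a FILETIME to C/Unix seconds, and applies an ActiveTimeBias using the Windows sign convention UTC = local + bias (so PST is +480 and a zone ahead of GMT is negative). The final function shows the effect of the NetAnalysis misconfiguration: a UTC value read as if it were already local appears eight hours later on a PST machine. The seizure time and browsing record in the demo are constructed sample values, and two FAT details the slide omits are assumed from the FAT specification: the seconds field counts two-second units and the year field counts from 1980.

```python
from datetime import datetime, timedelta

# ---- MS-DOS / FAT 32-bit date-time (stored as local time) -----------------
# Bit layout as given on the slide: seconds 5 bits at offset 0, minutes 6 bits
# at 5, hours 5 bits at 11, day 5 bits at 16, month 4 bits at 21, year 7 bits
# at 25.  Assumed from the FAT specification (not on the slide): the seconds
# field counts two-second units (0-29) and the year field is an offset from 1980.
def dos_datetime_to_datetime(value):
    two_seconds = value & 0x1F
    minutes = (value >> 5) & 0x3F
    hours = (value >> 11) & 0x1F
    day = (value >> 16) & 0x1F
    month = (value >> 21) & 0x0F
    year = ((value >> 25) & 0x7F) + 1980
    return datetime(year, month, day, hours, minutes, two_seconds * 2)


def datetime_to_dos_datetime(dt):
    """Inverse of the above, used to construct sample values; odd seconds round down."""
    return ((dt.year - 1980) << 25 | dt.month << 21 | dt.day << 16
            | dt.hour << 11 | dt.minute << 5 | dt.second // 2)


# ---- Windows FILETIME: 100 ns ticks since 1601-01-01 00:00:00 UTC ----------
FILETIME_EPOCH = datetime(1601, 1, 1)   # naive datetimes, all treated as UTC
UNIX_EPOCH = datetime(1970, 1, 1)
TICKS_PER_SECOND = 10_000_000


def filetime_from_bytes(raw):
    """Decode the 8 little-endian bytes as they appear in a hex dump."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    return int.from_bytes(raw, "little")


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def filetime_to_unix(ft):
    """Whole seconds since 1970-01-01 00:00:00 (the C/Unix time form)."""
    return (filetime_to_datetime(ft) - UNIX_EPOCH) // timedelta(seconds=1)


def filetime_difference_hours(ft_a, ft_b):
    return (ft_b - ft_a) / TICKS_PER_SECOND / 3600


# ---- Registry time-zone bias ----------------------------------------------
# TimeZoneInformation\ActiveTimeBias is in minutes with the Windows sign
# convention UTC = local + bias: PST (UTC-8) is +480, a zone ahead of GMT is
# negative.
def local_to_utc(local_dt, active_time_bias_minutes):
    return local_dt + timedelta(minutes=active_time_bias_minutes)


def utc_to_local(utc_dt, active_time_bias_minutes):
    return utc_dt - timedelta(minutes=active_time_bias_minutes)


def accessed_after_seizure(ft, seizure_local, active_time_bias_minutes, apply_bias=True):
    """Compare a UTC FILETIME with a seizure time noted in local time.
    apply_bias=False reproduces the case-study error: the UTC value is read
    as if it were already local time."""
    stamp = filetime_to_datetime(ft)
    local = utc_to_local(stamp, active_time_bias_minutes) if apply_bias else stamp
    return local > seizure_local


if __name__ == "__main__":
    # Slide values: the same instant stored as local time and as GMT.
    local_ft = filetime_from_bytes(bytes.fromhex("00DBA2F75CB1C501"))
    gmt_ft = filetime_from_bytes(bytes.fromhex("007BB47E7EB1C501"))
    print(local_ft, gmt_ft, gmt_ft - local_ft)
    print(filetime_difference_hours(local_ft, gmt_ft), "hours")
    print(filetime_to_datetime(gmt_ft), "UTC; unix", filetime_to_unix(gmt_ft))

    # Constructed PST example: a browsing record at 10:30 local (18:30 UTC) on
    # a machine seized at 11:00 local, with the bias applied and then ignored.
    record = datetime_to_filetime(datetime(2005, 9, 4, 18, 30))
    seized = datetime(2005, 9, 4, 11, 0)
    print(accessed_after_seizure(record, seized, 480),
          accessed_after_seizure(record, seized, 480, apply_bias=False))
```

The two slide values decode to the same calendar day four hours apart, and the constructed PST record is correctly placed before seizure only when the +480 minute bias is applied; with the bias ignored the same record appears to fall seven and a half hours after the machine was taken, which is the pattern the defence expert saw.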
Checklist for Date/Time Evidence
• Identify the type of time structure being used to represent local time or UTC
• Look for corroboration in the form of additional times, dates and activities on the computer and away from it
• Test your results using the same operating system and application versions that are present on the computer being examined

Final Thoughts
• The tools being used were easy to access, but highlighted a lack of fundamental knowledge on the part of the examiner
• Experimentation and testing are key to strong investigations