Mastering Windows Network Forensics and Investigation

Chapter 9: Registry Evidence
Evidence in Software Key:
• HKLM\SOFTWARE
• %SystemRoot%\system32\config\software
• Installed software
• Other locations for installed software
  – HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
  – HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Evidence in Software Key:
• Last Logon
  – HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
• Banners
  – HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Action Center & Firewall Settings:
• Action Center
  – Advises the user if the firewall is off, anti-virus is not installed or is out of date, or if updates are not turned on or are out of date
  – Settings stored in:
    • HKLM\SOFTWARE\Microsoft\Security Center
    OR
    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ActionCenter
Windows XP Security Center Settings:
Value                    Data  Description
AntiVirusDisableNotify   0     User will be notified.
                         1     User will not be notified.
FirewallDisableNotify    0     User will be notified.
                         1     User will not be notified.
UpdatesDisableNotify     0     User will be notified.
                         1     User will not be notified.
Windows 7 Action Center Settings:
Key Name  Function
100       Virus protection
101       Network firewall
102       Spyware and related protection
103       Windows updates
104       Internet security alerts

Registry Key Prefix  Description
23 00 41 00          Notification Disabled
01 00 00 00          Notification Enabled
Security Center & Firewall Settings:
• Windows Firewall
  – Released with XP Service Pack 2
  – Firewall is on by default
  – Powerful logging utility, but it is off by default in Windows XP
• Settings stored in registry
  – HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
Firewall Settings:
• Settings stored in registry
  – Subkey “DomainProfile” for domain
  – Subkey “StandardProfile” for local machine
  – Subkeys under each of the above:
    • “AuthorizedApplications”
    • “GloballyOpenPorts”
  – Subkey under each of the above:
    • “List” – lists settings in plain text
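The plain-text "List" values are easy to read but tedious to review by hand on an image with many exceptions. The following parser is an added example, not code from the book or from Microsoft; it assumes the XP SP2 value-data layout (path:scope:Enabled|Disabled:name for AuthorizedApplications, port:protocol:scope:Enabled|Disabled:name for GloballyOpenPorts, with "*" meaning any remote address), which the page does not spell out, and the sample values are constructed.

```python
"""Parse the plain-text firewall exception lists from the XP SP2 firewall
policy key (added example; not from the book).

Assumed value-data layout (XP SP2 firewall policy format, not stated on
the page):
  AuthorizedApplications\List :  <path>:<scope>:<Enabled|Disabled>:<name>
  GloballyOpenPorts\List      :  <port>:<TCP|UDP>:<scope>:<Enabled|Disabled>:<name>
scope is "*" (any remote address) or an address/subnet list such as LocalSubNet.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class AppException:
    path: str
    scope: str
    enabled: bool
    name: str


@dataclass
class PortException:
    port: int
    protocol: str
    scope: str
    enabled: bool
    name: str


def _state(token: str) -> bool:
    t = token.strip().lower()
    if t in ("enabled", "disabled"):
        return t == "enabled"
    raise ValueError(f"unknown state token {token!r}")


def parse_authorized_application(data: str) -> AppException:
    parts = data.split(":")
    # A drive-letter path ("C:\...") contributes a colon of its own, so
    # re-join the first two pieces when the first is a lone letter.
    if len(parts) >= 5 and len(parts[0]) == 1 and parts[0].isalpha():
        path, rest = parts[0] + ":" + parts[1], parts[2:]
    else:
        path, rest = parts[0], parts[1:]
    if len(rest) < 3:
        raise ValueError(f"malformed AuthorizedApplications entry: {data!r}")
    # The display name is the remainder; it may itself contain ':'.
    return AppException(path, rest[0], _state(rest[1]), ":".join(rest[2:]))


def parse_open_port(data: str) -> PortException:
    port, proto, scope, state, *name = data.split(":")
    return PortException(int(port), proto.upper(), scope, _state(state), ":".join(name))


def review_profile(apps: Dict[str, str], ports: Dict[str, str]) -> List[str]:
    """One finding per enabled exception, noting how far each one is reachable from."""
    findings = []
    for a in (parse_authorized_application(v) for v in apps.values()):
        if a.enabled:
            reach = "any remote address" if a.scope == "*" else a.scope
            findings.append(f"app exception: {a.path} ({a.name}) reachable from {reach}")
    for p in (parse_open_port(v) for v in ports.values()):
        if p.enabled:
            reach = "any remote address" if p.scope == "*" else p.scope
            findings.append(f"open port: {p.port}/{p.protocol} ({p.name}) reachable from {reach}")
    return findings


# Constructed sample values, shaped like StandardProfile\...\List entries.
SAMPLE_APPS = {
    r"C:\Program Files\Messenger\msmsgs.exe":
        r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"C:\Documents and Settings\jdoe\Local Settings\Temp\update.exe":
        r"C:\Documents and Settings\jdoe\Local Settings\Temp\update.exe:*:Enabled:Update Service",
    r"C:\Program Files\Old Tool\oldtool.exe":
        r"C:\Program Files\Old Tool\oldtool.exe:*:Disabled:Old Tool",
}
SAMPLE_PORTS = {
    "3389:TCP": "3389:TCP:*:Enabled:Remote Desktop",
    "139:TCP": "139:TCP:LocalSubNet:Enabled:NetBIOS Session Service",
}

if __name__ == "__main__":
    for line in review_profile(SAMPLE_APPS, SAMPLE_PORTS):
        print(line)
```

An enabled exception for an executable under a user's Temp folder, reachable from any address, is the kind of entry worth checking against the installed-software keys above; the disabled "Old Tool" entry shows that the list records exceptions that are not currently in force, so the state field matters.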
Restore Point Registry Hive Files:
• Restore points started with XP / ME
• Snapshot of system files taken every 24 hrs or when software installed, update installed, or when unsigned driver installed – User can create!
• Stored for up to 90 days if disk space available
Restore Point Registry Hive Files:
• Settings stored in registry at:
  – HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
• Restore points stored in
  – C:\System Volume Information\restore{GUID}\RP##
  – ## is the sequential number of the restore point
Restore Point Registry Hive Files:
• Registry hive files stored under snapshot folder and are renamed
Hive File Name  Restore Point Hive Filename
SAM             _REGISTRY_MACHINE_SAM
SECURITY        _REGISTRY_MACHINE_SECURITY
SOFTWARE        _REGISTRY_MACHINE_SOFTWARE
SYSTEM          _REGISTRY_MACHINE_SYSTEM
NTUSER.DAT      _REGISTRY_USER_NTUSER_SID
Volume Shadow Copy Service
• Greater number of file types are tracked in VSC – Entire Volume!
• Every file that changed since the last snapshot is included in VSC restore point
• Still located in System Volume Information folder but with different name
Volume Shadow Copy Service
• Registry key tracking the monitored volumes:
  HKLM\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients\{09F7EDC5-294E-4180-AF6A-FB0E6A0E9513}
• Access VSC by using the vssadmin command and creating a symbolic link
• Then conduct analysis as if the data were its own logical volume
Security Identifiers:
• SID is a security identifier
• SID is a unique identifier in that no two SIDs
• Windows grants or denies access and privileges to system objects based on access control lists (ACLs), which in turn use the SID as a means of identifying users, groups, and machines, since each has its own unique SID
Security Identifiers:
• SID to User mapping is stored in SAM for a local logon
• In a domain, SID to User resolution is stored in Active Directory on the Domain Controller
• Backdoor to resolving SID to User in a domain setting at key:
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
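Resolving a SID through ProfileList gives a profile folder name, but the folder name is chosen by the user or administrator while the RID is not, so the two should be read together. The code below is an added example, not the book's code: it decomposes string and binary SIDs, maps them through a ProfileList-shaped dict (constructed here; on a real system each subkey is named by SID and carries a ProfileImagePath value), and flags the well-known RIDs 500 (built-in Administrator) and 501 (Guest). Grouping profiles by the issuing machine or domain goes beyond the page's single-lookup description.

```python
"""Decompose SIDs found in registry evidence and map them through
ProfileList (added example; not the book's own code).

Well-known RIDs 500 (built-in Administrator) and 501 (Guest), and the
binary SID layout (revision, sub-authority count, 48-bit big-endian
identifier authority, little-endian 32-bit sub-authorities), are standard
Windows facts. The ProfileList sample (SID -> ProfileImagePath) is
constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "Guest"}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]

    def __str__(self) -> str:
        return f"S-{self.revision}-{self.authority}-" + "-".join(map(str, self.subauthorities))

    @property
    def rid(self) -> int:
        return self.subauthorities[-1]

    @property
    def issuer(self) -> Optional[str]:
        """S-1-5-21-a-b-c-<rid>: everything before the RID identifies the machine or domain."""
        if self.authority == 5 and len(self.subauthorities) == 5 and self.subauthorities[0] == 21:
            return "S-1-5-" + "-".join(map(str, self.subauthorities[:-1]))
        return None


def parse_sid(text: str) -> Sid:
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID string: {text!r}")
    subs = tuple(int(x) for x in m.group(3).split("-")[1:])
    return Sid(int(m.group(1)), int(m.group(2)), subs)


def sid_from_bytes(raw: bytes) -> Sid:
    """Decode the binary form used inside hives and security descriptors."""
    revision, count = raw[0], raw[1]
    if len(raw) < 8 + 4 * count:
        raise ValueError("truncated binary SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = tuple(int.from_bytes(raw[8 + 4 * i:12 + 4 * i], "little") for i in range(count))
    return Sid(revision, authority, subs)


def resolve(sid_text: str, profile_list: Dict[str, str]) -> Dict[str, object]:
    sid = parse_sid(sid_text)
    image = profile_list.get(str(sid))
    return {
        "sid": str(sid),
        "rid": sid.rid,
        # RID 500/501 are only meaningful for machine/domain-issued SIDs.
        "well_known": WELL_KNOWN_RIDS.get(sid.rid) if sid.issuer else None,
        "issuer": sid.issuer,
        "profile_path": image,
        "user": image.rsplit("\\", 1)[-1] if image else None,
    }


def profiles_by_issuer(profile_list: Dict[str, str]) -> Dict[Optional[str], List[str]]:
    """Group ProfileList SIDs by issuing machine/domain; more than one issuer means
    accounts from elsewhere (for example domain users) have logged on here."""
    groups: Dict[Optional[str], List[str]] = {}
    for sid_text in profile_list:
        groups.setdefault(parse_sid(sid_text).issuer, []).append(sid_text)
    return groups


# Constructed ProfileList-shaped sample: subkey name -> ProfileImagePath.
SAMPLE_PROFILE_LIST = {
    "S-1-5-18": "%systemroot%\\system32\\config\\systemprofile",
    "S-1-5-21-1234567890-2345678901-3456789012-500": "C:\\Documents and Settings\\helpdesk",
    "S-1-5-21-1234567890-2345678901-3456789012-1004": "C:\\Documents and Settings\\jdoe",
    "S-1-5-21-3000000001-3000000002-3000000003-1105": "C:\\Documents and Settings\\jdoe.CORP",
}

if __name__ == "__main__":
    for sid_text in SAMPLE_PROFILE_LIST:
        print(resolve(sid_text, SAMPLE_PROFILE_LIST))
```

In the sample the profile named "helpdesk" carries RID 500, so it is the built-in Administrator account under another name; the "jdoe.CORP" profile was issued by a different S-1-5-21 authority than the local accounts, which is how a domain logon on a member machine shows up in ProfileList.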
User Activities:
• NTUSER.DAT contains user specific settings about installed software
• For pre-IE7, Protected Storage System Provider contains encrypted values for MSIE “Autocomplete” and stored user names and passwords
• For post-IE7, autocomplete information is stored in IntelliForms
  – HKCU\Software\Microsoft\Internet Explorer\IntelliForms\
User Activities:
• MRUs – “most recently used”
  – RunMRU
  – MRUList
• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
• HKCU\Software\Microsoft\Internet Explorer\TypedURLs
User Activities:
• UserAssist key
  – HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
  – Value names under “Count” are stored in ROT13
  – 2nd DWORD value is the count, starting at 5 (Windows XP, Vista, 2003, 2008) or 1 (Windows 7)
  – Last eight bytes are a 64-bit Windows timestamp indicating the last time the user launched the program
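The three facts above (ROT13 names, a count DWORD with an OS-specific starting value, a FILETIME in the last eight bytes) are enough to turn the Count values into a launch timeline. The decoder below is an added example, not the book's code. It assumes the 16-byte Windows XP record layout (session DWORD, count DWORD, 64-bit FILETIME, all little-endian), reads the stored count as the page's starting value plus the number of launches, and uses constructed sample entries; the Windows 7 record is longer and is not laid out here, so only the count base for it is taken from the page.

```python
"""Decode UserAssist "Count" entries (added example; not the book's own code).

Assumed record layout is the 16-byte Windows XP format: session DWORD,
run-count DWORD, 64-bit FILETIME, all little-endian. The count base
(5 for XP/Vista/2003/2008, 1 for Windows 7) follows the page; the stored
DWORD is read as base + number of launches. Sample entries are constructed.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

COUNT_BASE = {"xp": 5, "vista": 5, "2003": 5, "2008": 5, "7": 1}
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; 0 means never launched."""
    if ft == 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_value_name(name: str) -> str:
    """Value names under Count are ROT13-obfuscated, not encrypted."""
    return codecs.decode(name, "rot13")


def parse_userassist_entry(name: str, data: bytes, os_family: str = "xp") -> Dict[str, object]:
    if len(data) < 16:
        raise ValueError(f"UserAssist data too short ({len(data)} bytes)")
    session, stored_count = struct.unpack_from("<II", data, 0)     # 1st and 2nd DWORD
    (ft,) = struct.unpack_from("<Q", data, len(data) - 8)          # last eight bytes
    base = COUNT_BASE[os_family]
    return {
        "program": decode_value_name(name),
        "session": session,
        "run_count": max(stored_count - base, 0),
        "last_run_utc": filetime_to_datetime(ft),
    }


def timeline(entries: Dict[str, bytes], os_family: str = "xp") -> List[Dict[str, object]]:
    """Entries that carry a timestamp, most recent launch first."""
    parsed = [parse_userassist_entry(n, d, os_family) for n, d in entries.items()]
    dated = [e for e in parsed if e["last_run_utc"] is not None]
    return sorted(dated, key=lambda e: e["last_run_utc"], reverse=True)


# Constructed sample values. Names are ROT13 of "UEME_RUNPATH:C:\Windows\<exe>";
# 128752416000000000 is the FILETIME for 2009-01-01 00:00:00 UTC, and
# 36000000000 ticks is one hour.
SAMPLE_ENTRIES = {
    "HRZR_EHACNGU:P:\\Jvaqbjf\\abgrcnq.rkr": struct.pack("<IIQ", 1, 12, 128752416000000000),
    "HRZR_EHACNGU:P:\\Jvaqbjf\\pnyp.rkr": struct.pack("<IIQ", 1, 6, 128752416000000000 + 36000000000),
    "HRZR_EHACNGU:P:\\Jvaqbjf\\zfcnvag.rkr": struct.pack("<IIQ", 1, 5, 0),
}

if __name__ == "__main__":
    for e in timeline(SAMPLE_ENTRIES):
        print(e["last_run_utc"], e["run_count"], e["program"])
```

The timestamps come out in UTC because that is what the FILETIME encodes; converting them to the local clock needs the TimeZoneInformation values covered later in this chapter. Passing the wrong OS family only shifts every count by a constant, but it does change whether a program with a stored count equal to the base reads as "never launched" or "launched four times", so record which base was applied.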
LSA Secrets:
• LSA stands for Local Security Authority
• SECURITY\Policy\Secrets
• Contains security information regarding various service accounts and other accounts necessary for Windows and is stored by the service control manager
• Tools to extract:
  – Lsadump2.exe
  – Cain
IP Addresses:
• Stored in registry
• HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
• Subkeys are interfaces and appear with GUID names
• Static vs Dynamic addresses
Time Zone Offsets:
• NTFS stores timestamps in GMT
• Windows displays time to the user based on the local host time zone offset.
• Time zone offset stored in registry
  – HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
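Applying the offset correctly has two traps: Windows stores the bias with the opposite sign of the usual "UTC-5" notation (UTC = local + Bias), and the offset in force when the hive was last written is not necessarily the one that applied when an event happened, because of daylight saving. The converter below is an added example, not the book's code. It uses the standard TimeZoneInformation value names Bias, StandardBias, DaylightBias (minutes, REG_DWORD) and StandardStart, DaylightStart (16-byte SYSTEMTIME, REG_BINARY), and evaluates the recurring transition rules so that each timestamp gets the bias that applied on its own date; the sample values are constructed for US Eastern time.

```python
"""Convert a GMT/UTC timestamp to the host's local time from the
TimeZoneInformation values (added example; not the book's own code).

Value names Bias, StandardBias, DaylightBias (minutes, REG_DWORD) and
StandardStart, DaylightStart (16-byte SYSTEMTIME, REG_BINARY) are the
standard Windows names; the sample values are constructed for US Eastern
time. Windows stores the bias as UTC = local + bias, and REG_DWORD is
unsigned in the raw hive, so a DaylightBias of -60 appears as 0xFFFFFFC4.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

SystemTime = Tuple[int, ...]


def _signed_dword(v: int) -> int:
    return v - 2**32 if v >= 2**31 else v


def parse_timezone_information(values: Dict[str, object]) -> Dict[str, object]:
    """Normalise the registry values: signed minutes and unpacked SYSTEMTIMEs."""
    tz: Dict[str, object] = {k: _signed_dword(int(values[k])) for k in ("Bias", "StandardBias", "DaylightBias")}
    for k in ("StandardStart", "DaylightStart"):
        # SYSTEMTIME: wYear, wMonth, wDayOfWeek (0 = Sunday), wDay (occurrence when wYear == 0),
        # wHour, wMinute, wSecond, wMilliseconds
        tz[k] = struct.unpack("<8H", values[k])
    return tz


def _nth_weekday(year: int, month: int, win_dow: int, n: int) -> datetime:
    """n-th occurrence of a weekday in a month; n == 5 means the last one."""
    first = datetime(year, month, 1)
    py_dow = (win_dow - 1) % 7                      # Windows Sunday = 0, Python Sunday = 6
    day = 1 + (py_dow - first.weekday()) % 7 + 7 * (n - 1)
    nxt = datetime(year + (month == 12), month % 12 + 1, 1)
    while day > (nxt - first).days:
        day -= 7
    return datetime(year, month, day)


def _transition_utc(year: int, st: SystemTime, bias_in_effect: int) -> Optional[datetime]:
    """UTC instant of a recurring (wYear == 0) transition rule for one year."""
    _, month, dow, n, hour, minute, *_ = st
    if month == 0:
        return None                                 # zone without DST
    local = _nth_weekday(year, month, dow, n).replace(hour=hour, minute=minute)
    # The rule's local time is expressed in the offset that applies just before the switch.
    return local.replace(tzinfo=timezone.utc) + timedelta(minutes=bias_in_effect)


def in_daylight_time(utc: datetime, tz: Dict[str, object]) -> bool:
    dst_start = _transition_utc(utc.year, tz["DaylightStart"], tz["Bias"] + tz["StandardBias"])
    std_start = _transition_utc(utc.year, tz["StandardStart"], tz["Bias"] + tz["DaylightBias"])
    if dst_start is None or std_start is None:
        return False
    if dst_start < std_start:                       # northern hemisphere
        return dst_start <= utc < std_start
    return not (std_start <= utc < dst_start)       # southern hemisphere


def utc_to_local(utc: datetime, tz: Dict[str, object]) -> datetime:
    bias = tz["Bias"] + (tz["DaylightBias"] if in_daylight_time(utc, tz) else tz["StandardBias"])
    return (utc - timedelta(minutes=bias)).replace(tzinfo=timezone(timedelta(minutes=-bias)))


def convert(iso_utc: str, tz: Dict[str, object]) -> str:
    """ISO-8601 UTC string in, ISO-8601 local string with offset out."""
    utc = datetime.fromisoformat(iso_utc)
    utc = utc.replace(tzinfo=timezone.utc) if utc.tzinfo is None else utc.astimezone(timezone.utc)
    return utc_to_local(utc, tz).isoformat()


# Constructed values shaped like the TimeZoneInformation key for US Eastern time:
# DST starts 2nd Sunday of March 02:00, ends 1st Sunday of November 02:00.
SAMPLE_TZ = parse_timezone_information({
    "Bias": 300,
    "StandardBias": 0,
    "DaylightBias": 0xFFFFFFC4,                     # -60 stored as an unsigned DWORD
    "DaylightStart": struct.pack("<8H", 0, 3, 0, 2, 2, 0, 0, 0),
    "StandardStart": struct.pack("<8H", 0, 11, 0, 1, 2, 0, 0, 0),
})

if __name__ == "__main__":
    for ts in ("2009-01-01T12:00:00", "2009-03-08T06:59:00", "2009-03-08T07:00:00", "2009-07-04T16:00:00"):
        print(ts, "->", convert(ts, SAMPLE_TZ))
```

The key also holds an ActiveTimeBias value with the bias in effect at the last write; it is convenient for a quick check but applies the current season's offset to every timestamp, which is why the transition rules are evaluated here instead.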
Startup Locations:
• Many locations within Windows where programs or code run with Windows boot, user logon, etc.
• Registry alone contains dozens of locations and methods
• Windows configuration files can also be used to run code
• List of these locations is extensive
Startup Locations:
• If you know what the bad code is and its file name, it’s easier to search the registry and Windows configuration files for the file name
• When unknown, use tools such as
  – EnCase Scan Registry EnScript
  – Autoruns by Sysinternals
Where are auditing settings stored?
• In most cases you won’t be able to open the LSS applet to determine the auditing level on a live system
• Stored in registry:
  HKLM\SECURITY\Policy\PolAdtEv