Mastering Windows Network Forensics and Investigation
Chapter 9: Registry Evidence

March 22, 2016 © Wiley Inc. 2007. All Rights Reserved

Chapter Topics:
• Evidence in Software Key
• Security Center & Firewall Settings
• Restore Point Registry Hive Files
• Security Identifiers
• User Activities

Chapter Topics:
• LSA Secrets
• IP Addresses
• Time Zone Offsets
• Startup Locations
• Auditing Settings (bonus material not in text!)

Evidence in Software Key:
• HKLM\SOFTWARE
• %SystemRoot%\system32\config\software
• Installed software
• Other locations for installed software
  – HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
  – HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Evidence in Software Key:
• Last Logon
  – HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
• Banners
  – HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Security Center & Firewall Settings:
• Security Center
  – Advises the user if the firewall is off, anti-virus is not installed or is out of date, or updates are not turned on or are out of date
  – Settings stored in HKLM\SOFTWARE\Microsoft\Security Center

Security Center Settings:
Value                   Data  Description
AntiVirusDisableNotify  0     User will be notified.
                        1     User will not be notified.
FirewallDisableNotify   0     User will be notified.
                        1     User will not be notified.
UpdatesDisableNotify    0     User will be notified.
                        1     User will not be notified.

Security Center & Firewall Settings:
• Windows Firewall
  – Released with XP Service Pack 2
  – Firewall is on by default
  – Powerful logging utility, but it is off by default
• Settings stored in registry
  – HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
Firewall Settings:
• Settings stored in registry
  – Subkey “DomainProfile” for domain
  – Subkey “StandardProfile” for local machine
  – Subkeys under each of the above:
    • “AuthorizedApplications”
    • “GloballyOpenPorts”
  – Subkey under each of the above:
    • “List” – lists settings in plain text

Restore Point Registry Hive Files:
• Restore points started with XP / ME
• Snapshot of system files taken every 24 hrs, or when software is installed, an update is installed, or an unsigned driver is installed
  – User can create one!
• Stored for up to 90 days if disk space is available

Restore Point Registry Hive Files:
• Settings stored in registry at:
  – HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
• Restore points stored in
  – C:\System Volume Information\restore{GUID}\RP##
  – ## is the sequential restore point number

Restore Point Registry Hive Files:
• Registry hive files are stored under the snapshot folder and are renamed
Hive File Name  Restore Point Hive Filename
SAM             _REGISTRY_MACHINE_SAM
SECURITY        _REGISTRY_MACHINE_SECURITY
SOFTWARE        _REGISTRY_MACHINE_SOFTWARE
SYSTEM          _REGISTRY_MACHINE_SYSTEM
NTUSER.DAT      _REGISTRY_USER_NTUSER_SID

Security Identifiers:
• SID is a security identifier
• SID is a unique identifier in that no two SIDs
• Windows grants or denies access and privileges to system objects based on access control lists (ACLs), which in turn use the SID as a means of identifying users, groups, and machines, since each has its own unique SID
Security Identifiers:
• SID-to-user mapping is stored in the SAM for a local logon
• In a domain, SID-to-user resolution is stored in Active Directory on the Domain Controller
• Backdoor to resolving SID to user in a domain setting at key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

User Activities:
• NTUSER.DAT contains user-specific settings about installed software
• Protected Storage System Provider contains encrypted values for MSIE “AutoComplete” and stored user names and passwords
• MRUs (“most recently used”)
  – RunMRU
  – MRUList

User Activities:
• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
• HKCU\Software\Google\NavClient\1.1\History
• HKCU\Software\Yahoo\Companion\SearchHistory
• HKCU\Software\Microsoft\Internet Explorer\TypedURLs

User Activities:
• UserAssist key
  – HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
  – Value names are stored in ROT13
  – 16-byte data string
  – 2nd DWORD value is the run count; it starts at 5, so the first launch is stored as hex 06
  – Last eight bytes are a 64-bit Windows timestamp indicating the last time the user launched the program

LSA Secrets:
• LSA stands for Local Security Authority
• SECURITY\Policy\Secrets
• Contains security information regarding various service accounts and other accounts necessary for Windows; stored by the service control manager
• Tools to extract:
  – Lsadump2.exe
  – Cain

IP Addresses:
• Stored in registry
• HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
• Subkeys are interfaces and appear with GUID names
• Static vs DHCP addresses
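The UserAssist layout described on the "User Activities" slide above, as an added worked example (not code from the book or the slides): it decodes the ROT13 value name, splits the 16-byte data into session DWORD, run-count DWORD and 64-bit timestamp, and converts the timestamp assuming the usual Windows convention of 100-nanosecond ticks since 1601-01-01 UTC. The sample entry and its timestamp are constructed here, not taken from a real hive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows 64-bit timestamps count 100-nanosecond ticks since 1601-01-01 UTC.
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# The UserAssist run counter starts at 5, so the first launch is stored as 0x06.
COUNT_BASE = 5


def windows_ticks_to_utc(ticks: int) -> datetime:
    """Convert 100 ns ticks since 1601 to a timezone-aware UTC datetime."""
    return WINDOWS_EPOCH + timedelta(microseconds=ticks // 10)


def utc_to_windows_ticks(when: datetime) -> int:
    """Inverse of windows_ticks_to_utc; used here only to build the sample."""
    delta = when - WINDOWS_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_userassist(value_name: str, data: bytes) -> dict:
    """Decode one XP-era UserAssist ...\\Count entry: ROT13 name plus 16 bytes
    of data (session DWORD, run-count DWORD, 64-bit last-run timestamp)."""
    if len(data) != 16:
        raise ValueError(f"UserAssist data should be 16 bytes, got {len(data)}")
    session, raw_count, ticks = struct.unpack("<IIQ", data)
    return {
        "name": codecs.decode(value_name, "rot13"),
        "session": session,
        # Subtract the base so the first launch reads as 1; never go negative.
        "run_count": max(raw_count - COUNT_BASE, 0),
        # A zero timestamp means no launch time was ever recorded.
        "last_run_utc": windows_ticks_to_utc(ticks) if ticks else None,
    }


# Constructed sample (not real evidence): "UEME_RUNPATH:C:\Windows\system32\calc.exe"
# launched once, in session 1, at 2007-03-22 12:00:00 UTC.
SAMPLE_NAME = r"HRZR_EHACNGU:P:\Jvaqbjf\flfgrz32\pnyp.rkr"
SAMPLE_TICKS = utc_to_windows_ticks(datetime(2007, 3, 22, 12, 0, tzinfo=timezone.utc))
SAMPLE_DATA = struct.pack("<IIQ", 1, COUNT_BASE + 1, SAMPLE_TICKS)

if __name__ == "__main__":
    print(parse_userassist(SAMPLE_NAME, SAMPLE_DATA))
```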
Time Zone Offsets:
• NTFS stores timestamps in GMT (UT)
• Windows displays them to the user based on the local host’s time zone offset.
• Time zone offset stored in registry
  – HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation

Startup Locations:
• Many locations within Windows where programs or code run at Windows boot, user logon, etc.
• The registry alone contains dozens of locations and methods
• Windows configuration files can also be used to run code
• The list of these locations is extensive

Startup Locations:
• Often you’ll know what the bad code is and its file name – when this is known it is easier to search the registry and Windows configuration files for the file name
• When unknown, use tools such as
  – EnCase EnScript Case Processor > Scan Registry > AutoStart
  – Autoruns by Sysinternals

Where are auditing settings stored?
• In most cases you won’t be able to open the Local Security Settings (LSS) applet to determine the auditing level on a live system
• Stored in registry hive file “security”
• Key: SECURITY\Policy\PolAdtEv

SECURITY\Policy\PolAdtEv – byte values
Byte Value  Audit Setting
00          No Auditing
01          Audit Successes
02          Audit Failures
03          Audit Success & Failures

SECURITY\Policy\PolAdtEv – byte offsets
Byte Offset  Description
00           00 No Auditing / 01 Auditing
04           System Events Audit Setting
08           Logon Events Audit Setting
12           Object Access Audit Setting
16           Privilege Use Audit Setting
20           Process Tracking Audit Setting
24           Policy Change Audit Setting
28           Account Management Audit Setting
32           Directory Service Access Audit Setting
36           Account Logon Audit Setting
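An added parser for the PolAdtEv layout in the two tables above (example code, not the book's or any forensic tool's): it reads the enable byte at offset 0 and the setting byte at each category offset, maps each setting to the names in the byte-value table, and flags bytes outside 00-03 as unknown rather than guessing. The 40-byte sample value is constructed here, not taken from a real SECURITY hive.

```python
# Category byte offsets exactly as given in the PolAdtEv byte-offset table.
AUDIT_CATEGORIES = (
    (4, "System Events"), (8, "Logon Events"), (12, "Object Access"),
    (16, "Privilege Use"), (20, "Process Tracking"), (24, "Policy Change"),
    (28, "Account Management"), (32, "Directory Service Access"), (36, "Account Logon"),
)
# Setting byte values from the PolAdtEv byte-value table.
AUDIT_SETTINGS = {
    0: "No Auditing", 1: "Audit Successes",
    2: "Audit Failures", 3: "Audit Success & Failures",
}
MIN_LENGTH = 40  # the last category byte sits at offset 36, inside a 4-byte slot


def parse_poladtev(data: bytes) -> dict:
    """Decode a raw SECURITY\\Policy\\PolAdtEv value into readable audit settings."""
    if len(data) < MIN_LENGTH:
        raise ValueError(f"PolAdtEv value too short: {len(data)} bytes")
    # Offset 0: 00 = auditing off, 01 = auditing on. The per-category bytes are
    # still reported when auditing is off, since they show the configured policy.
    enabled = data[0] == 1
    categories = {}
    for offset, name in AUDIT_CATEGORIES:
        code = data[offset]
        categories[name] = AUDIT_SETTINGS.get(code, f"Unknown (0x{code:02x})")
    return {"auditing_enabled": enabled, "categories": categories}


def audited_categories(data: bytes) -> list:
    """Names of categories that are actually being audited (success and/or
    failure). Empty when the master switch at offset 0 is off."""
    parsed = parse_poladtev(data)
    if not parsed["auditing_enabled"]:
        return []
    return [name for name, setting in parsed["categories"].items()
            if setting != "No Auditing"]


# Constructed sample (not from a real hive): auditing enabled, system and logon
# events audited for success & failure, policy change for success only, account
# logon for failure only, everything else off.
SAMPLE_POLADTEV = bytearray(MIN_LENGTH)
SAMPLE_POLADTEV[0] = 1
for _offset, _code in ((4, 3), (8, 3), (24, 1), (36, 2)):
    SAMPLE_POLADTEV[_offset] = _code
SAMPLE_POLADTEV = bytes(SAMPLE_POLADTEV)

if __name__ == "__main__":
    print(parse_poladtev(SAMPLE_POLADTEV))
```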