Mastering Windows Network Forensics and Investigation

Chapter 8: The Registry Structure
Chapter Topics:
• Registry History
• Registry Structure & Terms
• Registry Research
• Viewing Registry with Forensic Tools
March 22, 2016
© Wiley Inc. 2007. All Rights Reserved
Registry History
• Massive database of system and program configuration settings
• Legacy Windows (Windows 3.0) had config.sys, autoexec.bat, and several “ini” files
• Text files lacked hierarchical structure and couldn’t easily store binary data
Registry History
• Windows 3.1 had the first rudiments of a registry
• Windows 95 / NT expanded it more along the lines of what we see today
• Each subsequent release has resulted in an increase in the size and complexity of the registry
Registry Structure & Terminology
• At the physical level, the registry is stored in hive files
• The user rarely interfaces directly with the registry
• Regedit is the current interface tool (regedt32 is legacy); there is no known shortcut, so use Run > regedit
Regedit Interface (screenshot: Key Pane, Value Pane)

Five Root Keys (screenshot)
HKEY_CLASSES_ROOT
• Used to associate file types with programs that open them and also used to register classes for Component Object Model (COM) objects. It is the largest of the root keys in terms of the registry space it occupies. This key is derived from a linked merger of two keys, which are HKLM\Software\Classes and HKCU\Software\Classes. This merger effectively blends default settings with per-user settings.
HKEY_CURRENT_USER
• Used to configure the environment for the console user. It is a per-user setting (specific only to this user) and is derived from a link to HKU\SID, where the SID is the user’s security identifier.
HKEY_CURRENT_CONFIG
• Used to establish the current hardware configuration profile. This key is derived from a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current. Current is derived from a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\####, where #### is a number that increments starting at “0000”. HKLM\SYSTEM\CurrentControlSet, in turn, is a link to HKLM\SYSTEM\ControlSet###, where ### is a number that increments starting at 000. The value located in HKLM\SYSTEM\Select\Current determines which control set is current and therefore which ControlSet is to be used to create this key via a link.
HKEY_LOCAL_MACHINE
• Used to establish the per-computer settings. Settings found in this key apply to the machine and all of its users, covering all facets of the computer’s function. This key is a master key and is not, therefore, derived from any link as are the previous three keys. During system startup, the local machine settings are loaded before the user-specific settings.
HKEY_USERS
• Used to contain the user environment settings for the console user as well as other users who have logged onto the system. There will be at least three subkeys, which are “.DEFAULT,” “SID,” and “SID_Classes,” where the “SID” is that of the console user. You may also find SIDs “S-1-5-18,” “S-1-5-19,” and “S-1-5-20,” which are for the “LocalSystem,” “LocalService,” and “NetworkService” accounts, respectively. Any other SIDs found here will belong to other users who have logged on to the machine. This key is a master key and is not, therefore, derived from any link as are the first three keys (the ones that are unbolded).
Derived vs Master
• Only HKEY_LOCAL_MACHINE (HKLM) & HKEY_USERS (HKU) are Master Keys
• The remaining root keys are derived from other keys
• At a physical level, each of the logical master keys has its source data in files called hives
HKLM Subkeys
Hardware is dynamic and exists only on a live machine!
HKLM Keys > Hive Files

HIVE KEY         HIVE FILE
HKLM\SAM         %SYSTEMROOT%\System32\config\SAM
HKLM\SECURITY    %SYSTEMROOT%\System32\config\SECURITY
HKLM\SOFTWARE    %SYSTEMROOT%\System32\config\software
HKLM\SYSTEM      %SYSTEMROOT%\System32\config\system
The Evidence Vault
HKU Keys > Hive Files

HIVE KEY              HIVE FILE
HKU\.DEFAULT          %SYSTEMROOT%\System32\config\default
HKU\S-1-5-19          Documents and Settings\LocalService\ntuser.dat
HKU\S-1-5-19_Classes  Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
HKU\S-1-5-20          Documents and Settings\NetworkService\ntuser.dat
HKU\S-1-5-20_Classes  Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
HKU\SID               Documents and Settings\UserName\ntuser.dat
HKU\SID_Classes       Documents and Settings\UserName\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
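The two tables above map logical keys to the hive files an examiner copies off a disk image. Before parsing such a file it is worth confirming that it really is a hive and that it was not captured mid-write. The following Python is an added example, not code from the deck or from any of the tools it lists; it reads the 512-byte "regf" base block at the start of every hive file. The base block layout (signature, two sequence numbers, last-written FILETIME, version, root cell offset, embedded file name, XOR-32 checksum at offset 508) is the documented Windows hive format and is not described on the slides; build_sample_header() constructs synthetic test data so the check runs offline.

```python
import struct
from datetime import datetime, timedelta, timezone

# Added example, not from the slides: sanity-checks a file believed to be one
# of the hive files in the tables above. The 'regf' base block layout used here
# is the documented Windows hive format; build_sample_header() is constructed
# sample data, not a real hive.

REGF_SIGNATURE = b"regf"
BASE_BLOCK_SIZE = 512
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def regf_checksum(block):
    """XOR of the 127 little-endian DWORDs in bytes 0..507, with the two reserved
    results remapped the way Windows does (0 -> 1, 0xFFFFFFFF -> 0xFFFFFFFE)."""
    result = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        result ^= dword
    if result == 0:
        return 1
    if result == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return result


def filetime_to_datetime(filetime):
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_regf_header(data):
    """Parse the base block of a hive file and report the checks an examiner wants."""
    if len(data) < BASE_BLOCK_SIZE:
        raise ValueError("file shorter than a hive base block")
    block = data[:BASE_BLOCK_SIZE]
    if block[:4] != REGF_SIGNATURE:
        raise ValueError("not a registry hive: missing 'regf' signature")
    primary_seq, secondary_seq = struct.unpack_from("<II", block, 4)
    (last_written,) = struct.unpack_from("<Q", block, 12)
    major, minor, file_type, file_format, root_cell, hbins_size = struct.unpack_from("<6I", block, 20)
    # Offset 48: 64 bytes of UTF-16LE holding the tail of the hive's path, null padded.
    file_name = block[48:112].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    (stored_checksum,) = struct.unpack_from("<I", block, 508)
    return {
        "file_name": file_name,
        "version": "%d.%d" % (major, minor),
        "file_type": file_type,
        "last_written": filetime_to_datetime(last_written),
        "root_cell_offset": root_cell,
        "hbins_size": hbins_size,
        "checksum_ok": stored_checksum == regf_checksum(block),
        # The sequence numbers differ when the hive was copied mid-write; the
        # .LOG1/.LOG2 transaction logs beside it then hold unapplied changes.
        "dirty": primary_seq != secondary_seq,
    }


def build_sample_header(name, primary_seq, secondary_seq, last_written=131000000000000000):
    """Constructed sample base block (not a real hive), format version 1.3."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[0:4] = REGF_SIGNATURE
    struct.pack_into("<IIQ", block, 4, primary_seq, secondary_seq, last_written)
    # major, minor, file type (0 = primary file), format (1), root cell, hbins size, clustering
    struct.pack_into("<7I", block, 20, 1, 3, 0, 1, 0x20, 0x1000, 1)
    encoded = name.encode("utf-16-le")[:64]
    block[48:48 + len(encoded)] = encoded
    struct.pack_into("<I", block, 508, regf_checksum(block))
    return bytes(block)


if __name__ == "__main__":
    for info in (parse_regf_header(build_sample_header("SYSTEM", 7, 7)),
                 parse_regf_header(build_sample_header("SOFTWARE", 9, 8))):
        print(info["file_name"], "checksum_ok=%s dirty=%s" % (info["checksum_ok"], info["dirty"]))
```

A "dirty" result does not mean the copy is useless, only that the view in an offline tool may lag the live registry until the transaction logs are replayed; a failed checksum means the header bytes were altered or truncated and the file should not be trusted as-is.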
HKLM\SYSTEM\CurrentControlSet\Control\hivelist (screenshot)

Determining Current Control Set (screenshot)
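The HKEY_CURRENT_CONFIG slide describes a chain of links: Select\Current names the ControlSet###, and inside it Hardware Profiles\Current points at a #### profile key. The following Python walks that chain against an in-memory mock of the SYSTEM hive; it is an added example, not code from the deck. SAMPLE_SYSTEM_HIVE is constructed sample data, and two details are assumptions the slide does not state: that the current profile number is read from Control\IDConfigDB\CurrentConfig, and that Select also carries Default, LastKnownGood and Failed values alongside Current.

```python
# Added example, not from the slides: walks the link chain that produces
# HKEY_CURRENT_CONFIG against an in-memory mock of the SYSTEM hive.
# Everything in SAMPLE_SYSTEM_HIVE is constructed sample data.


def control_set_name(number):
    """Select values are numbers; the key names are ControlSet### starting at 000."""
    return "ControlSet%03d" % number


def hardware_profile_name(number):
    """Hardware profile keys are named ####, starting at 0000."""
    return "%04d" % number


def resolve_current_control_set(system_hive):
    r"""Return the ControlSet### that HKLM\SYSTEM\CurrentControlSet links to.

    HKLM\SYSTEM\Select\Current holds the number; the matching ControlSet### key
    must exist, otherwise the link is dangling (a damaged or partial hive).
    """
    select = system_hive["Select"]
    name = control_set_name(select["Current"])
    if name not in system_hive:
        raise KeyError("Select\\Current=%d but %s is missing" % (select["Current"], name))
    return name


def describe_select(system_hive):
    r"""Summarise the Select values worth reading before trusting CurrentControlSet.

    Default, LastKnownGood and Failed are assumed here as the other values kept
    in HKLM\SYSTEM\Select; the slide only names Current. Failed is 0 when no
    control set failed to boot.
    """
    select = system_hive["Select"]
    current = select["Current"]
    default = select.get("Default", current)
    failed = select.get("Failed", 0)
    return {
        "current": control_set_name(current),
        "default": control_set_name(default),
        "last_known_good": control_set_name(select.get("LastKnownGood", default)),
        "failed": control_set_name(failed) if failed else None,
        # True when Current and Default agree and nothing is recorded as failed.
        "select_consistent": current == default and failed == 0,
    }


def resolve_current_config(system_hive):
    r"""Return the full key path HKEY_CURRENT_CONFIG is derived from.

    Assumption (not on the slide): the current profile number is stored in
    Control\IDConfigDB\CurrentConfig inside the current control set.
    """
    control_set = resolve_current_control_set(system_hive)
    cs_key = system_hive[control_set]
    profile_number = cs_key["Control"]["IDConfigDB"]["CurrentConfig"]
    profile = hardware_profile_name(profile_number)
    if profile not in cs_key["Hardware Profiles"]:
        raise KeyError("Hardware Profiles\\%s is missing" % profile)
    return r"HKLM\SYSTEM\%s\Hardware Profiles\%s" % (control_set, profile)


# Constructed mock of the parts of a SYSTEM hive this walk touches.
SAMPLE_SYSTEM_HIVE = {
    "Select": {"Current": 1, "Default": 1, "Failed": 0, "LastKnownGood": 2},
    "ControlSet001": {
        "Control": {"IDConfigDB": {"CurrentConfig": 1}},
        "Hardware Profiles": {"0001": {"FriendlyName": "Profile 1"}},
    },
    "ControlSet002": {
        "Control": {"IDConfigDB": {"CurrentConfig": 1}},
        "Hardware Profiles": {"0001": {"FriendlyName": "Profile 1"}},
    },
}


if __name__ == "__main__":
    print(describe_select(SAMPLE_SYSTEM_HIVE))
    print(resolve_current_config(SAMPLE_SYSTEM_HIVE))
```

The same walk applies to an offline hive opened in a forensic tool: because CurrentControlSet is a link, it is not present in the file, so the examiner reads Select\Current and opens the numbered ControlSet### by hand.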
Registry Value Data Types

DATA TYPE                NUMBER  DESCRIPTION
REG_NONE                 0       Data type is not defined
REG_SZ                   1       Fixed length text string expressed in user-friendly format, which is often used to describe components
REG_EXPAND_SZ            2       Variable or expandable length data string
REG_BINARY               3       Binary data that is displayed in the editor as hex
REG_DWORD                4       32-bit double word values and the most common data type found in the registry
REG_DWORD_LITTLE_ENDIAN  4       32-bit double word values with bytes in reverse order. As Intel processors already store data in this format, this term is synonymous with REG_DWORD and they have the same numeric value
REG_DWORD_BIG_ENDIAN     5       32-bit double word value with bytes in normal order with the highest bit appearing first
REG_LINK                 6       An internal-use only data type for a Unicode symbolic link
REG_MULTI_SZ             7       Multiple string field in which each string is separated by a null (00h) and with two nulls (00 00) marking the end of the list of strings
REG_RESOURCE_LIST        8       Listing of resource lists for devices or device drivers (REG_FULL_RESOURCE_DESCRIPTOR). You can view, but not edit these lists.
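A registry viewer, or an examiner's own script, turns raw value bytes into something readable using exactly the type numbers in this table. The following Python is an added example, not code from the deck or from any tool it lists: decode_value() dispatches on the type number, shows that REG_DWORD and REG_DWORD_BIG_ENDIAN carry the same 32-bit value in opposite byte orders, and splits REG_MULTI_SZ on the single-null separators up to the double-null terminator. One detail the table does not state and the code assumes: string values in Windows hives are stored as UTF-16LE. All sample bytes in the test are constructed.

```python
import struct

# Added example, not from the slides: decodes raw value data by the type number
# in the table above. Hive strings are assumed to be UTF-16LE (true of Windows
# hives, but not stated on the slide).

REG_NONE, REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD = 0, 1, 2, 3, 4
REG_DWORD_BIG_ENDIAN, REG_LINK, REG_MULTI_SZ, REG_RESOURCE_LIST = 5, 6, 7, 8
REG_DWORD_LITTLE_ENDIAN = REG_DWORD  # same number: Intel byte order is already little-endian


def decode_sz(raw):
    """REG_SZ / REG_EXPAND_SZ / REG_LINK: UTF-16LE text, normally null terminated."""
    if len(raw) % 2:
        raise ValueError("odd-length UTF-16LE data")
    text = raw.decode("utf-16-le")
    # Stop at the first null; anything after it is slack the editor would not show.
    return text.split("\x00", 1)[0]


def decode_multi_sz(raw):
    """REG_MULTI_SZ: strings separated by a null, list ended by two nulls."""
    if len(raw) % 2:
        raise ValueError("odd-length UTF-16LE data")
    text = raw.decode("utf-16-le")
    end = text.find("\x00\x00")
    if end != -1:
        text = text[:end]
    # A list missing its double terminator still yields its strings;
    # an empty list (only terminators) yields [].
    text = text.rstrip("\x00")
    return text.split("\x00") if text else []


def decode_dword(raw, byte_order):
    """32-bit value; byte_order is '<' (REG_DWORD) or '>' (REG_DWORD_BIG_ENDIAN)."""
    if len(raw) != 4:
        raise ValueError("REG_DWORD must be exactly 4 bytes, got %d" % len(raw))
    return struct.unpack(byte_order + "I", raw)[0]


def decode_value(type_number, raw):
    """Return a Python object for raw value data of the given registry type."""
    if type_number in (REG_SZ, REG_EXPAND_SZ, REG_LINK):
        return decode_sz(raw)
    if type_number == REG_MULTI_SZ:
        return decode_multi_sz(raw)
    if type_number == REG_DWORD:
        return decode_dword(raw, "<")
    if type_number == REG_DWORD_BIG_ENDIAN:
        return decode_dword(raw, ">")
    if type_number == REG_BINARY:
        return raw.hex()  # shown as hex, as the editor does
    if type_number in (REG_NONE, REG_RESOURCE_LIST):
        return bytes(raw)  # view only; no further structure decoded here
    raise ValueError("unsupported registry data type %d" % type_number)


if __name__ == "__main__":
    # Constructed sample data: the same value in both DWORD byte orders.
    print(hex(decode_value(REG_DWORD, b"\x78\x56\x34\x12")))
    print(hex(decode_value(REG_DWORD_BIG_ENDIAN, b"\x12\x34\x56\x78")))
    print(decode_value(REG_MULTI_SZ, "one\x00two\x00\x00".encode("utf-16-le")))
```

Note that REG_EXPAND_SZ is returned unexpanded: the %SYSTEMROOT%-style variables it contains refer to the live machine's environment, which is exactly what an offline examiner does not have.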
Search in Regedit
Registry Analysis Tools
• Regmon (Microsoft)
• User Assist Analyzer (http://didierstevens.wordpress.com/)
• Access Data’s Registry Viewer
• Access Data’s Imager
• EnCase (View File Structure)
Viewing Registry with Forensic Tools
• Forensic Tools
  – Access Data – Registry Viewer
  – EnCase – View File Structure
  – ProDiscover
  – Others
• Off-line registry differs from live registry
• Mount / Open Hive Files
• Don’t expect to see derived or dynamic keys