This is the fourth step of the Windows forensics process; the previous phases matter just as much:
1- Gathering Volatile Information: link
2- Collecting Non-volatile Information: link
3- Memory Analysis: link
The Windows registry is a hierarchical database of low-level settings for the Microsoft Windows OS and for the applications that use it. Analyzing its data helps forensic investigators gather information on software installation, hardware and driver configuration, user activity, and connected devices, all of which feeds the timeline analysis of an incident.
The first step is to get familiar with the Windows registry. It can take forever to understand it fully as it is a complex subject, but you don't need to be a registry expert to find the information you're looking for.
Registry Editor presents the Windows Registry as 5 root keys (commonly called hives) that contain everything:
- HKEY_USERS (HKU): contains the profiles of all currently loaded users, identified by SID. The keys and values under each SID control that user's mapped drives, installed printers, environment variables, and so on. Each user's hive is stored on disk in %SystemDrive%\Users\<UserName>\NTUSER.DAT.
- HKEY_LOCAL_MACHINE (HKLM): contains software configuration information and information about the physical state of the computer. Its data is stored in the hive files under %SystemRoot%\System32\config.
- HKEY_CLASSES_ROOT (HKCR): a view built from HKLM\SOFTWARE\Classes (merged with HKCU\SOFTWARE\Classes). Contains the file association information that ensures the correct program opens when the user opens a file through Windows Explorer.
- HKEY_CURRENT_USER (HKCU): contains the configuration of the user currently logged on (wallpaper, display settings); it is a link to that user's SID subkey under HKU.
- HKEY_CURRENT_CONFIG (HKCC): stores information about the current hardware profile of the system, i.e. the differences between the current and the standard hardware configuration. It is a pointer to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current.
· Non-volatile hives (backed by files on disk): HKEY_LOCAL_MACHINE, HKEY_USERS
· Volatile hives (built at runtime as views of the two above): HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_CURRENT_CONFIG
Identify which hives are relevant to your investigation
The Windows registry is a valuable resource for digital forensic investigations as it allows investigators to extract various types of forensic artifacts, including user accounts, recently accessed files, USB activity, last run programs, and installed applications.
There are two methods of analyzing the Windows Registry: offline, from the hive files in C:\Windows\System32\config on the captured evidence image, or live, on the running system with the built-in Registry Editor or a raw-disk tool such as FTK Imager (see below).
C:\Windows\System32\config contains:
1- DEFAULT: includes default user settings
2- SAM (Security Account Manager): includes local user accounts and local group membership, including the password hashes (NT hashes) of local accounts
3- SECURITY: stores the local security policy, LSA secrets and cached domain credentials (readable only by SYSTEM)
4- SOFTWARE: holds information about installed applications and their configuration on the system
5- SYSTEM: holds the configuration of hardware, drivers and services (the ControlSets)
The per-user hive NTUSER.DAT lives in each profile folder under \Users and is needed for the user-activity keys covered later.
After gathering the needed files, use a hex editor like Hex Workshop or a registry parser (Registry Explorer, RegRipper) to retrieve artifacts related to the incident (an SSH client installed the day of the attack!).
A key or the whole registry can also be exported to a text file with reg export (.reg format) or reg query.
The registry can be treated as a log file: every key carries a LastWrite time, updated when its values or subkeys change, which provides a timeframe reference for certain user activities on the system. Only keys have timestamps, individual values do not.
Investigators can view the registry on a live system with the built-in Registry Editor (regedit), and capture the hive files themselves with a tool such as FTK Imager that reads the disk below the file-system locks (the files in config are locked while Windows runs and cannot simply be copied):
Open FTK Imager > Add Evidence Item > Logical Drive > Next > select the system drive > Finish,
then browse to C:\Windows\System32\config in the evidence tree, right-click the registry file you want to investigate and export it.
- Computer Name: HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName
- ProductName, CurrentBuildNumber, RegisteredOwner, etc.: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
- Last Shutdown Time: HKLM\SYSTEM\ControlSet001\Control\Windows, value ShutdownTime (a REG_BINARY holding a 64-bit FILETIME, i.e. 100-nanosecond intervals since 1601-01-01 UTC)
- Timezone Settings: HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation (ActiveTimeBias, in minutes; registry timestamps are UTC, so apply the bias to get the local time the user saw)
Use DCode to convert raw FILETIME values to a human-readable format.
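As an added example (not part of the original post), the following Python does the DCode step for the two keys above: it parses a `reg export` text file, decodes the ShutdownTime FILETIME, and applies ActiveTimeBias to give local time. The .reg content is constructed for this example, not taken from a real system.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of what `reg export` writes for the two keys above. The
# hex/dword values are invented for this example, not taken from a real system.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Windows]
"ShutdownTime"=hex:00,9c,b4,b6,20,57,d9,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation]
"TimeZoneKeyName"="W. Europe Standard Time"
"ActiveTimeBias"=dword:ffffffc4
"""

# A FILETIME counts 100 ns intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a raw 64-bit FILETIME into a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_reg_export(text: str) -> dict:
    """Minimal parser for the .reg text format: {key path: {value name: value}}.

    hex: values become bytes, dword: values become int, "..." values stay str.
    REG_MULTI_SZ / REG_EXPAND_SZ ("hex(7):", "hex(2):") are left unparsed here.
    """
    text = re.sub(r",\\\r?\n\s*", ",", text)  # join wrapped hex lines
    parsed, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            parsed[key] = {}
        elif key is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("hex:"):
                value = bytes.fromhex(raw[4:].replace(",", ""))
            elif raw.startswith("dword:"):
                value = int(raw[6:], 16)
            else:
                value = raw.strip('"')
            parsed[key][name] = value
    return parsed


def last_shutdown(reg: dict) -> tuple:
    """Return (UTC datetime, local datetime) of the last clean shutdown.

    ActiveTimeBias is a signed DWORD of minutes to ADD to local time to get
    UTC, so local time = UTC - bias (e.g. bias -60 means UTC+1).
    """
    windows_key = next(k for k in reg if k.lower().endswith(r"\control\windows"))
    raw = reg[windows_key]["ShutdownTime"]           # 8 bytes, little-endian
    utc = filetime_to_datetime(int.from_bytes(raw, "little"))

    tz_key = next(k for k in reg if k.lower().endswith(r"\timezoneinformation"))
    bias = reg[tz_key]["ActiveTimeBias"]
    if bias >= 0x80000000:                           # reinterpret DWORD as signed
        bias -= 0x100000000
    local = utc.astimezone(timezone(timedelta(minutes=-bias)))
    return utc, local


if __name__ == "__main__":
    utc, local = last_shutdown(parse_reg_export(SAMPLE_REG_EXPORT))
    print("Last shutdown:", utc.isoformat(), "UTC /", local.isoformat(), "local")
```

Keep the UTC value for the timeline and report the local one only as context: ActiveTimeBias reflects the zone at the moment of export, so a shutdown that happened before a DST change can be off by an hour if you trust the local figure alone.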
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares
The hidden administrative shares (C$, ADMIN$, IPC$) that Windows Vista, 7, 8.1 and 10 create by default are recreated by the Server service at each start and do not appear here; a share created by a user is persisted under this key, so anything listed is worth explaining.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID}
Each {GUID} subkey is one network profile, wired or wireless: ProfileName, Description, NameType (0x47 wireless, 0x06 wired) and the first and last connection times in DateCreated and DateLastConnected, which are stored as 16-byte SYSTEMTIME structures rather than FILETIMEs.
[HKCU|HKLM]\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Search for any unusual programs that appear in the auto-startup list.
In a live analysis you can use Task Manager > Startup apps,
or Autoruns or Silent Runners to enumerate all autostart locations (submit unknown files or their hashes to VirusTotal, which checks them against many antivirus engines for viruses, worms, trojans and other malicious content).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
When a user logs on, these keys are read and every entry is executed, which is why malware uses them to survive a reboot. The key's LastWrite time tells you when an entry was last added or changed, not when it last ran. They are ignored when the system is started in Safe Mode.
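To show what "unusual" means in practice, here is an added triage script (not from the original post) that parses `reg query` output for the Run keys and flags entries that run from user-writable paths, reuse a core Windows binary name outside C:\Windows, or hand an encoded command to a script host. The `reg query` text is constructed for this example; the OneDrive entry is deliberately included because a legitimate program running from AppData is flagged too, which is why each finding carries its reasons rather than a verdict.

```python
import re

# Constructed sample of `reg query <key>` output for two of the Run keys
# listed above. All entries are invented for this example.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    WindowsUpdate    REG_SZ    C:\Users\bob\AppData\Roaming\svchost.exe
    Loader    REG_SZ    powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
"""

# Core Windows binaries that should never run from outside C:\Windows.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "explorer.exe", "smss.exe"}
# Script hosts / living-off-the-land binaries that are unusual as autorun targets.
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe",
           "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe", "msiexec.exe"}
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp|Public)\\", re.I)
ENCODED_OR_URL = re.compile(r"\s-(e|ec|enc|encodedcommand)\b|https?://", re.I)


def parse_reg_query(text: str) -> list:
    """Parse `reg query` output into (key, value name, type, data) tuples.

    Key lines are flush left; value lines are indented and separate name,
    REG_* type and data with runs of spaces.
    """
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            key = line.strip()
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) == 3 and parts[1].startswith("REG_") and key:
            entries.append((key, parts[0], parts[1], parts[2]))
    return entries


def first_executable(command: str) -> str:
    """Return the program an autorun value launches.

    Handles quoted paths and expands %windir%/%SystemRoot%; an unquoted path
    with spaces is cut at the first space, which is also what Windows tries first.
    """
    command = re.sub(r"%(windir|systemroot)%", lambda m: r"C:\Windows",
                     command.strip(), flags=re.I)
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def triage_autoruns(entries: list) -> list:
    """Flag autorun entries a responder should look at first, with reasons."""
    findings = []
    for key, name, _type, data in entries:
        target = first_executable(data)
        basename = target.rsplit("\\", 1)[-1].lower()
        reasons = []
        if USER_WRITABLE.search(target):
            reasons.append("runs from a user-writable location")
        if basename in SYSTEM_BINARIES and not target.lower().startswith("c:\\windows\\"):
            reasons.append("core Windows binary name outside C:\\Windows")
        if basename in LOLBINS:
            reasons.append("script host / LOLBin as autorun target")
            if ENCODED_OR_URL.search(data):
                reasons.append("encoded command or URL on the command line")
        if reasons:
            findings.append({"key": key, "name": name, "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_autoruns(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"{f['key']}\\{f['name']}: {f['target']} -> {', '.join(f['reasons'])}")
```

Run it on `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` output (and the RunOnce and HKCU variants) saved to a file, then confirm each flagged target by hash on VirusTotal and by its Authenticode signature before calling it malicious.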
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Each subkey is the SID of a user who has logged on to the system; its ProfileImagePath value maps the SID to the profile folder and therefore to the username. A SID is the unique identifier Windows assigns to each account and uses, together with the user's token, to grant access to resources.
HKLM\SOFTWARE\Classes\exefile\shell\open\command
HKCR\exefile\shell\open\command
These file-association keys hold the command used to launch every .exe, so they are evaluated each time the user opens any program; the expected default value is "%1" %*. Malware modifies them to get its own path executed first (a file association hijack), so check for anything other than the default.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
On Windows XP this key registers DLLs that Winlogon loads and notifies when certain events occur (logon, logoff); later versions no longer load Notify packages, but the key is still worth checking. Based on LastWrite times, look at entries close to the date of the suspected incident.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Userinit and Shell are, like Notify, commonly abused Winlogon values for persistence. Userinit should contain only C:\Windows\system32\userinit.exe, (with the trailing comma) and Shell should be explorer.exe; any extra comma-separated executable runs at every logon.
For Notify entries, check for DLLs listed in the DLLName value that have suspicious file version information or no file version information at all.
After a USB device is plugged into a Windows system, the PnP (Plug and Play) manager searches for the driver required to recognize the device, and evidence of its use (artifacts or footprints) can be found in the registry.
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses
Export these two keys to text files and use the device's serial number (the subkey under Disk&Ven_..&Prod_..&Rev_.. in USBSTOR; if its second character is "&", Windows generated it because the device reported no serial) and, on older systems, the ParentIdPrefix to correlate the entries, then read the LastWrite times of the matching subkeys to determine when the USB device was last connected to the system. You can also use USBDeview to view the contents of the device descriptor.
When a volume is mounted on an NTFS system, it is assigned a drive letter, recorded in
HKLM\SYSTEM\MountedDevices
where the \DosDevices\E: values for USB devices contain the USBSTOR instance path with the serial (as UTF-16LE text), and the \??\Volume{GUID} values give the volume GUID that ties the same device to a user's MountPoints2 key.
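As an added example (not part of the original post), this Python splits USBSTOR instance paths into vendor, product, revision and serial, marks Windows-generated serials, and matches each serial against the MountedDevices values to recover the drive letter the device was mounted as. Both the USBSTOR subkey names and the MountedDevices values are constructed for this example.

```python
import re

# Constructed sample: two USBSTOR instance paths as listed under
# HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR, and two REG_BINARY values from
# HKLM\SYSTEM\MountedDevices. Every identifier here is invented for this example.
SAMPLE_USBSTOR_KEYS = [
    r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567890123&0",
    r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a1b3c4d&0&_&0",
]
SAMPLE_MOUNTED_DEVICES = {
    # USB volumes are stored as UTF-16LE text naming the USBSTOR instance path.
    "\\DosDevices\\E:": (
        "_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00#"
        "4C530001234567890123&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    ).encode("utf-16-le"),
    # Fixed disks use a 12-byte MBR disk signature + partition offset instead.
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d4" + "00" * 8),
}

USBSTOR_RE = re.compile(
    r"USBSTOR\\(?P<device_type>[^&\\]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)"
    r"&Rev_(?P<revision>[^\\]*)\\(?P<serial>[^\\]+)$",
    re.I,
)


def parse_usbstor_key(key: str):
    """Split a USBSTOR instance path into vendor, product, revision and serial.

    If the second character of the serial is '&', the device reported no
    serial number and Windows generated one, so it cannot uniquely identify
    that physical stick across systems.
    """
    match = USBSTOR_RE.search(key)
    if not match:
        return None
    info = match.groupdict()
    serial = info["serial"]
    info["windows_generated_serial"] = len(serial) > 1 and serial[1] == "&"
    return info


def drive_letters_for(serial: str, mounted_devices: dict) -> list:
    """Find the \\DosDevices\\X: entries in MountedDevices that name this serial."""
    letters = []
    for name, raw in mounted_devices.items():
        if not name.startswith("\\DosDevices\\"):
            continue
        try:
            text = raw.decode("utf-16-le")
        except UnicodeDecodeError:
            continue  # odd-length or non-text binary values are not device paths
        if "USBSTOR#" in text and f"#{serial}#" in text:
            letters.append(name.rsplit("\\", 1)[-1])
    return letters


def usb_device_report(usbstor_keys: list, mounted_devices: dict) -> list:
    """Combine both keys: one record per USB storage device, with drive letters."""
    report = []
    for key in usbstor_keys:
        info = parse_usbstor_key(key)
        if info:
            info["drive_letters"] = drive_letters_for(info["serial"], mounted_devices)
            report.append(info)
    return report


if __name__ == "__main__":
    for device in usb_device_report(SAMPLE_USBSTOR_KEYS, SAMPLE_MOUNTED_DEVICES):
        print(device)
```

A drive letter is reused across devices, so a match here only says the device was the last one mounted under that letter; pair it with the LastWrite times from USBSTOR and DeviceClasses before putting it on the timeline.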
When a user opens files, Control Panel applets and programs through Explorer, UserAssist records it:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
The value names are obfuscated with ROT13 (a Caesar shift of 13, an encoding rather than encryption); decode them with any rot13 tool. On Windows 7 and later each value is a 72-byte binary record holding the run count, focus count, focus time and the last-execution FILETIME.
Registry keys that track user activity are found in each user's NTUSER.DAT file.
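As an added example (not part of the original post), the following Python decodes UserAssist Count values end to end: ROT13 on the name, then the run count, focus count, focus time and last-run FILETIME from the 72-byte record. The offsets follow the commonly documented Windows 7+ layout (Windows XP used a 16-byte record); the GUIDs are the two real UserAssist subkeys, while the value names and blobs are constructed for this example.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# The two UserAssist GUID subkeys seen on Windows 7 and later:
GUID_EXECUTABLES = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"
GUID_SHORTCUTS = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"

# Constructed sample of the Count subkey under GUID_EXECUTABLES: value names are
# ROT13 exactly as stored; the binary blobs are invented for this example.
SAMPLE_COUNT_VALUES = {
    # "UEME_CTLSESSION": a session-control entry, not a program, 8 bytes long
    "HRZR_PGYFRFFVBA": bytes.fromhex("0000000001000000"),
    # "C:\Users\bob\Downloads\invoice.exe"
    r"P:\Hfref\obo\Qbjaybnqf\vaibvpr.rkr": bytes.fromhex(
        "00000000"            # bytes 0-3: session id
        "07000000"            # bytes 4-7: run count
        "03000000"            # bytes 8-11: focus count
        "c8af0000"            # bytes 12-15: focus time in ms (45000)
        + "00" * 44           # bytes 16-59: ten floats + unknown, zero here
        + "004e3205c156d901"  # bytes 60-67: last-run FILETIME
        + "00000000"          # bytes 68-71: unknown
    ),
}

# A FILETIME counts 100 ns intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_userassist_entry(name: str, blob: bytes):
    """Decode one Count value (Windows 7+ 72-byte layout); None if not a program entry.

    Offsets (little-endian): 4 run count, 8 focus count, 12 focus time in ms,
    60 last-execution FILETIME.
    """
    if len(blob) != 72:
        return None
    run_count, focus_count, focus_ms = struct.unpack_from("<III", blob, 4)
    (filetime,) = struct.unpack_from("<Q", blob, 60)
    return {
        "program": codecs.decode(name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        # A zero FILETIME means the entry was never executed via Explorer.
        "last_run_utc": (FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
                         if filetime else None),
    }


def decode_userassist(count_values: dict) -> list:
    """Decode every program entry under Count and sort by last run, newest first."""
    rows = [row for row in (decode_userassist_entry(name, blob)
                            for name, blob in count_values.items()) if row]
    rows.sort(key=lambda row: row["last_run_utc"] or FILETIME_EPOCH, reverse=True)
    return rows


if __name__ == "__main__":
    for row in decode_userassist(SAMPLE_COUNT_VALUES):
        print(row["last_run_utc"], row["run_count"], row["program"])
```

Feed it the name/data pairs from both GUID subkeys (executables and shortcuts) of the NTUSER.DAT you collected; entries with a zero FILETIME still prove the program was seen, just not when it last ran.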
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32 (subkeys OpenSavePidlMRU and LastVisitedPidlMRU: files and folders used in Open/Save dialogs)
RecentDocs lists recently opened files grouped by extension. The RunMRU key is written when a user executes a command from the Run dialog (Start > Run or Win+R); its MRUList value gives the order of use.
HKCU\Software\Microsoft\Internet Explorer\TypedURLs
contains the URLs typed into the address bar of Internet Explorer (not the Chromium-based Edge, which keeps its history in its own profile files)
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
When the user connects to a remote drive or share using the Map Network Drive wizard, an MRU list entry is added.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Lists every volume and share the user has mounted: remote drives added with the Map Network Drive wizard or the net use command, and removable devices keyed by their volume GUID, which ties USB activity to a specific user account.