Document created by Yakov Goldberg
Our website: http://www.ubersec.com
Follow Us on Twitter: http://twitter.com/#!/ubersec
Windows Registry Forensics
Most Windows Operating Systems (OS) contain a database called the Windows registry. The Windows registry consists of data files that hold essential information about the Windows Operating System (OS), the software applications installed in Windows, the hardware, and various system components. The registry is organized into folders called keys and into values that hold the specific information belonging to the keys they sit under. By browsing through the keys and reading the values, users can find out which applications have been installed on the system, which files were used recently, and which applications and services run during the Windows start-up process. This article presents some interesting locations within the Windows registry. That information can be viewed by any user and helps in learning and understanding the registry and in realizing what Windows logs inside it. Likewise, it can help users perform some simple forensic analysis of their Windows registry for learning or troubleshooting purposes as needed.
THE REGISTRY HIVES
To load the Windows registry editor, type the following:
Click on the START button ► then click on RUN ► and then type regedt32
And now you should see the following,
As you can see, the registry editor shows five different registry hives. Keep in mind, however, that Windows Vista and Windows 7 also include additional registry hive files besides those loaded by the registry editor.
- HKEY_CLASSES_ROOT (HKCR): this hive contains configuration information that specifies which application is used to open each file format on the system.
- HKEY_CURRENT_USER (HKCU): this hive contains information about the user who is currently logged on to the system, together with that user's profile.
The HKCU folder actually corresponds to the NTUSER.dat file, located in the following place on your hard drive:
For Windows XP users,
C:\Documents and Settings\username\NTUSER.dat
For Windows Vista and 7 users,
Note that there are some open-source tools on the Internet that allow you to view the information within an NTUSER.dat file without having to log on as each user and then access that registry hive. However, if you are a professional forensic analyst, logging in to an OS that is used as evidence in a criminal investigation under the criminal's Windows profile, just to collect artifacts from the registry pertaining to the crime, is NOT a GOOD idea, because you will contaminate the timelines stored within the NTUSER.dat file (or HKCU) and the evidence will not be admissible in court. The information within that NTUSER.dat must only be viewed by booting an external OS (such as Linux) from a CD or USB, mounting the local drive, and then viewing the information in each file. The BackTrack distribution includes some great tools that can help with this task. In addition, you may choose to download a demo of the AccessData Registry Viewer and/or purchase that application to help you collect information from other users' NTUSER.dat files without having to worry about contaminating the integrity of the evidence.
- HKEY_LOCAL_MACHINE (HKLM): this hive contains by far the most information about the OS configuration state, as well as the hardware and software settings.
Upon expanding the HKLM tree, you should see the following sub-folders,
These folders actually correspond to data files located in the following place on your hard drive:
Note that there are some open-source tools on the Internet that let you view the information within each file without using the registry editor. However, since these files are protected by the OS once the OS is running, the information within each file can only be viewed by booting an external OS (such as Linux) from a CD or USB, mounting the local drive, and then viewing the information in each file. The BackTrack distribution includes some great tools that can help with this task.
- HKEY_USERS (HKU): this hive contains the settings that apply to all users who have logged on to the system. In addition, it contains the default profile configuration used for new user profiles.
- HKEY_CURRENT_CONFIG (HKCC): this hive contains information about the hardware profile the OS uses during the start-up process.
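The mapping between the hives shown in the editor and the files on disk can be read directly from the registry itself. The following PowerShell is an added example, not code from the article: it lists every loaded hive and its backing file using the hivelist key (HKLM\SYSTEM\CurrentControlSet\Control\hivelist, a real key that the article does not name), and then shows why the files cannot simply be copied from a running system.

```powershell
# Added example (not from the original article): show which file on disk backs each
# loaded registry hive, then demonstrate that those files are locked while Windows runs.
$hiveList = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'

$mapping = $hiveList.PSObject.Properties |
    Where-Object { $_.Name -like '\REGISTRY\*' } |
    ForEach-Object {
        [pscustomobject]@{
            Hive = $_.Name                              # e.g. \REGISTRY\MACHINE\SYSTEM or \REGISTRY\USER\S-1-5-21-...
            File = $_.Value -replace '^\\\?\?\\', ''    # \??\C:\Users\x\ntuser.dat -> C:\Users\x\ntuser.dat
        }
    }
$mapping | Format-Table -AutoSize

# The per-user hives (HKCU belongs to whoever is logged on) are the NTUSER.dat entries.
$mapping | Where-Object { $_.File -like '*ntuser.dat' } | Format-Table -AutoSize

# Try to open a loaded hive file read-only. The registry keeps it open with exclusive
# access, so on a live system this fails with a sharing violation; that is why the
# article sends you to an offline boot medium to read the files themselves.
function Test-HiveFileOpen {
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        $fs.Close()
        'opened read-only (not locked)'
    } catch {
        # Expect "being used by another process" (locked) or access denied (not elevated).
        $_.Exception.GetType().Name + ': ' + $_.Exception.Message
    }
}
$systemHive = Join-Path $env:SystemRoot 'System32\config\SYSTEM'
"$systemHive -> $(Test-HiveFileOpen -Path $systemHive)"
```

Run it from an elevated prompt so that the open attempt reports the sharing violation rather than an access-denied error; either way the file is not readable in place, which is the point the article makes.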
Before attempting to view the registry or change any values in any of the hives, it is a good idea to back up the registry to your local drive. People often change values and keys within the registry, and the result is that their OS crashes, Windows fails to boot, and so on. To back up the registry to a file, use the Export option under the File menu of the registry editor. Once you click on Export, save the file to the root folder of your local C: drive. If, after making changes to the registry, you realize that you need to restore the registry to the state before your changes, you can always import that file back into your registry.
First, let's start with keys and values that exist in the HKEY_LOCAL_MACHINE (HKLM) hive.
Listing applications that are launched during the OS boot process:
The following location lists all the services that are loaded into the Windows OS.
Alternatively, to see all services WITHOUT using the registry, do the following:
Click on the START button ► then click on RUN ► and then type services.msc
Then you should see the following,
Under the Services key you should see more sub-folders, one for each service loaded on the Windows system. Upon clicking on the desired key, you should see the values pertaining to that key in the right pane of the registry editor. One of these values is the Start value. Look below,
If the Start value is set to 0x02, it means that the particular service starts when the Windows OS boots up.
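Clicking through every sub-key by hand does not scale, so here is an added PowerShell example (not code from the article) that inventories the Services key and decodes each Start value. The key path HKLM\SYSTEM\CurrentControlSet\Services and the meaning of the Start and Type values are standard Windows facts that the article's screenshots would have shown; the "outside the Windows directory" filter at the end is a review heuristic of mine, not something the article describes.

```powershell
# Added example (not from the original article): inventory every service key under
# the Services key and decode its Start value the way a reviewer would on a live system.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Documented meanings of the REG_DWORD Start value.
$startTypes = @{
    0 = 'Boot (loaded by the kernel loader)'
    1 = 'System (loaded by the I/O subsystem)'
    2 = 'Automatic (started by the SCM at boot)'
    3 = 'Manual (started on demand)'
    4 = 'Disabled'
}

$inventory = foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    # Not every subkey is a service definition; skip the ones without a Start value.
    if ($null -eq $props -or $null -eq $props.Start) { continue }

    $code  = [int]$props.Start
    $label = if ($startTypes.ContainsKey($code)) { $startTypes[$code] } else { "Unknown ($code)" }
    $type  = if ($null -ne $props.Type) { [int]$props.Type } else { 0 }

    [pscustomobject]@{
        Name      = $key.PSChildName
        Start     = $code
        StartType = $label
        # Type bits 0x10/0x20 mark Win32 services; 0x1/0x2 mark kernel and file-system drivers.
        IsWin32   = (($type -band 0x30) -ne 0)
        ImagePath = $props.ImagePath
    }
}

# The services the article singles out: Start = 2, i.e. started automatically at boot.
$inventory | Where-Object { $_.Start -eq 2 } | Sort-Object Name |
    Format-Table Name, StartType, IsWin32, ImagePath -AutoSize

# Review heuristic: auto-start Win32 services whose binary is not under the Windows
# directory. Legitimate third-party software lands here too, so treat the list as
# reading material for the analyst, not as a verdict.
$inventory |
    Where-Object { $_.Start -eq 2 -and $_.IsWin32 -and $_.ImagePath -and $_.ImagePath -notmatch '(?i)(system32|\\windows\\|%systemroot%|\\systemroot\\)' } |
    Format-Table Name, ImagePath -AutoSize

# Sanity check against what the Service Control Manager reports (the services.msc view).
"Registry Win32 services: $(@($inventory | Where-Object { $_.IsWin32 }).Count); Get-Service: $(@(Get-Service).Count)"
```

The final line is the quick consistency check between the two views the article offers: the registry and services.msc should describe the same set of Win32 services, and a gap between the two counts is worth explaining.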
In the following location you can find the computer's name:
In the following location you will find the OS Product ID, Product Name, System Root, etc.:
In the following location you can find the time and date at which the OS was last shut down:
After clicking on the Windows key, you should see the value ShutdownTime in the right pane. However, you cannot read this information unless you know how to convert a REG_BINARY value into a readable form. Alternatively, you can download the LastShutDown.bvs script below and run it on the system.
In the following location you can find information about all the printer drivers that currently exist on the system. Forensic analysts can find information such as the model value, which indicates the name of the printer whose driver was installed, and the installdate value, which represents the date on which the printer driver was installed:
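The conversion the article refers to is small enough to do by hand. The PowerShell below is an added example, not the article's LastShutDown script: it gathers the computer name and product values from the locations just listed and decodes ShutdownTime, which is a FILETIME (a little-endian 64-bit count of 100-nanosecond intervals since 1601-01-01 UTC) stored as 8 REG_BINARY bytes. The three key paths and the InstallDate value are standard Windows locations that I am supplying because the article's screenshots are not reproduced here; the event-log cross-check at the end is my addition.

```powershell
# Added example (not from the original article): collect the system identity values
# the article points at and decode the binary timestamps among them.
$computerNameKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName'
$versionKey      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$windowsKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows'

# ShutdownTime is REG_BINARY: 8 little-endian bytes holding a FILETIME, i.e. the number
# of 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
function ConvertFrom-FileTimeBytes {
    param([byte[]]$Bytes)
    if ($Bytes.Count -ne 8) { throw "FILETIME needs 8 bytes, got $($Bytes.Count)" }
    [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($Bytes, 0))
}

$name    = (Get-ItemProperty -Path $computerNameKey).ComputerName
$version = Get-ItemProperty -Path $versionKey
$rawShut = (Get-ItemProperty -Path $windowsKey -Name ShutdownTime).ShutdownTime
$shutUtc = ConvertFrom-FileTimeBytes -Bytes $rawShut

# InstallDate under CurrentVersion is a REG_DWORD count of seconds since 1970-01-01 UTC.
$epoch      = New-Object DateTime 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
$installUtc = $epoch.AddSeconds([double]$version.InstallDate)

[pscustomobject]@{
    ComputerName      = $name
    ProductName       = $version.ProductName
    ProductId         = $version.ProductId
    SystemRoot        = $version.SystemRoot
    InstallDateUtc    = $installUtc.ToString('u')
    ShutdownTimeRaw   = ($rawShut | ForEach-Object { $_.ToString('x2') }) -join ' '
    ShutdownTimeUtc   = $shutUtc.ToString('u')
    ShutdownTimeLocal = $shutUtc.ToLocalTime().ToString('u')
} | Format-List

# Cross-check: System log event 1074 (source User32) records who requested a shutdown
# and when; the most recent one should line up with ShutdownTime to within seconds.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074 } -MaxEvents 3 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

Keep the raw bytes in your notes alongside the decoded value: the registry stores the instant in UTC, and a mismatch between ShutdownTime and the event log (or a ShutdownTime that is older than the newest 1074 event) is itself a finding, usually pointing at a crash or power loss rather than a clean shutdown.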
In the following location you can find out whether the last-access TimeStamp feature of NTFS is disabled or enabled. The TimeStamp feature is a time log that tells the user when a folder was last accessed.
Now look for the value NtfsDisableLastAccessUpdate. If the value is set to 0, this "disable" setting is itself off and timestamps are still updated. You can choose to set the value to 1, and the setting is then on, so updates stop:
0 = NTFS updates the last-accessed timestamp of a file whenever that file is opened.
1 = NTFS does not update the last-access timestamp of a file when that file is opened.
The results should look like the following,
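Reading and changing this value from PowerShell, with the backup step the article recommends earlier done first, looks like the following. This is an added example, not code from the article; the key path HKLM\SYSTEM\CurrentControlSet\Control\FileSystem is the standard location of NtfsDisableLastAccessUpdate, which the article's screenshot would have shown. The write is switched off by default so the script can be run read-only on any machine.

```powershell
# Added example (not from the original article): back up the FileSystem key before touching
# it (the article's advice), read NtfsDisableLastAccessUpdate, and optionally change it.
$fsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'   # PowerShell drive syntax
$fsKeyReg    = 'HKLM\SYSTEM\CurrentControlSet\Control\FileSystem'    # reg.exe syntax
$valueName   = 'NtfsDisableLastAccessUpdate'
$applyChange = $false     # set to $true (from an elevated prompt) to actually write the value
$newValue    = 0          # 0 = NTFS updates last-access timestamps; 1 = it does not

function Get-LastAccessSetting {
    $props = Get-ItemProperty -Path $fsKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return 'value absent: the NTFS default for this Windows version applies' }
    switch ([int]$props.$valueName) {
        0       { '0 = NTFS updates the last-accessed timestamp of a file whenever it is opened' }
        1       { '1 = NTFS does not update the last-accessed timestamp when a file is opened' }
        default { "$_ = unexpected value; record it and check the documentation for this Windows version" }
    }
}

"Current setting : $(Get-LastAccessSetting)"

if ($applyChange) {
    # 1. Export the key so the change can be undone with: reg import <file>
    $backup = Join-Path 'C:\' ('FileSystem-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    reg.exe export $fsKeyReg $backup /y | Out-Null
    if (-not (Test-Path $backup)) { throw 'Export failed; leaving the registry untouched' }
    "Backup written to: $backup"

    # 2. Write the new value. NTFS reads it at boot, so a reboot is needed before it takes effect.
    Set-ItemProperty -Path $fsKey -Name $valueName -Value $newValue -Type DWord
    "New setting     : $(Get-LastAccessSetting)"
}
```

Two caveats for anyone relying on this timestamp as evidence: Windows Vista and Windows 7 ship with the value set to 1, so last-access times on those systems have not been maintained unless someone changed it, and flipping the value on a system under investigation alters exactly the kind of metadata an analyst is trying to preserve, so the change belongs on your own machines, not on evidence.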