Registry forensics


A presentation on Registry forensics from one of my lectures. Thanks to Harlan Carvey and Jolanta Thomassen for their wonderful research in the field. The work is based on their research.

Published in: Technology
  • Good work Mr Boonlia. Yes, my piece of work is an overview of Digital Forensics... Collaboration work on Forensics sounds fantastic... Please, I would like to know more about it. Feel free to contact me via e-mail:
  • Sir, are you there? Sir, please send me the above steganography ppt. Please sir, tomorrow we have our project review and the download option is not available.. Sir please
  • Planning a zipcast on this topic. Please mail me at with the subject line 'Registry forensics zipcast' in case anyone is willing to attend.
  • Absence of evidence is not evidence of absence
  • Registry forensics

    1. Registry Forensics. Boonlia Prince Komal Shri
    2. Who Am I
        • My introduction
        • My publications
            • System Forensics, with Ankit Fadia
            • Papers published on:
                • Isolating virus signatures
                • Handling digital evidence
                • Malware analysis methodologies
        • My work (forensics specific)
            • Running my own organisation
                • Working for the Police Department
                • Insurance companies
                • Digital forensics training
        • My contact info
            • [email_address]
    3. Today's Agenda: some advanced developments in System Forensics
        • Understanding what the registry is and what it does
        • How the Windows registry is built up and which files are used
        • Diving deep into the file structure
        • Understanding a few important keys in the registry
        • Tools of the trade
    4. Which one is the Registry?
        • Layman
        • Normal computer user
        • System administrator
        • Ethical hacker and pen tester
        • Malware analyst
        • Forensic investigator
    5. Basic Concepts in the Registry: System Administrator's Terminology
    6. Basic Concepts in the Registry: Forensic Investigator's Terminology
    7. Mapping the Registry files. BCD (Boot Configuration Data) replaced the boot configuration file (Boot.ini) from Vista onwards. USRCLASS.DAT is merged with NTUSER.DAT when the user logs in, to provide the complete configuration.
    8. Mapping the Registry files, cont..
    9. Let's tear apart the hive file structure (physical organization)
        • A base block (more like a header of the file): 4096 bytes
        • Bin blocks (hbin): 4096 bytes, or a multiple of it
        • Cells, to store keys, values and other structures, in multiples of 8 bytes
        • Concept of bin filling
    10. The base block structure. Do we need to see the hive in a hex editor? Observe this value.
    11. The hbin structure
    12. Let's tear apart the hive file structure (logical structure)
    13. Let's tear apart the hive file structure (logical structure)
    14. Compare what you see with the previous slide
    15. Key cell binary structure
    16. Key cell structure
    17. Sub key list cell structure: lf/lh type key list; ri/li type key list
    18. Value key and value list: value key; value list
    19. Value data and value data type: value data; value data type
    20. Time to look at the file in a hex editor
    21. Let's construct the registry manually
        • Go to the base block for basic information and the location of the root key
        • Go to the root key location and do the following:
            • Get the name and fill it in
            • Get the location of the subkey list and fill in all subkeys. Go to the subkey offsets and cross-check the parent key.
            • Get the location of the value cells. Go to those locations and from there obtain the following information:
                • Value type info, and fill it in
                • Value data, and fill it in
                • Value name, and fill it in
        • Do the same for all the subkeys
        • Apply the security descriptor
        • Apply classes
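The procedure above carried out in code, as an added example that is not part of the original presentation: a minimal parser that reads the base block, walks every hbin and every cell, and reports key (nk) cells whether allocated or freed, which is where the "registry slack" mentioned later comes from. The hive bytes are constructed inline (not a real hive), and the nk field offsets, the 0x20 compressed-name flag and the "negative size means allocated" cell convention are assumptions taken from the public hive format description rather than from the slides.

```python
import struct
from datetime import datetime, timedelta, timezone
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)       # FILETIME epoch; one tick is 100 ns
def filetime_to_dt(ft):
    return EPOCH + timedelta(microseconds=ft // 10)
def dt_to_filetime(dt):
    td = dt - EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10
def parse_nk(body):                                     # offsets are relative to the cell body (after the 4-byte size)
    flags, ft = struct.unpack_from('<HQ', body, 2)      # flags at 0x02, last write time (FILETIME) at 0x04
    name_len = struct.unpack_from('<H', body, 0x48)[0]  # key name length at 0x48, key name at 0x4C
    name = body[0x4C:0x4C + name_len].decode('latin-1' if flags & 0x20 else 'utf-16-le')  # 0x20 = compressed (ASCII) name
    return {'name': name, 'last_write': filetime_to_dt(ft)}

def carve_keys(hive):                                   # walk every hbin and cell; keep nk cells, allocated or freed
    assert hive[:4] == b'regf', 'not a hive file'
    root_off, bins_size = struct.unpack_from('<II', hive, 0x24)   # root cell offset and hive bins size in the base block
    found, pos, end = [], 0x1000, 0x1000 + bins_size              # hive bins follow the 4096-byte base block
    while pos < end and hive[pos:pos + 4] == b'hbin':
        hb_size = struct.unpack_from('<I', hive, pos + 8)[0]
        cell = pos + 0x20                                         # cells start after the 32-byte hbin header
        while cell < pos + hb_size:
            size = struct.unpack_from('<i', hive, cell)[0]        # negative = allocated, positive = freed (slack)
            if size == 0:
                break                                             # zero padding: no more cells in this bin
            body = hive[cell + 4:cell + abs(size)]
            if body[:2] == b'nk' and len(body) >= 0x4C:
                rec = parse_nk(body)
                rec.update(allocated=size < 0, offset=cell - 0x1000, is_root=cell - 0x1000 == root_off)
                found.append(rec)
            cell += abs(size)
        pos += hb_size
    return found

def _nk_cell(name, when, allocated=True):               # build one nk cell for the constructed sample hive
    body = bytearray(0x4C)
    struct.pack_into('<2sHQ', body, 0, b'nk', 0x20, dt_to_filetime(when))
    struct.pack_into('<H', body, 0x48, len(name))
    body += name.encode()
    size = (len(body) + 4 + 7) & ~7                     # cell sizes are multiples of 8 bytes
    return struct.pack('<i', -size if allocated else size) + bytes(body).ljust(size - 4, b'\0')
def build_sample_hive():                                # constructed, not a real file: base block + one 4 KiB hbin
    when = datetime(2011, 3, 14, 9, 26, 53, tzinfo=timezone.utc)
    cells = (_nk_cell('ROOT', when) + _nk_cell('Deleted', when - timedelta(days=1), allocated=False)
             + _nk_cell('Run', when))                   # the freed 'Deleted' key only survives in registry slack
    hbin = bytearray(struct.pack('<4sII', b'hbin', 0, 0x1000)).ljust(0x1000, b'\0')  # signature, offset, size
    hbin[0x20:0x20 + len(cells)] = cells
    base = bytearray(b'regf').ljust(0x1000, b'\0')
    struct.pack_into('<II', base, 0x24, 0x20, 0x1000)   # root cell at bins offset 0x20; bins data is one 4 KiB bin
    return bytes(base + hbin)
```

Running `carve_keys(build_sample_hive())` lists ROOT and Run as allocated keys and Deleted as a freed cell with its last write time still intact, which is exactly what a tool that only follows the live key tree would never show.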
    22. So what are we going to do with all these numbers?
        • Now we know what information we can get
            • (Key last write time)
        • Now we can evaluate the tool to be used
            • (Regedit is not worth it)
        • Now we can find registry information in a corrupt registry
            • (Partial hive file recovered from a formatted drive)
        • Now we can find registry information in registry slack
        • Now we can find registry information in the page file
        • Now we can find information in memory
        • Now we know how tools work and how effective they are
        • Now we can find information in unused sectors where a registry hive, or part of it, was once stored
        • Above all... now we can answer in a court of law why our findings are not incorrect.
            • (Sir, it's not just the output of a tool... I can explain what exactly it is)
    23. What we can find in the registry (a few important keys)
        • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU (Windows XP): shows recently opened files (MRU = Most Recently Used)
            • Files recently opened with the Open and Save dialog boxes. Not applicable to MS Office documents
        • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU (Windows 7): voila... it's a lot of information for every extension
            • Provides an extension-wise list of opened files. Coupled with the last write time it's a great source of information
        • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU (LastVisitedPidlMRU in Windows 7)
            • Displays the last used files along with the executable in which each was opened
        • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
            • Displays the files recently opened from Windows Explorer
        • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
            • Entries of the "Run" dialog from which commands have been executed
    24. Let's cross-check it
    25. A few important keys, cont..
        • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
            • Shows whether the page file will be cleared on shutdown or not
        • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
            • Shows installed programs and drivers along with the uninstall string (it's in HKCU if the program is installed only for the logged-in user)
        • HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
            • USB storage devices that have been connected, along with their serial numbers
        • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
            • A list of mounted devices along with the drive letter assigned
        • HKCU\Software\Microsoft\Command Processor
            • Has a value named AutoRun (this can contain a command to be run each time cmd.exe is launched... a piece of cake for malware ;)
        • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
            • Contains a value "Shell", defaulting to "explorer", which malware can modify to append itself
    26. A few more important keys
        • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
            • Carries options for executables. A value named "Debugger" under an executable's key pointing at some other executable will launch that executable instead
        • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
            • The Windows internal keylogger, with a ROT13 cipher
        • HKCU\Software\Microsoft\Protected Storage System Provider
            • Passwords and autocomplete for IE, Outlook, MSN and other MS services. Not shown by Regedit, but shown by other tools
        • Well... the list is long...
    27. Time to check a few tools
        • Autoruns
        • RegRipper
        • Registryslack
        • Regscan
        • RegistryDecoder
        • Volatility demo
    28. Is that all? It's just the start... Q&A. My info: [email_address]; Twitter: http:// ; Facebook: