Session ID: HTA-F42
Session Classification: Advanced
Dr. Vico Marziale
504ENSICS Labs
Advanced Techniques For Registry Forensics: A Study Of Three Scenarios
► Brief overview of registry background
► Use RD to find evidence of
► Data exfiltration
► Malware infection
► Anti-forensics tool use
Agenda
2
► Forensics and incident response goldmine
► Logs a wealth of user and system activity
► Timestamps
► Using Windows backup features (System Restore & VSS), we
can recover historical data going back months or longer
(how?)
► Cool: more evidence
► PITA: how do we process/manage it
► How do you currently use these?
Why is the registry interesting?
3
► Removable device activity
► Including serial number and model name
► See stuxnet
► Typed Internet Explorer URLs
► Recently accessed files (per-file-type)
► Networking information
► Per device, used network shares, and more
► Entered search terms (Windows 7)
4
► Autoruns
► Timezone info
► Application launch counts
► Mounted devices
► Services
► System install info
► Folder listings
► Routing info
► Firewall rules
5
► Open source Python project
► Initially funded by the National Institute of Justice (NIJ)
► Its goal is to automate the acquisition, analysis, and
reporting of registry contents
► Contains two components:
► A live registry hive acquisition tool
► Pulls hives from live machines
► Both current and backups
► Standalone (no installation) executable
► An offline analysis tool
► Discussed next
Registry Decoder
6
► Performs offline analysis of registry files
► Facilitates comprehensive registry analysis of any number of
files within one graphical interface
► Most features are usable on the command line as well (for scripting,
testing, etc., all will be in next release)
► Supports multiple input types
► Uses a pre-processing phase to make analysis afterwards
much faster
Registry Decoder
7
► Case management
► Hive Browsing
► Advanced Search
► Plugin System
► Path-Based Analysis
► Differencing
► Timelining
► Reporting
Analysis Features
8
► Simple, but useful
► Case name, number
► Investigator
► Comments
► Case directory
► Provides persistence
► Data is only pre-processed once
► Close and re-open case at will
Case Management
9
10
► Similar to other browsing tools (AccessData, regedit, etc)
► Displays key / value pairs and last write time of chosen key
► Hex view of value data
► Tabbed view allows multiple browse windows open
simultaneously
► Can type path and immediately jump there
Hive Browsing
11
12
► Good tools for intelligent searching across registry hives?
► RD allows users to quickly search for a single term or a
collection of terms (from a file) across any selected hives in a
case
► Multiple types of search parameters:
► Exact or partial matching
► Wildcard matching (*, ?)
► Key name or value name or data
► Start and end date using last write time of keys
Advanced Search
13
14
► The plugin system allows for targeted analysis of specific
data within the registry
► Mostly robbed from regripper
► Useful for fixed analysis that must be done repeatedly
► Listing MRU documents
► All plugins are in Python, and have access to all Python built-ins
► We provide an API designed to make plugin development as
painless as possible
► Many plugins are less than 10 lines of Python and require
very little programming ability
Plugins
15
16
► Hives can be timelined based on the last write time of keys
► Included keys can be filtered by starting and / or ending
time
► Output can be tab-separated (importable in Excel) or in
Sleuth Kit mactime format
► Multiple input registry files can be processed into the same
output timeline
Timelining
17
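The search and timelining features described on the last few slides, reimplemented as an added example in Python. This is not Registry Decoder's code; the key/value model, the FILETIME helpers and the three sample keys are constructed for illustration. It shows exact, partial and wildcard matching on key names, value names and data, a last-write date window, and the same filtered keys written out both as a tab-separated timeline and as Sleuth Kit body lines that mactime can merge with file system output.

```python
# Added example (not Registry Decoder's code): wildcard search and timelining
# over a constructed in-memory model of keys pulled from several hives.
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_FILETIME = 116444736000000000  # 1970-01-01 00:00:00 UTC as a FILETIME


def filetime_to_datetime(ft):
    """Key last-write times are FILETIMEs: 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def to_filetime(dt):
    delta = dt - EPOCH_1601
    return ((delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds) * 10


def ft(*ymdhms):
    """Shorthand: FILETIME from a UTC year, month, day[, hour, minute, second]."""
    return to_filetime(datetime(*ymdhms, tzinfo=timezone.utc))


# Constructed sample: three keys from two hives of one case (hypothetical data).
SAMPLE_KEYS = [
    {"hive": "SYSTEM", "last_write": ft(2012, 2, 1, 9, 15, 0), "values": [],
     "path": r"ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00"},
    {"hive": "NTUSER.DAT", "last_write": ft(2012, 2, 1, 9, 40, 0),
     "path": r"Software\Microsoft\Internet Explorer\TypedURLs",
     "values": [("url1", "http://www.example.com/"), ("url2", "http://proxy.example.net/")]},
    {"hive": "NTUSER.DAT", "last_write": ft(2012, 1, 20, 18, 5, 0),
     "path": r"Software\Microsoft\Windows\CurrentVersion\Run",
     "values": [("updater", r"C:\Users\bob\AppData\Roaming\updater.exe")]},
]


def _in_range(key, start, end):
    lw = key["last_write"]
    return (start is None or lw >= start) and (end is None or lw <= end)


def _match(text, pattern, exact):
    text, pattern = text.lower(), pattern.lower()
    if exact:
        return text == pattern
    if any(c in pattern for c in "*?["):
        return fnmatchcase(text, pattern)  # wildcard match
    return pattern in text  # partial match


def search(keys, pattern, start=None, end=None, exact=False,
           in_key=True, in_name=True, in_data=True):
    """Search key names, value names and value data across all hives in the case,
    limited to keys whose last-write time is inside [start, end] (FILETIMEs)."""
    hits = []
    for key in keys:
        if not _in_range(key, start, end):
            continue
        key_name = key["path"].rsplit("\\", 1)[-1]
        if in_key and _match(key_name, pattern, exact):
            hits.append((key["hive"], key["path"], "key", key_name))
        for name, data in key["values"]:
            if in_name and _match(name, pattern, exact):
                hits.append((key["hive"], key["path"], "name", name))
            if in_data and _match(str(data), pattern, exact):
                hits.append((key["hive"], key["path"], "data", data))
    return hits


def timeline(keys, start=None, end=None):
    """Keys from any number of hives, merged and ordered by last-write time."""
    return sorted((k for k in keys if _in_range(k, start, end)), key=lambda k: k["last_write"])


def timeline_tsv(keys, start=None, end=None):
    rows = ["time (UTC)\thive\tkey"]
    for k in timeline(keys, start, end):
        stamp = filetime_to_datetime(k["last_write"])
        rows.append(f"{stamp:%Y-%m-%d %H:%M:%S}\t{k['hive']}\t{k['path']}")
    return "\n".join(rows)


def timeline_body(keys, start=None, end=None):
    """Sleuth Kit 3.x body format: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime.
    A key carries a single timestamp, so it is emitted as mtime and the others are 0."""
    lines = []
    for k in timeline(keys, start, end):
        mtime = (k["last_write"] - UNIX_EPOCH_FILETIME) // 10_000_000  # FILETIME -> Unix seconds
        lines.append(f"0|[{k['hive']}] {k['path']}|0|0|0|0|0|0|{mtime}|0|0")
    return "\n".join(lines)


if __name__ == "__main__":
    for hit in search(SAMPLE_KEYS, "*proxy*"):
        print(hit)
    print(timeline_tsv(SAMPLE_KEYS, start=ft(2012, 2, 1)))
    print(timeline_body(SAMPLE_KEYS))
```

The date window compares raw FILETIMEs, so no timezone conversion happens until output, which is where it belongs. Feed the body lines to `mactime -b` together with `fls -m` output and the registry writes interleave with file system activity.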
So, What Can We Do With It?
18
► Is there any evidence of USB devices being used?
► Is there any evidence of attempts to bypass network web filtering?
► Is there any evidence of file upload services in use?
Data Exfiltration
19
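How the removable-device evidence mentioned earlier (serial number and model name) is actually encoded, as an added example that is not from the talk or from Registry Decoder: the device entries and timestamps below are constructed. The caveat a practitioner wants is in `instance_serial`: an instance ID whose second character is `&` was generated by Windows because the device reported no serial, so it cannot be tied to one physical stick. The key's last-write time is also not a reliable "last plugged in" time on its own and should be corroborated with other artifacts.

```python
# Added example (not from the talk or Registry Decoder): pull vendor, product,
# revision and serial number out of USBSTOR key names from a constructed sample,
# and separate real serials from the instance IDs Windows makes up itself.
import re
from datetime import datetime, timezone

# Under HKLM\SYSTEM\ControlSet00N\Enum\USBSTOR each device class key is named
# <type>&Ven_<vendor>&Prod_<product>&Rev_<revision>, with one subkey per device instance.
DEVICE_KEY = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>[^&]*)$")

# Constructed sample (hypothetical): (device key, instance subkey, instance key last-write, UTC)
SAMPLE_USBSTOR = [
    ("Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00", "001CC0EC34C1ED612F3B5B61&0",
     datetime(2012, 2, 1, 9, 15, tzinfo=timezone.utc)),
    ("Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07", "7&1a2b3c4d&0",
     datetime(2011, 12, 24, 20, 2, tzinfo=timezone.utc)),
    ("CdRom&Ven_HL-DT-ST&Prod_DVDRAM_GT30N&Rev_1.00", "5&2e9f8a7b&0&000000",
     datetime(2012, 1, 10, 13, 30, tzinfo=timezone.utc)),
    ("NotAUsbStorKey", "x", datetime(2012, 1, 1, tzinfo=timezone.utc)),
]


def parse_device_key(name):
    m = DEVICE_KEY.match(name)
    return None if m is None else m.groupdict()


def instance_serial(instance_key):
    """The instance subkey is the serial the device reported, then '&' and a port index.
    A device with no serial gets an ID Windows generates, recognisable by '&' as its
    second character; that ID is per-port, so it does not identify one physical device."""
    generated = len(instance_key) > 1 and instance_key[1] == "&"
    return (None if generated else instance_key.split("&", 1)[0]), generated


def usb_devices(entries):
    devices = []
    for device_key, instance_key, last_write in entries:
        info = parse_device_key(device_key)
        if info is None:
            continue  # not a USBSTOR device key; skip rather than guess
        serial, generated = instance_serial(instance_key)
        info.update(serial=serial, generated_id=generated, last_write=last_write)
        devices.append(info)
    return sorted(devices, key=lambda d: d["last_write"])


if __name__ == "__main__":
    for d in usb_devices(SAMPLE_USBSTOR):
        print(f"{d['last_write']:%Y-%m-%d %H:%M}Z {d['type']:<6} {d['vendor']} {d['product']} "
              f"rev {d['revision']} serial={d['serial'] or '(none, Windows-generated ID)'}")
```

A real serial is what lets you match the stick found on a suspect's desk to the key in the SYSTEM hive; a generated ID only tells you that some device of that model was plugged into that port.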
20
21
► There are several places malware likes to hide in the registry, some old, some new.
► Yes, the very old techniques are still in use because they still work
► There is no comprehensive list, and I am far from the foremost expert on such things, but following are a few I find interesting
► RD plugins exist for some of these; the interested can view the plugin source for the registry locations
► Those so inclined are also invited to write some new plugins (more info later)
Malware Analysis / Detection
22
► Run* lists (of which there are many)
► HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
► HKLM\Software\Microsoft\Windows\CurrentVersion\Run
► HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
► HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
► HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
► HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
► HKCU\Software\Microsoft\Windows\CurrentVersion\Run
► HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
► HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Where is the malware?
23
► Browser Helper Objects
► HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
► Manipulation of persistent routes
► HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes
► Running as services
► HKLM\SYSTEM\CurrentControlSet\Services
► ServiceDLL mechanism
► HKLM\SYSTEM\CurrentControlSet\Services\<service>\Parameters\ServiceDLL
Where is the malware?
24
► Infected file sharing applications
► Limewire
► Infected antivirus solutions
► Application Initialization DLLs
► HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
► MUICache, UserAssist
► Browser toolbars
► Firewall rules
► Etc.
Where is the malware?
25
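A plugin-style sweep over the persistence locations on the preceding three slides, written as an added example in Python against a hypothetical in-memory hive. It is not Registry Decoder's plugin API or code, and the hive contents, service name, CLSID and file paths are all constructed. The point it makes beyond the list of paths: the key alone often does not name the code, so the sweep resolves a svchost-hosted service to its ServiceDll, a BHO's CLSID to the DLL in its InprocServer32 key, and the executable inside a quoted or argument-bearing ImagePath, then flags anything running from a user-writable directory.

```python
# Added example (not from the talk or Registry Decoder): a plugin-style sweep of
# the persistence locations listed above, run over a constructed in-memory hive.
import re

# Constructed sample hive (hypothetical, not a real system): key path -> {value name: data};
# "" is the key's default value and CurrentControlSet is already resolved.
SAMPLE_HIVE = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {"ctfmon": r"C:\Windows\System32\ctfmon.exe"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {"updater": r"C:\Users\bob\AppData\Roaming\updater.exe"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler": {"ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\netsvc": {"ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\netsvc\Parameters": {"ServiceDll": r"C:\ProgramData\netsvc.dll"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes": {"0.0.0.0,0.0.0.0,192.168.1.254,1": ""},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}": {},
    r"HKLM\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32": {"": r"C:\Users\bob\AppData\Local\Temp\helper.dll"},
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows": {"AppInit_DLLs": r"C:\Windows\Temp\init.dll", "LoadAppInit_DLLs": 1},
}

RUN_KEYS = [
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
]
SERVICES = r"HKLM\SYSTEM\CurrentControlSet\Services"
BHO = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
USER_WRITABLE = re.compile(r"\\(Users|Documents and Settings|ProgramData|Temp|AppData)\\", re.I)


def _norm(path):
    return path.strip("\\").lower()


def get_values(hive, path):
    """Case-insensitive key lookup; registry paths are not case sensitive."""
    want = _norm(path)
    return next((v for k, v in hive.items() if _norm(k) == want), None)


def subkeys(hive, path):
    prefix = _norm(path) + "\\"
    return sorted({k.strip("\\")[len(prefix):].split("\\", 1)[0]
                   for k in hive if _norm(k).startswith(prefix)})


def image_path(command):
    """Extract the exe/DLL path from a command line, quoted or not, expanding %SystemRoot%."""
    command = re.sub(r"%systemroot%", r"C:\\Windows", command.strip(), flags=re.I)
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(\S+\.(?:exe|dll|sys))", command, re.I)
    return m.group(1) if m else command.split(" ", 1)[0]


def why_suspicious(path):
    if not path:
        return "no image path recorded"
    if USER_WRITABLE.search(path):
        return "runs from a user-writable location"
    if not re.search(r"\.(exe|dll|sys)$", path, re.I):
        return "not a plain exe/dll/sys path"
    return None


def sweep(hive):
    findings = []

    def add(location, name, path, extra=None):
        reason = why_suspicious(path) or extra
        findings.append({"location": location, "name": name, "path": path,
                         "suspicious": reason is not None, "reason": reason})

    for key in RUN_KEYS:
        for name, data in (get_values(hive, key) or {}).items():
            add(key, name, image_path(str(data)))
    for svc in subkeys(hive, SERVICES):
        vals = get_values(hive, SERVICES + "\\" + svc) or {}
        if "ImagePath" in vals:
            add("service ImagePath", svc, image_path(vals["ImagePath"]))
        params = get_values(hive, SERVICES + "\\" + svc + r"\Parameters") or {}
        if "ServiceDll" in params:  # svchost-hosted code lives in the DLL, not in ImagePath
            add("service ServiceDll", svc, image_path(params["ServiceDll"]))
    for clsid in subkeys(hive, BHO):  # the BHO key only names a CLSID; the DLL is in InprocServer32
        server = get_values(hive, r"HKLM\SOFTWARE\Classes\CLSID" + "\\" + clsid + r"\InprocServer32") or {}
        add("Browser Helper Object", clsid, image_path(server.get("", "")))
    win = get_values(hive, r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows") or {}
    for dll in re.split(r"[ ,]+", str(win.get("AppInit_DLLs", "")).strip()):
        if dll:  # anything here is loaded into every process that loads user32.dll
            add("AppInit_DLLs", dll, image_path(dll), extra="AppInit DLL present")
    routes = get_values(hive, SERVICES + r"\Tcpip\Parameters\PersistentRoutes") or {}
    for route in routes:  # value names are "destination,mask,gateway,metric"
        dest, mask, gateway, metric = route.split(",")
        findings.append({"location": "PersistentRoutes", "name": route, "path": gateway,
                         "suspicious": False, "reason": None})
    return findings


if __name__ == "__main__":
    for item in sweep(SAMPLE_HIVE):
        flag = "!!" if item["suspicious"] else "  "
        print(f"{flag} {item['location']:<22} {item['name']:<14} {item['path']}  {item['reason'] or ''}")
```

The flag is a triage hint, not a verdict: ctfmon and spoolsv under System32 pass, while anything under Users, ProgramData or a Temp directory is listed for a closer look. Persistent routes are reported without a flag because the gateway has to be judged against the network the machine lived on.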
► Discover what types of malware are installed?
► Browser-based?
► Rootkits?
► Rogue services?
► Malware in plain sight?
► Are there things in the registry which indicate
malware, even though you may not be able to link it
to a specific executable?
► So, I infected this XP box (story)
So, How Do
26
27
28
29
30
31
32
► Some people do not like to get caught and so take measures to hide things
► This sometimes just gives the investigator more crumbs to collect
► Crypto
► Truecrypt, Bitlocker
► Timestamp mucking
► Timestomp
► Web proxy services
Scenario 3: Anti-Forensics
33
► NukeOnDelete
► HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
► NtfsDisableLastAccessUpdate
► HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
► ClearPageFileAtShutdown
► HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
More Anti-Forensics
34
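Checking the three settings above, as an added example that is not from the talk or from Registry Decoder; both sample hives are constructed. The raw REG_DWORD bytes are decoded strictly (four little-endian bytes or it is an error, never a guess), and each value is compared with the default for the OS version recorded in the SOFTWARE hive, because NtfsDisableLastAccessUpdate is 1 by default from Vista onward and only says something about the user on XP/2003. One further caveat: on Vista and later NukeOnDelete moves to per-volume subkeys under BitBucket\Volume in the user's NTUSER.DAT, so the HKLM path on the slide applies to XP-era systems.

```python
# Added example (not from the talk or Registry Decoder): decode the three REG_DWORD
# anti-forensics settings from raw hive bytes and flag only the ones that differ
# from what the OS version would set by default.
import struct

# value name -> (key path, what a value of 1 means for the investigator)
SETTINGS = {
    "NukeOnDelete": (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket",
                     "deleted files bypass the Recycle Bin"),
    "NtfsDisableLastAccessUpdate": (r"HKLM\SYSTEM\CurrentControlSet\Control\FileSystem",
                                    "NTFS no longer updates last-access timestamps"),
    "ClearPageFileAtShutdown": (r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management",
                                "the pagefile is overwritten at shutdown"),
}

# Constructed sample hives (hypothetical): key path -> {value name: raw REG_DWORD bytes or string}.
XP_HIVE = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion": {"CurrentVersion": "5.1"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket": {"NukeOnDelete": b"\x01\x00\x00\x00"},
    r"HKLM\SYSTEM\CurrentControlSet\Control\FileSystem": {"NtfsDisableLastAccessUpdate": b"\x01\x00\x00\x00"},
}
WIN7_HIVE = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion": {"CurrentVersion": "6.1"},
    r"HKLM\SYSTEM\CurrentControlSet\Control\FileSystem": {"NtfsDisableLastAccessUpdate": b"\x01\x00\x00\x00"},
    r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management": {"ClearPageFileAtShutdown": b"\x00\x00\x00\x00"},
}


def reg_dword(raw):
    """REG_DWORD data is exactly four little-endian bytes; anything else is malformed
    (or a REG_QWORD / REG_DWORD_BIG_ENDIAN the caller mis-typed) and must not be guessed at."""
    if not isinstance(raw, (bytes, bytearray)) or len(raw) != 4:
        raise ValueError("not a REG_DWORD: %r" % (raw,))
    return struct.unpack("<I", raw)[0]


def nt_version(hive):
    """Major/minor NT version from the SOFTWARE hive, e.g. (5, 1) for XP, (6, 1) for Windows 7."""
    cv = hive[r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"]["CurrentVersion"]
    major, minor = cv.split(".")[:2]
    return int(major), int(minor)


def expected_default(name, version):
    # Vista (6.0) and later ship with last-access updates disabled, so a 1 there is normal;
    # on XP/2003 the default is 0. The other two default to 0 (or are simply absent).
    if name == "NtfsDisableLastAccessUpdate" and version >= (6, 0):
        return 1
    return 0


def check_anti_forensics(hive):
    version = nt_version(hive)
    report = []
    for name, (path, meaning) in SETTINGS.items():
        raw = hive.get(path, {}).get(name)
        value = None if raw is None else reg_dword(raw)
        default = expected_default(name, version)
        report.append({"setting": name, "value": value, "default": default,
                       "changed": value is not None and value != default,
                       "note": meaning if value == 1 else None})
    return report


def changed_settings(hive):
    """Names of the settings someone changed away from the OS default."""
    return [r["setting"] for r in check_anti_forensics(hive) if r["changed"]]


if __name__ == "__main__":
    for label, hive in (("XP", XP_HIVE), ("Win7", WIN7_HIVE)):
        print(label, changed_settings(hive))
```

A changed setting is only the crumb; the last-write time of the key it lives in (FileSystem, Memory Management, BitBucket) tells you roughly when it was changed, which is the next thing to put on the timeline.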
► Evidence of encrypted storage?
► Evidence of attempts to bypass network web filtering?
► File upload services in use?
► Common anti-forensics software installed/in use?
► Other anti-forensics techniques?
► Assume that the system has been timestomped and so
filesystem timelines are made useless. What information
on recent activity can be had from registry timelines?
How Do We
35
36
37
38
39
40
► Registry forensics is a powerful tool
► Particularly good for triage in some cases
► Stores a wide range of interesting information
► Registry Decoder provides a unified, open source system for
registry analysis and research
► Saves considerable time and effort
► Extensible via plugin system
► Useful for things you might not have thought to use it for
before
► Data exfiltration
► Malware detection / analysis
► Anti-anti-forensics
Conclusion
41
► Contact:
► vico@504ENSICS.com
► www.504ensics.com
► @vicomarziale
► Download RD:
► http://code.google.com/p/registrydecoder/
► Come to BSides NOLA!
Questions / Comments?
42
