Registry Forensics
Boonlia Prince Komal Shri

Who Am I
  • My introduction
  • My publications: System Forensics with Ankit Fadia; papers published on isolating virus signatures, handling digital evidence, and malware analysis methodologies
  • My work (forensics specific): running my own organisation; working for the Police Department and insurance companies; digital forensics trainings
  • My contact info: [email_address]

Today's Agenda
  • Some advanced developments in system forensics
  • Understanding what the registry means and what it does
  • How the Windows registry is built up and which files are used
  • Diving deep into the file structure
  • Understanding a few important keys in the registry
  • Tools of the trade

Which one is the Registry?
  • Layman
  • Normal computer user
  • System administrator
  • Ethical hacker and pen tester
  • Malware analyst
  • Forensic investigator

Basic Concepts in Registry: System Administrator Terminology

Basic Concepts in Registry: Forensic Investigator's Terminology

Mapping the Registry files
  • BCD (Boot Configuration Data) replaced the boot configuration file (Boot.ini) in Vista and onwards
  • USRCLASS.DAT is merged with NTUSER.DAT when the user logs in, to provide the complete configuration

Mapping the Registry files (cont.)

Let's Tear Apart the Hive File Structure (Physical Organization)
  • A base block (more like a header of the file): 4096 bytes
  • Bin (hbin) blocks: 4096 bytes, or a multiple of it
  • Cells, in multiples of 8 bytes, to store keys, values and other structures
  • The concept of bin filling

The Base Block Structure
  • Do we need to see the hive in a hex editor? Observe this value

The hbin Structure

Let's Tear Apart the Hive File Structure (Logical Structure)

Let's Tear Apart the Hive File Structure (Logical Structure, cont.)

Compare what you see with the previous slide

Key Cell Binary Structure

Key Cell Structure

Sub Key List Cell Structure
  • lf/lh type key list
  • ri/li type key list

Value Key and Value List
  • Value key
  • Value list

Value Data and Value Data Type
  • Value data
  • Value data type

Time to look at the file in a hex editor

Let's construct the registry manually
  • Go to the base block for basic information and the location of the root key
  • Go to the root key location and do the following:
    • Get the name and fill it in
    • Get the location of the sub keys and fill in all the subkeys
    • Go to the subkey offsets and cross check the parent key
    • Get the location of the value cells; go to those locations and obtain the following information:
      • Value type info, and fill it in
      • Value data, and fill it in
      • Value name, and fill it in
  • Do the same for all the subkeys
  • Apply the security descriptor
  • Apply classes

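The manual walk above (base block, then hbin, then cells, then the key cell's name and last-write time) as an added Python example; this is not code from the presentation. It builds a constructed two-block sample hive in memory and parses it back. Field offsets follow the regf format (4096-byte base block with its checksum at 0x1FC, 32-byte hbin header, 4-byte signed cell size where negative means allocated, nk name length at 0x48 and name at 0x4C); the sample hive, the key name "ROOT" and the timestamp are constructed values.

```python
import struct
from datetime import datetime, timedelta, timezone

def filetime_to_datetime(ft):   # FILETIME: 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def base_block_checksum(bb):    # XOR of the first 508 bytes as dwords, then the 0 / -1 fix-ups
    csum = 0
    for (word,) in struct.iter_unpack("<I", bb[:508]):
        csum ^= word
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(csum, csum)
def parse_base_block(hive):     # signature, sequence numbers, root-key offset, checksum
    bb = hive[:4096]
    if bb[:4] != b"regf":
        raise ValueError("not a regf hive")
    seq1, seq2 = struct.unpack_from("<II", bb, 0x04)      # unequal: dirty hive, consult the .LOG
    (ft,) = struct.unpack_from("<Q", bb, 0x0C)
    root_off, hbins_size = struct.unpack_from("<II", bb, 0x24)   # root offset is hbins-relative
    (stored,) = struct.unpack_from("<I", bb, 0x1FC)
    return {"seq_match": seq1 == seq2, "last_write": filetime_to_datetime(ft),
            "root_offset": root_off, "hbins_size": hbins_size,
            "checksum_ok": stored == base_block_checksum(bb)}

def walk_cells(hive, hbin_off=0):   # yield (hbins-relative offset, allocated?, payload) per cell
    start = 4096 + hbin_off
    if hive[start:start + 4] != b"hbin":
        raise ValueError("bad hbin signature")
    (size,) = struct.unpack_from("<I", hive, start + 8)
    pos = start + 32                                       # skip the 32-byte hbin header
    while pos < start + size:
        (csize,) = struct.unpack_from("<i", hive, pos)     # negative size = allocated cell
        if csize == 0 or csize % 8:
            raise ValueError("corrupt cell size at %#x" % pos)
        yield pos - 4096, csize < 0, hive[pos + 4:pos + abs(csize)]
        pos += abs(csize)
def parse_nk(payload):          # key name and last-write time from an 'nk' (key) cell
    if payload[:2] != b"nk":
        raise ValueError("not a key cell")
    (ft,) = struct.unpack_from("<Q", payload, 0x04)
    (nlen,) = struct.unpack_from("<H", payload, 0x48)
    return {"name": payload[0x4C:0x4C + nlen].decode("latin-1"), "last_write": filetime_to_datetime(ft)}
def build_sample_hive(ft=132000000000000000):   # constructed sample: base block + one 4 KiB hbin
    nk = b"nk" + struct.pack("<HQ", 0x2C, ft) + b"\x00" * 0x3C + struct.pack("<HH", 4, 0) + b"ROOT"
    cell = struct.pack("<i", -88) + nk.ljust(84, b"\x00")          # 4 + 80 bytes, rounded up to 88
    free = struct.pack("<i", 4096 - 32 - 88)                        # positive size = free cell
    hbin = (b"hbin" + struct.pack("<II", 0, 4096)).ljust(32, b"\x00") + cell + free
    bb = (b"regf" + struct.pack("<IIQIIIIIII", 1, 1, ft, 1, 5, 0, 1, 32, 4096, 1)
          + "SAMPLE".encode("utf-16-le")).ljust(508, b"\x00")
    bb += struct.pack("<I", base_block_checksum(bb))               # checksum lives at 0x1FC
    return bb.ljust(4096, b"\x00") + hbin.ljust(4096, b"\x00")
```

Pointing `parse_base_block` and `walk_cells` at a hive copied from disk gives the same checks: a sequence-number mismatch or a bad checksum means the hive was not cleanly written, and a cell size that is not a multiple of 8 marks the point where a recovered fragment stops being trustworthy.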
So what are we going to do with all these numbers?
  • Now we know what information we can get (e.g. the key last write time)
  • Now we can evaluate the tool to be used (Regedit is not worth it)
  • Now we can find registry information in a corrupt registry (a partial hive file recovered from a formatted drive)
  • Now we can find registry information in registry slack
  • Now we can find registry information in the page file
  • Now we can find information in memory
  • Now we know how tools work and how effective they are
  • Now we can find information in unused sectors where a registry hive, or part of it, was once stored
  • Above all... now we can answer in a court of law why our findings are not incorrect ("Sir, it's not the output of a tool... I can explain what exactly it is")

What can we find in the registry? (A few important keys)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU (Windows XP): shows recently opened files (MRU = Most Recently Used), i.e. files opened through the Open and Save dialogue boxes. Not applicable for MS Office documents
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU (Windows 7): voila, a lot of information for every extension. Provides an extension-wise list of opened files; coupled with the last write time it is a great source of information
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU (LastVisitedPidlMRU in Windows 7): displays the last used files along with the executable in which each was opened
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs: displays the files recently opened from Windows Explorer
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU: entries of the "Run" dialogue from which commands have been executed

Let's cross check it

A Few Important Keys (cont.)
  • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management: shows whether the page file will be cleared on shutdown or not
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall: shows installed programs and drivers along with the uninstall string (it is under HKCU if the program is installed only for the logged-in user)
  • HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR: USB storage devices that have been connected, along with their serial numbers
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\: a list of mounted devices along with the drive letter assigned
  • HKCU\Software\Microsoft\Command Processor: has a value named Autorun, which can contain a command to be run each time Cmd.exe is launched... a piece of cake for malware ;)
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: contains a value "Shell", defaulting to "explorer.exe", which malware can modify to append itself

A Few More Important Keys
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\: carries options for executables. A value named "Debugger" under an executable's key, pointed at some other executable, causes that one to be launched instead
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist: the Windows internal "keylogger", with entries encoded using the ROT13 cipher
  • HKCU\Software\Microsoft\Protected Storage System Provider: passwords and autocomplete for IE, Outlook, MSN and other MS services. Not shown by Regedit, but shown by other tools
  • Well... the list is long...

Time to check a few tools
  • Autoruns
  • RegRipper
  • Registryslack
  • Regscan
  • RegistryDecoder
  • Volatility
  • Demo

Is that all? It's just the start...
Q&A
My info: [email_address]
Twitter: http://twitter.com/boonlia
Facebook: http://www.facebook.com/profile.php?id=1701055902


Editor's Notes

  • Slide 24 ("Let's cross check it"): Absence of evidence is not evidence of absence