Windows Registry Forensics
eBook - ePub

Windows Registry Forensics

Advanced Digital Forensic Analysis of the Windows Registry

Harlan Carvey

Buch teilen
  1. 216 Seiten
  2. English
  3. ePUB (handyfreundlich)
  4. Über iOS und Android verfĂŒgbar
eBook - ePub

Windows Registry Forensics

Advanced Digital Forensic Analysis of the Windows Registry

Harlan Carvey

Angaben zum Buch
Buchvorschau
Inhaltsverzeichnis
Quellenangaben

Über dieses Buch

Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry, Second Edition, provides the most in-depth guide to forensic investigations involving Windows Registry. This book is one-of-a-kind, giving the background of the Registry to help users develop an understanding of the structure of registry hive files, as well as information stored within keys and values that can have a significant impact on forensic investigations. Tools and techniques for post mortem analysis are discussed at length to take users beyond the current use of viewers and into real analysis of data contained in the Registry. This second edition continues a ground-up approach to understanding so that the treasure trove of the Registry can be mined on a regular and continuing basis.

  • Named a Best Digital Forensics Book by InfoSec Reviews
  • Packed with real-world examples using freely available open source tools
  • Provides a deep explanation and understanding of the Windows Registry—perhaps the least understood and employed source of information within Windows systems
  • Includes a companion website that contains the code and author-created tools discussed in the book
  • Features updated, current tools and techniques
  • Contains completely updated content throughout, with all new coverage of the latest versions of Windows

HĂ€ufig gestellte Fragen

Wie kann ich mein Abo kĂŒndigen?
Gehe einfach zum Kontobereich in den Einstellungen und klicke auf „Abo kĂŒndigen“ – ganz einfach. Nachdem du gekĂŒndigt hast, bleibt deine Mitgliedschaft fĂŒr den verbleibenden Abozeitraum, den du bereits bezahlt hast, aktiv. Mehr Informationen hier.
(Wie) Kann ich BĂŒcher herunterladen?
Derzeit stehen all unsere auf MobilgerĂ€te reagierenden ePub-BĂŒcher zum Download ĂŒber die App zur VerfĂŒgung. Die meisten unserer PDFs stehen ebenfalls zum Download bereit; wir arbeiten daran, auch die ĂŒbrigen PDFs zum Download anzubieten, bei denen dies aktuell noch nicht möglich ist. Weitere Informationen hier.
Welcher Unterschied besteht bei den Preisen zwischen den AboplÀnen?
Mit beiden AboplÀnen erhÀltst du vollen Zugang zur Bibliothek und allen Funktionen von Perlego. Die einzigen Unterschiede bestehen im Preis und dem Abozeitraum: Mit dem Jahresabo sparst du auf 12 Monate gerechnet im Vergleich zum Monatsabo rund 30 %.
Was ist Perlego?
Wir sind ein Online-Abodienst fĂŒr LehrbĂŒcher, bei dem du fĂŒr weniger als den Preis eines einzelnen Buches pro Monat Zugang zu einer ganzen Online-Bibliothek erhĂ€ltst. Mit ĂŒber 1 Million BĂŒchern zu ĂŒber 1.000 verschiedenen Themen haben wir bestimmt alles, was du brauchst! Weitere Informationen hier.
UnterstĂŒtzt Perlego Text-zu-Sprache?
Achte auf das Symbol zum Vorlesen in deinem nÀchsten Buch, um zu sehen, ob du es dir auch anhören kannst. Bei diesem Tool wird dir Text laut vorgelesen, wobei der Text beim Vorlesen auch grafisch hervorgehoben wird. Du kannst das Vorlesen jederzeit anhalten, beschleunigen und verlangsamen. Weitere Informationen hier.
Ist Windows Registry Forensics als Online-PDF/ePub verfĂŒgbar?
Ja, du hast Zugang zu Windows Registry Forensics von Harlan Carvey im PDF- und/oder ePub-Format sowie zu anderen beliebten BĂŒchern aus Informatica & Tecnologia dell'informazione. Aus unserem Katalog stehen dir ĂŒber 1 Million BĂŒcher zur VerfĂŒgung.

Information

Verlag
Syngress
Jahr
2016
ISBN
9780128033357
Auflage
2
Thema
Informatica
Thema
Tecnologia dell'informazione
1

Registry Analysis

Abstract

This chapter provides an overview of what Registry analysis should consist of and provides an initial foundation for understanding the binary and logical structure of the Windows Registry.

Keywords

Analysis; Keys; Locard; Registry; Structure; Values
Information in this chapter
‱ Core Analysis Concepts
‱ What is the Window Registry?
‱ Registry Structure

Introduction

The Windows Registry is a core component of the Windows operating systems, and yet when it comes to digital analysis of Windows systems, is perhaps the least understood component of a Windows system. This may be due to how little information seems to have been written on the subject; however, if you spend just a little time looking around, you’ll find that there has actually been quite a bit of information regarding the Windows Registry documented. This apparent disparity may be due to the fact that most of the commercial forensic analysis applications do little more than open the Windows Registry in a viewer-type application and do not provide for the application of previously developed (from the analyst’s most recent case, or provided by other analysts) intelligence to the available data. Whatever the reason, my purpose for writing this book is to illustrate the vital importance of the Windows Registry to digital forensic analysis. This is not to say that the Windows Registry is the only aspect of the system that requires attention; nothing could be further from the truth. However, the Windows Registry can provide a great deal of valuable information and context to a digital examination, and as such, there is a particular value in addressing this topic in a book such as this one.
The Windows Registry maintains a great deal of configuration information about the system, maintaining settings for various functionality within the system (ie, may be enabled or disabled). In addition, the Registry maintains historical information about user activity; in order to provide the user with a “better” overall experience, details about applications installed and accessed, as well as window positions and sizes, are maintained in a manner similar to a log file. All of this information can be extremely valuable to a forensic examiner, particularly when attempting to establish a timeline of system and/or user activity. A wide range of cases would benefit greatly from information derived from the Registry, if the analyst were aware of the information and how to best exploit it for the purposes of their examination.
What’s in the Registry?
The first thing to keep in mind when conducting Registry analysis is that not everything can be found there. Believe it or not, one particular question that I still see asked is, “Where are file copies recorded in the Registry?” Windows systems do not record file copy operations, and if such things were recorded, I’d think that some other resource (Windows Event Log, maybe) would be far more suitable.
Not everything is recorded in the Registry, but the Windows Registry is still an incredibly valuable forensic resource.
Information in the Registry can have a much greater effect on an examination than I think most analysts really realize. There are many Registry values that can have a significant impact on how the various components of the system behave; for example, there is a Registry value that tells the operating system to stop updating file last access times, so that whenever a file is opened (albeit nothing changed) for viewing or searching, the time stamp is not updated accordingly. And oh, yeah
this is enabled by default beginning with Windows Vista and is still enabled by default on Windows 7 and Windows 8 systems. Given this, how do examiners then determine when a file was accessed? Well, there are other resources, both within the Registry and without (Jump Lists, for example) that can provide this information, particularly depending upon the type of file accessed and the application used to access the file.
A few examples of Registry values that can impact an examination include (but are not limited to) the following:
‱ Alter file system tunneling (specifics of file system tunneling can be found online at http://support.microsoft.com/kb/172190) behavior, or the updating of last accessed times on files and folders
‱ Have files that the user deletes automatically bypass the Recycle Bin
‱ Modify system crash dump, Prefetcher, and System Restore Point behavior
‱ Clear the pagefile when the system is shut down
‱ Enable or disable Event Log auditing
‱ Enable or disable the Windows firewall
‱ Redirect the Internet Explorer web browser to a particular start page or proxy
‱ Automatically launch applications with little to no input from the user beyond booting the system and logging in
All of these Registry settings can significantly impact the direction of an investigation. In a number of instances, I have found valuable data in the pagefile (such as responses from web server queries) that would not have been there had the pagefile been cleared on shut down. When examining a Windows system that was part of a legal hold (an order was given to not delete any data), it can be very important to determine if the user may have cleared the Recycle Bin, or if the system was set to have deleted files automatically bypass the Recycle Bin. The use of application prefetching, which is enabled by default on workstation versions of Windows (but not server versions, such as Windows 2008 R2), can provide valuable clues during intrusion and malware discovery cases.
These are just a few examples; there are a number of other Registry keys and values that can have a significant impact (possibly even detrimental) on what an analyst sees during disk and file system analysis. Some of these values do not actually exist within the Registry by default and have to be added (usually in accordance with a Microsoft (MS) Knowledge Base (KB) article) in order to affect the system. At the very least, understanding these settings and how they affect the overall system can add context to what the analyst observes in other areas of their examination.
Registry Values and System Behavior
The Windows Registry contains a number of values that significantly impact system behavior. For example, an analyst may receive an image for analysis and determine that the Prefetch directory contains no Prefetch (∗.pf) files. Registry values of interest in such a case would include those that identify the operating system and version; by default, Windows XP, Vista, and Windows 7 will perform application prefetching (and generate ∗.pf files); however, Windows 2003 does not perform application prefetching (although it can be configured to do so) by default. The Prefetcher itself can also be disabled, per MS KB article 307498 (found online at http://support.microsoft.com/kb/307498). This same value can be used to enable or disable application prefetching.
The purposes of this book are to draw back the veil of mystery that has been laid over the Registry, and to illustrate just how valuable a forensic resource, the Registry, can really be during malware, intrusion, or data breach examinations, to name just a few. The Windows Registry contains a great deal of information that can provide significant context to a wide range of investigations. Not only that, but there are also a number of keys and values, as we’ll discuss later in this book, in which information persists beyond that deletion or removal of applications and files. That’s right
if a user accesses a file or installs and runs an application, the indications of these actions (and others) will remain long after the file or application has been removed and is no longer available. This is due to the fact that much of the “tracking” that occurs on Windows systems is a function of the operating system, of the environment, or ecosystem in which the application or user functions. As such, much of this activity occurs without the express knowledge of the user or application
it just happens. Understanding this, as well as understanding its limitations, can open up new vistas (no pun intended) of data to an analyst.

Core Analysis Concepts

Before we begin discussing the Windows Registry analysis specifically, there are several core analysis concepts that need to be addressed as they are pertinent to examinations as a whole. Keeping these concepts in mind can be extremely beneficial when performing digital analysis in general.

Locard’s Exchange Principle

Dr. Edmund Locard was a French scientist who formulated the basic forensic principle that every contact leaves a trace. This means that in the physical world, when two objects come into contact, some material is transferred from one to the other, and vice versa. We can see this demonstrated all around us, every day
let’s say you get a little too close to a concrete stanchion while trying to parallel park your car. As the car scrapes along the stanchion, paint from the car body is left on the stanchion and concrete, and paint from the stanchion becomes embedded in the scrapes on the car.
Interestingly enough, the same holds true in the digital world. When malware infects a system, there is usually some means by which it arrives on the system, such as a browser “drive-by” infection, via a network share, USB thumb drive, or an e-mail attachment. When an intruder accesses a system, there is some artifact such as a network connection or activity on the target system and the target system will contain some information about the system from which the intruder originated. Some of this information may be extremely volatile, meaning that it only remains visible to the operating system (and hence, an analyst) for a short period of time. However, remnants of that artifact may persist for a considerable amount of time.
Everything Leaves a Trace
Any interaction with a Windows system, particularly through the Windows Explorer graphical interface, will leave a trace. These indications are not always in the Registry, and...

Inhaltsverzeichnis