
Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry PDF

225 Pages·2011·3.61 MB·english

Preview Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry

Windows Registry Forensics
Advanced Digital Forensic Analysis of the Windows Registry

Harlan Carvey
Dave Hull, Technical Editor

AMSTERDAM • BOSTON • HEIDELBERG • LONDON • NEW YORK • OXFORD • PARIS • SAN DIEGO • SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO

Syngress is an imprint of Elsevier

Acquiring Editor: Angelina Ward
Development Editor: Heather Scherer
Project Manager: Danielle S. Miller
Designer: Kristen Davis

Syngress is an imprint of Elsevier
30 Corporate Drive, Suite 400, Burlington, MA 01803, USA

© 2011 Elsevier, Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher's permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

Library of Congress Cataloging-in-Publication Data
Carvey, Harlan A.
Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry / Harlan Carvey.
p. cm.
Includes bibliographical references.
ISBN 978-1-59749-580-6 (pbk.)
1. Microsoft Windows (Computer file) 2. Operating systems (Computers) 3. Computer crimes—Investigation—Methodology. 4. Computer networks—Security measures. 5. Computer security. 6. Component software. I. Title.
HV8079.C65C373 2011
363.25'62—dc22
2010043198

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.

ISBN: 978-1-59749-580-6

Printed in the United States of America
10 11 12 13 14    10 9 8 7 6 5 4 3 2 1

Typeset by: diacriTech, Chennai, India

For information on all Syngress publications visit our website at www.syngress.com

Dedication
To Terri and Kylie; you are my light and my foundation.

Contents

Preface ... ix
Acknowledgments ... xv
About the Author ... xvii

Chapter 1 Registry Analysis ... 1
  Introduction ... 1
  What Is "Registry Analysis"? ... 3
  What Is the Windows Registry? ... 14
  Registry Structure ... 23
  Summary ... 32
  Frequently Asked Questions ... 32
  References ... 33

Chapter 2 Tools ... 35
  Introduction ... 35
  Live Analysis ... 36
  Summary ... 80
  Frequently Asked Questions ... 81
  References ... 82

Chapter 3 Case Studies: The System ... 85
  Introduction ... 85
  Security and SAM Hives ... 86
  System Hive ... 102
  Software Hive ... 124
  BCD Hive ... 150
  Summary ... 152
  Frequently Asked Questions ... 153
  References ... 155

Chapter 4 Case Studies: Tracking User Activity ... 159
  Introduction ... 159
  Tracking User Activity ... 161
  Scenarios ... 195
  Summary ... 201
  References ... 201

Index ... 203

Preface

I am not an expert. I have never claimed to be an expert at anything (at least not seriously done so), least of all an expert in forensic analysis. I am not an expert in Windows Registry analysis. I am simply, by profession, a responder and analyst with some work and research experience in this area. I have also performed a number of analysis engagements, in which information found as part of Registry analysis has played a rather significant role. In one such engagement, Registry analysis allowed me to provide a compelling argument to demonstrate that files known to contain credit card data had been neither found nor accessed by an intruder, thereby reducing the subsequent costs (with respect to notification and fines) to the customer. I have assisted with providing information to demonstrate that certain user accounts had been used to access certain files. More importantly, I have worked through the process of sharing what I have seen with others, by writing this book and sharing what I've observed from a practitioner's perspective. I am not an expert.

When I sat down to write this book, I did so because even in the year 2010, I am amazed at the number of analysts with whom I speak that have no apparent idea of the forensic value of the Windows Registry. Sometimes, when I talk to someone about demonstrating that a user account was used to view files, I get a blank stare. Or after talking about tracking USB devices across systems and no one asks any questions, I get approached by a dozen of the folks from the presentation, between the podium and my exit. It seems that, in many instances, the "abandon hope, all ye who enter here" warning that Microsoft displays on its knowledge base articles regarding the Registry really does a good job . . . of keeping the good guys out, as well as from "digging" or investigating. Sadly, there's nothing in that admonition that states, "oh, yeah . . . the bad guys are all up in yer Registry!" As a result, many analysts are consistently behind the power curve, learning from the bad guys the new uses for the Registry (persistence, data and executable storage, and so on), often months after they have been established and used.

Windows systems make use of a number of different file types that provide a great deal of value to incident responders and forensic analysts alike, and the Registry is only one of them. Quite a few file types include embedded time stamps that can be used to add significant detail to time lines and may include other valuable information. I chose to focus on the Registry because of the sheer wealth of information available, if you know where to look and you're willing to do so. To make it easier for me to do this,
