CSN11121/CSN11122 System Administration and Forensics: Windows Registry & Timeline

r.ludwiniak@napier.ac.uk
Dec 14, 2015
Page 1

CSN11121/CSN11122 System Administration and Forensics

Windows Registry & Timeline

r.ludwiniak@napier.ac.uk

Page 2

Lecture Objectives

1. Windows Registry
   – Structure
   – Properties
   – Examples

2. Timeline Analysis
   – Time Zones
   – Case Study

Page 3

The Registry

Page 4

Road to Central Depository

• DOS – config.sys & autoexec.bat
• Windows 3.0 – INI files
• Windows 3.1 – start of the idea of a central repository
• Windows 95 and beyond – establishment and expansion of the registry

Page 5

Understanding the Windows Registry

• Registry – a database that stores hardware and software configuration information, network connections, user preferences, and setup information
• For investigative purposes, the Registry can contain valuable evidence
• To view the Registry, you can use:
  – Regedit (Registry Editor) program for Windows 9x systems
  – Regedt32 for Windows 2000 and XP

Page 6

Organisation and Terminology

• At the physical level
  – Files called hives
  – Located in: %SYSTEMROOT%\System32\config
• Keys (analogous to folders)
• Values (analogous to files)
• Hierarchy:
  – Hives
  – Keys
  – Values

Page 7

Hives

Page 8

Key

Value

Page 9

Hive Properties

• HKEY_USERS – all loaded user data
• HKEY_CURRENT_USER – currently logged on user (NTUSER.DAT)
• HKEY_LOCAL_MACHINE – array of software and hardware settings
• HKEY_CURRENT_CONFIG – hardware and software settings at startup
• HKEY_CLASSES_ROOT – contains information about which application is to be used to open files

Page 10

Registry File Locations and Purposes

Page 11

Windows 7 Root Keys

Page 12

Registry: A Wealth of Information

Information that can be recovered includes:
– System configuration
– Devices on the system
– User names
– Personal settings and browser preferences
– Web browsing activity
– Files opened
– Programs executed
– Passwords

Page 13

Forensic Analysis - Hardware

Page 14

Page 15

Forensic Analysis – User ID

• SID (security identifier)
  – Well-known SIDs
    • SID: S-1-0 Name: Null Authority
    • SID: S-1-5-2 Name: Network
  – S-1-5-21-2553256115-2633344321-4076599324-1006
    • S – the string is a SID
    • 1 – revision number
    • 5 – authority level (from 0 to 5)
    • 21-2553256115-2633344321-4076599324 – domain or local computer identifier
    • 1006 – RID (relative identifier)
• Local SAM resolves SIDs for locally authenticated users (not domain users)
  – Use the recycle bin to check for owners

Page 16

Forensic Analysis - Software

Page 17

Windows Security and Relative ID

• The Windows Registry uses an alphanumeric combination to uniquely identify a security principal or security group.
• The Security ID (SID) is used to identify the computer system.
• The Relative ID (RID) is used to identify the specific user on the computer system.
• The SID appears as:
  – S-1-5-21-927890586-3685698554-67682326-1005
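The SID breakdown from the previous two slides, as an added example that is not part of the lecture: a small Python parser for the string form shown on the slides and for the binary form in which SIDs are stored inside the SAM and SECURITY hives. The binary layout (revision byte, sub-authority count byte, 6-byte big-endian identifier authority, then little-endian 32-bit sub-authorities) is the documented Windows format; the well-known names for S-1-5-18/19/20 and for RIDs 500 and 501 are standard Windows values added here, alongside the two well-known SIDs the slide lists.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# Well-known SIDs: the two from the slide plus Local System / Local Service / Network Service.
WELL_KNOWN_SIDS = {
    "S-1-0": "Null Authority",
    "S-1-5-2": "Network",
    "S-1-5-18": "Local System",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
}

# Well-known relative identifiers inside a machine or domain SID.
# RIDs of 1000 and above are accounts created after installation.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}


@dataclass
class SID:
    revision: int
    authority: int
    subauthorities: List[int] = field(default_factory=list)

    def __str__(self) -> str:
        return "S-%d-%d" % (self.revision, self.authority) + "".join(
            "-%d" % s for s in self.subauthorities)

    @property
    def rid(self) -> Optional[int]:
        # For account SIDs (S-1-5-21-...-RID) the last sub-authority is the RID.
        return self.subauthorities[-1] if self.subauthorities else None

    @property
    def domain_identifier(self) -> Optional[str]:
        # Everything before the RID identifies the issuing domain or local machine.
        if self.authority == 5 and len(self.subauthorities) >= 5 and self.subauthorities[0] == 21:
            return str(SID(self.revision, self.authority, self.subauthorities[:-1]))
        return None


def parse_sid_string(text: str) -> SID:
    """Parse the textual form, e.g. S-1-5-21-2553256115-2633344321-4076599324-1006."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID: %r" % text)
    numbers = [int(p) for p in parts[1:]]
    return SID(numbers[0], numbers[1], numbers[2:])


def parse_binary_sid(raw: bytes) -> SID:
    """Parse the binary form found in registry values (SAM, SECURITY, ProfileList data)."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    if len(raw) < 8 + 4 * count:
        raise ValueError("truncated SID: header promises %d sub-authorities" % count)
    subs = list(struct.unpack("<%dI" % count, raw[8:8 + 4 * count]))
    return SID(revision, authority, subs)


def encode_binary_sid(sid: SID) -> bytes:
    """Inverse of parse_binary_sid, useful for building test data and carving patterns."""
    return (bytes([sid.revision, len(sid.subauthorities)])
            + sid.authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(sid.subauthorities), *sid.subauthorities))


def describe(sid: SID) -> str:
    """Human-readable interpretation, the way an examiner would annotate it in a report."""
    text = str(sid)
    if text in WELL_KNOWN_SIDS:
        return "%s = %s (well-known)" % (text, WELL_KNOWN_SIDS[text])
    domain = sid.domain_identifier
    if domain is None:
        return "%s = (unrecognised)" % text
    name = WELL_KNOWN_RIDS.get(sid.rid, "user/group RID %d" % sid.rid)
    return "%s = %s on machine/domain %s" % (text, name, domain)


if __name__ == "__main__":
    for s in ("S-1-0", "S-1-5-2", "S-1-5-21-2553256115-2633344321-4076599324-1006"):
        print(describe(parse_sid_string(s)))
```

The binary parser checks the sub-authority count against the buffer length before unpacking, which matters when SIDs are carved from unallocated space or read from a damaged hive rather than handed over by a registry library.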

Page 18

Forensics Analysis - NTUSER.DAT

• Internet Explorer
  – IE auto logon and password
  – IE search terms
  – IE settings
  – Typed URLs
  – Auto-complete passwords

Page 19

Forensics Analysis - NTUSER.DAT: IE Typed URLs

Page 20

Forensic Analysis – MRU List

A "Most Recently Used" list contains entries made due to specific actions performed by the user. There are numerous MRU list locations throughout various Registry keys. These lists are maintained in case the user returns to them in the future. Essentially, their function is similar to how the history and cookies act in a web browser.

Page 21

Forensic Analysis – Last Opened Application in Windows

Page 22

Forensic Analysis – USB Devices

Page 23

Registry Forensics Case Study

(Chad Steel: Windows Forensics, Wiley)

• Department manager alleges that an individual copied confidential information onto DVD
• No DVD burner was issued or found
• Laptop was analysed
• Found USB device entry in registry: PLEXTOR DVDR PX-708A
• Found software key for Nero Burning ROM in registry
• Therefore looked for, and found, Nero compilation files (.nrc)
• Found other compilation files, including ISO image files
• Image files contained DVD-format and AVI-format versions of copyrighted movies
• Conclusion: no evidence that company information was burned to disc; however, the laptop was used to burn copyrighted material and the employee had lied

Page 24

Monitoring the Registry

• The registry is highly complex, and there is no single point of reference
• Experimentation allows you as an investigator to find out for yourself what has occurred
• Real-time experimentation helps with post-mortem analysis
• Regmon (replaced by Procmon) from Microsoft – monitors the registry in real time

Page 25

RegRipper

RegRipper is an open-source application for extracting, correlating, and displaying specific information from Registry hive files from the Windows NT (2000, XP, 2003, Vista and 7) family of operating systems.

Page 26

Date and Time

Page 27

Page 28

System Time

• Determined by booting into the BIOS and comparing it with an external source
  – Radio signal clock or time server
• CMOS clock
  – Complementary Metal Oxide Semiconductor (CMOS) chip
  – Accessed by most operating systems to determine the time

Page 29

Operating System Time

• Is embedded within the file system or high-level file metadata
• Will take into account local time (or not!)
• Can confuse an investigation depending on tool configuration and time zone
• Will ask for the time from the BIOS CMOS

Page 30

Program Time

• Programs will ask for the time from the OS
• They can bypass the OS and ask for the time directly from the BIOS
• It is important to check and understand where a program gets its time details from

Page 31

OS Time – DOS

• MS-DOS time/date format (FAT file system)
• Stored as local time
• Used for MAC information
• 32-bit structure
  – Seconds (5 bits from offset 0)
  – Minutes (6 bits from offset 5)
  – Hours (5 bits from offset 11)
  – Days (5 bits from offset 16)
  – Months (4 bits from offset 21)
  – Years (7 bits from offset 25)
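The bit layout above, decoded and re-encoded in Python as an added example that is not part of the lecture. Two details the slide leaves implicit, both standard FAT behaviour: the 5-bit seconds field counts 2-second units (so odd seconds are lost on encode), and the 7-bit year field counts years since 1980. The sample value in the test is constructed for the example.

```python
from datetime import datetime

# Field layout from the slide as (bit offset, width) within the combined 32-bit value.
# DOS time is the low 16 bits, DOS date the high 16 bits.
DOS_FIELDS = {
    "seconds": (0, 5),    # stored in 2-second units, 0..29
    "minutes": (5, 6),
    "hours":   (11, 5),
    "day":     (16, 5),
    "month":   (21, 4),
    "year":    (25, 7),   # years since 1980
}


def _field(value: int, name: str) -> int:
    offset, width = DOS_FIELDS[name]
    return (value >> offset) & ((1 << width) - 1)


def split_dos_words(value: int):
    """Return (time_word, date_word); on disk FAT keeps them as two 16-bit fields."""
    return value & 0xFFFF, (value >> 16) & 0xFFFF


def decode_dos_datetime(value: int) -> datetime:
    """Decode a combined 32-bit DOS date/time. Result is local time with no zone info."""
    year = 1980 + _field(value, "year")
    month = _field(value, "month")
    day = _field(value, "day")
    hour = _field(value, "hours")
    minute = _field(value, "minutes")
    second = _field(value, "seconds") * 2
    # A zero month or day is not a valid date; datetime() would raise a bare ValueError,
    # so give a message that names the raw value for the examiner's notes.
    if not (1 <= month <= 12 and 1 <= day <= 31 and hour < 24 and minute < 60 and second < 60):
        raise ValueError("invalid DOS timestamp 0x%08X" % value)
    return datetime(year, month, day, hour, minute, second)


def encode_dos_fields(year: int, month: int, day: int,
                      hour: int, minute: int, second: int) -> int:
    """Pack the fields; 1980..2107 is the representable year range."""
    if not 1980 <= year <= 2107:
        raise ValueError("year %d not representable in DOS date" % year)
    return ((second // 2)
            | (minute << 5)
            | (hour << 11)
            | (day << 16)
            | (month << 21)
            | ((year - 1980) << 25))


def encode_dos_datetime(dt: datetime) -> int:
    return encode_dos_fields(dt.year, dt.month, dt.day, dt.hour, dt.minute, dt.second)


if __name__ == "__main__":
    sample = encode_dos_fields(2015, 12, 14, 10, 30, 44)   # constructed sample value
    print("0x%08X -> %s" % (sample, decode_dos_datetime(sample)))
```

Because the value carries no zone, the decoded datetime is whatever the machine that wrote it considered local time; the UTC conversion has to come from elsewhere (for example the TimeZoneInformation key covered later in the lecture).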

Page 32

64 Bit Windows FILETIME

• 64-bit number measuring the number of 100 ns intervals since 00:00:00, 1st January 1601
  – 58,000-year lifetime
• Stored in the MFT – MAC times

Page 33

C/Unix Time

• 32-bit value
• Number of seconds elapsed since the epoch
  – 1st January 1970, 00:00:00 GMT
• Limit
  – Monday, December 2nd, 2030 at 19:42:58 GMT

Page 34

Local and UTC time translation

• Coordinated Universal Time (UTC)
  – Effectively the same as GMT
• Modern operating systems calculate the difference between local time and UTC and store the time/date as UTC

Page 35

Local Time vs UTC

• 00 DB A2 F7 5C B1 C5 01 (local time) – 127703177299680000
• 00 7B B4 7E 7E B1 C5 01 (GMT) – 127703321299680000
• Difference – 144,000,000,000
• Verify:
  – 3,600 s in 1 hour; 14,400 s in 4 hours
  – 100 ns = one ten-millionth of a second
  – 14,400 * 10,000,000 = 144,000,000,000 = 4 hours
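The comparison on this slide, worked in Python as an added example that is not part of the lecture: parse the two 8-byte little-endian dumps, convert a FILETIME to a UTC datetime and to Unix epoch seconds (the constant 11644473600 is the number of seconds between the 1601 and 1970 epochs), and express the difference between the two values in hours.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000          # FILETIME counts 100 ns ticks
UNIX_EPOCH_DIFF_SECONDS = 11_644_473_600  # seconds from 1601-01-01 to 1970-01-01


def filetime_from_hex(dump: str) -> int:
    """Parse the 8 bytes as they appear in a hex dump (little-endian) into an integer."""
    raw = bytes.fromhex(dump.replace(" ", ""))
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes, got %d" % len(raw))
    return int.from_bytes(raw, "little")


def filetime_to_datetime(ft: int) -> datetime:
    """Convert to an aware UTC datetime; sub-microsecond precision is dropped."""
    if ft < 0:
        raise ValueError("FILETIME cannot be negative")
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; the datetime must be timezone-aware."""
    if dt.tzinfo is None:
        raise ValueError("need an aware datetime to avoid guessing the zone")
    delta = dt - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND
            + delta.microseconds * 10)


def filetime_to_unix(ft: int) -> float:
    """Seconds since 1970-01-01 00:00:00 UTC (C/Unix time), fractional part kept."""
    return ft / TICKS_PER_SECOND - UNIX_EPOCH_DIFF_SECONDS


def offset_hours(local_ft: int, utc_ft: int) -> float:
    """Hours between two FILETIME values, positive when utc_ft is later."""
    return (utc_ft - local_ft) / TICKS_PER_SECOND / 3600


if __name__ == "__main__":
    local_ft = filetime_from_hex("00 DB A2 F7 5C B1 C5 01")
    utc_ft = filetime_from_hex("00 7B B4 7E 7E B1 C5 01")
    print(local_ft, filetime_to_datetime(local_ft))
    print(utc_ft, filetime_to_datetime(utc_ft))
    print("offset: %.1f hours" % offset_hours(local_ft, utc_ft))
```

Reading the same eight bytes big-endian gives a completely different, implausibly large number, which is the usual sign that the byte order was mixed up; a sanity check that the decoded year lies within the lifetime of the machine under examination catches this quickly.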

Page 36

Time and the Registry

• ME/XP/Vista/Windows 7 – HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
  – Bias / ActiveTimeBias – amount of time (+ or -) to add to UTC
  – StandardName – time zone

Page 37

GMT

No adjustment required

Page 38

GMT – Daylight Saving

Ahead of GMT – therefore a negative value

Page 39

EST

Page 40

Page 41

Case Study – Time and Tools

Page 42

C. Boyd, P. Forster, "Time and date issues in forensic computing – a case study", Digital Investigation, no. 1, pp. 18–23, 2004

Page 43

Scenario

• Email trace identifies an individual suspected of involvement in communication of child abuse images
• Warrant obtained, and computer equipment seized
• Relatively simple examination:
  – Email traces
  – Identification of child abuse images

Page 44

Scenario

• During examination, the suspect failed to provide an explanation for the images
• The defence employed an expert to comment on the evidence
  – Supplied with the forensic images of the computer
  – Police forensic statement

Page 45

Expert Report

'The defendant's computer [ID number] was used to access the Internet after it was seized and was in police custody. Approximately 750 records of Internet access are time stamped during the six hours or so after the computer was seized.'

'Pages accessed included Hotmail login pages and possible child pornography site. Floppy diskettes were also used.'

'There is substantial evidence that is consistent with the Defendant's computer [ID number] being altered while it was in police custody.'

'However I am sure that there are so many grave problems with this evidence, and with all the computer evidence submitted by the prosecution, that the Court cannot safely rely on it.'

Page 46

What went wrong?

• Did the police frame the suspect?
• Did the examiners commit the sin of booting the system while the machine was in their custody?

Page 47

Tool/Examiner Error

• EnCase v4 was used to extract the time bias
• The system was set to an offset of 0x00001e1 (+480 minutes), i.e. Pacific Standard Time (PST)
• NetAnalysis was used to perform the internet browsing analysis
  – It was not configured with the correct bias
• As a result, it looked as if the files were opened after the system was in custody
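An added Python example, not part of the lecture or the cited paper, that ties together the Bias/ActiveTimeBias values from slide 36, the sign convention from slide 38 and the tool error in this case study. Bias is a REG_DWORD holding minutes, defined by Windows so that UTC = local time + Bias; a zone ahead of GMT therefore has a negative Bias (BST is -60, stored little-endian as C4 FF FF FF) and PST has +480 (0x1E0). The browsing record times and the seizure time below are constructed for the example and are not from the case.

```python
import struct
from datetime import datetime, timedelta, timezone


def bias_from_dword(raw: bytes) -> int:
    """Decode a REG_DWORD Bias/ActiveTimeBias as a signed 32-bit little-endian value.

    Treating it as unsigned turns -60 into 4294967236, a common tooling mistake."""
    if len(raw) != 4:
        raise ValueError("REG_DWORD is 4 bytes, got %d" % len(raw))
    return struct.unpack("<i", raw)[0]


def utc_to_local(utc_dt: datetime, bias_minutes: int) -> datetime:
    """Windows definition: UTC = local + Bias, so local = UTC - Bias."""
    if utc_dt.tzinfo is None:
        raise ValueError("record time must be an aware UTC datetime")
    return utc_dt.astimezone(timezone(timedelta(minutes=-bias_minutes)))


def local_to_utc(naive_local: datetime, bias_minutes: int) -> datetime:
    """Inverse: a naive local time (e.g. from a seizure log) back to aware UTC."""
    return (naive_local + timedelta(minutes=bias_minutes)).replace(tzinfo=timezone.utc)


def records_after_seizure(utc_records, seizure_local: datetime, bias_minutes: int):
    """Return (utc, local) pairs for records that appear to post-date the seizure
    once the given bias is applied. The seizure time is the naive local time
    written in the seizure log, so records are converted to local for comparison."""
    out = []
    for rec in utc_records:
        local = utc_to_local(rec, bias_minutes).replace(tzinfo=None)
        if local > seizure_local:
            out.append((rec, local))
    return out


# Constructed sample data: four browser records stored in UTC (as index.dat
# FILETIMEs are) and a seizure logged at 10:00 local time on the same day.
SAMPLE_RECORDS_UTC = [datetime(2004, 3, 1, h, 0, tzinfo=timezone.utc) for h in (12, 15, 17, 20)]
SEIZURE_LOCAL = datetime(2004, 3, 1, 10, 0)
PST_BIAS = bias_from_dword(bytes.fromhex("e0010000"))   # 480 minutes


def compare_bias(correct_bias: int, applied_bias: int):
    """Number of records that look post-seizure with the real bias versus the
    bias the analysis tool was actually configured with."""
    return (len(records_after_seizure(SAMPLE_RECORDS_UTC, SEIZURE_LOCAL, correct_bias)),
            len(records_after_seizure(SAMPLE_RECORDS_UTC, SEIZURE_LOCAL, applied_bias)))


if __name__ == "__main__":
    real, apparent = compare_bias(PST_BIAS, 0)
    print("records after seizure with bias %d: %d" % (PST_BIAS, real))
    print("records after seizure with bias 0 (misconfigured tool): %d" % apparent)
```

With the system's bias of 480 minutes, a record at 17:00 UTC is 09:00 local and precedes a 10:00 seizure; with the tool left at a bias of 0 the same record displays as 17:00 and appears to post-date it. Checking the bias value actually read from the SYSTEM hive against the tool's configuration, and converting one record by hand as above, is the corroboration step the checklist on the next slide asks for.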

Page 48

Checklist for Date/Time Evidence

• Identify the type of time structure being used to represent local time or UTC

• Look for corroboration in the form of additional times, dates and activities on the computer and away from it

• Test your results using the same operating systems and application versions that are present on the computer being examined

Page 49

Final Thoughts

• Tools being used were easy to access, but highlighted a lack of fundamental knowledge on the part of the examiner

• Experimentation and testing are key to strong investigations