FINDING FORENSIC ARTIFACTS FROM WINDOW REGISTRY
Submitted by: Priyank Dixit 9911103511
Under the guidance of
Ms. Anuradha Gupta
June – 2015
Submitted in partial fulfillment of the Degree of
Bachelor of Technology
In
Computer Science Engineering
DEPARTMENT OF COMPUTER SCIENCE & ENGINEERING
JAYPEE INSTITUTE OF INFORMATION TECHNOLOGY, NOIDA
TABLE OF CONTENTS
Chapter No. / Topics / Page No.
Student Declaration II
Certificate from the Supervisor III
Acknowledgement IV
Summary (Not more than 250 words) V
Chapter-1 Introduction
1.1 General Introduction
1.2 List some relevant current/open problems
1.3 Problem Statement
1.4 Overview of proposed solution approach and Novelty/benefits
Chapter-2 Background Study
2.1 Literature Survey
2.1.1 Summary of papers
2.1.2 Integrated summary of the literature studied
2.2 Details of Empirical Study (Field Survey, Existing Tool Survey, Experimental Study)
Chapter-3 Analysis, Design and Modeling
3.1 Requirements Specifications
3.2 Design Documentation
3.2.1 Control Flow Diagrams
3.2.2 Sequence Diagram/Activity diagrams
Chapter-4 Implementation and Testing
4.1 Implementation details and issues
Chapter-5 Testing
5.1 Testing Plan
5.2 Limitations of the solution
Chapter-6 Findings & Conclusion
6.1 Findings
6.2 Conclusion
6.3 Future Work
References (ACM Format, listed alphabetically)
DECLARATION
I hereby declare that this submission is my own work and that, to the best of my knowledge and
belief, it contains no material previously published or written by another person nor material which
has been accepted for the award of any other degree or diploma of the university or other institute of
higher learning, except where due acknowledgment has been made in the text.
Place: Noida
Date: 02-06-2015
Sign:
Name: Priyank Dixit
Enroll. No: 9911103511
CERTIFICATE
This is to certify that the work titled “Finding Forensic Artifacts From Windows Registry”
submitted by “Priyank Dixit” in partial fulfillment for the award of degree of B.Tech of Jaypee
Institute of Information Technology University, Noida has been carried out under my supervision.
This work has not been submitted partially or wholly to any other University or Institute for the
award of this or any other degree or diploma.
Signature of Supervisor: ……………………..
Name of Supervisor: Ms Anuradha Gupta
Designation: Assistant Professor
Date: 02-06-15
ACKNOWLEDGEMENT
I have put a great deal of effort into this project. However, it would not have been possible without the kind
support and help of many individuals and the institute. I would like to extend my sincere thanks to
all of them.
I am highly indebted to Ms Anuradha Gupta for her guidance and constant supervision, for providing
the necessary information regarding the project, and for her support in completing the project.
I would like to express my gratitude towards my parents and the faculty members of the institute for their
kind co-operation and encouragement, which helped me complete this project.
My thanks and appreciation also go to my colleagues who helped in developing the project and to the people
who have willingly helped me with their abilities.
Signature of the Student:
Name of Student: Priyank Dixit
Enrollment Number: 9911103511
Date: 02-06-2015
SUMMARY
My research work is "Finding Forensic Artifacts From Windows Registry". To accomplish this task I studied
various research papers thoroughly and implemented several aspects of them, and I manually visited all the
registry hives and their respective registry keys. Each registry key contains registry values; making
changes to these values and keys using Registry Editor changes the configuration that a particular value
controls. Registry Editor is the face of the registry and is the way to view and change it. Technically, the
registry is the collective name for the various database files located within the Windows installation
directory. The Windows Registry is accessed and configured using the Registry Editor program, a free
registry editing utility included with every version of Microsoft Windows. Basically, I work on finding
artifacts (something observed in a scientific investigation or experiment that is not naturally present but
occurs as a result of the investigative procedure) in the registry. I work on finding artifacts of USB
devices and of unauthorized access, on seeing which files or videos have been downloaded to my system, and
on extracting information about the current user, the machine's name, the home path, the user's e-mail
address, etc. I also extract MRU (most recent user) information for the system, the Last Write Time of a
particular USB device, and when it was first installed on my system. The registry contains an ample amount
of information which can be used for Digital Forensic Investigation.
Signature of Student:
Name: Priyank Dixit
Date: 02-06-15
Signature of Supervisor:
Name: Ms. Anuradha Gupta
Date: 02-06-15
INTRODUCTION
1.1 General Introduction
The Windows Registry is a hierarchical database that stores configuration settings and options on
Microsoft Windows operating systems. It contains settings for low-level operating system
components and for applications running on the platform that have opted to use the registry. The
kernel, device drivers, services, SAM, user interface and third party applications can all make use of
the registry. The registry also provides a means to access counters for profiling system performance.
It is a database in Windows that contains important information about the system hardware, the installed
programs and their settings, and the profiles of each of the user accounts on the computer. We should not
make manual changes to the Registry, because programs and applications typically make all the necessary
changes automatically.
STRUCTURE:
The registry contains two basic elements: keys and values. Registry keys are container objects
similar to folders. Registry values are non-container objects similar to files. Keys may contain
values or further keys. Keys are referenced with a syntax similar to Windows path names, using
backslashes to indicate levels of hierarchy. Key names are case-insensitive and must not contain
backslashes.
There are seven predefined root keys, traditionally named according to their constant handles
defined in the Win32 API, or by synonymous abbreviations (depending on applications):
HKEY_LOCAL_MACHINE or HKLM
HKEY_CURRENT_CONFIG or HKCC (only in Windows 9x and NT)
HKEY_CLASSES_ROOT or HKCR
HKEY_CURRENT_USER or HKCU
HKEY_USERS or HKU
HKEY_PERFORMANCE_DATA (only in Windows NT, but invisible in the Windows Registry Editor)
HKEY_DYN_DATA (only in Windows 9x, and visible in the Windows Registry Editor)
1.2 List some relevant current/open problems
The major concern is that whenever a storage device is attached to a USB port on a system running
Windows XP, the built-in drivers collect information from the device and then use that information to
create a profile of identifiers (artefacts). These identifiers end up in different locations on the system
and tend to persist after shutdown, which means they can give an intruder a lot of crucial information.
USB ports, as well as other ports that permit attaching a removable storage device, can act as a
promising means to steal classified information, and there is the problem of the footprints left on the
system and in the Registry when a USB device is connected. Further studies reveal that if access control
for USB devices is not implemented in the Kernel, it can easily be bypassed by malicious programs.
Moreover, the Registry contains an ample amount of information and has some hotspot areas which can be
used by a forensic analyst, or by intruders to do something unusual. All these scenarios are sufficient to
explain how crucial the study of USB is in today's world of cyber crime.
1.3 Problem statement
When any storage device is attached to a USB port on a system running Windows XP, the built-in
drivers collect information from the device and then use that information to create a profile of
identifiers (artefacts). These identifiers end up in different locations on the system and tend to
persist even after shutdown. Moreover, if access control for USB devices is not implemented in the
Kernel, it can easily be bypassed by a malicious program. We also have problems regarding various hot
spots in the Registry, which can be the pathway to intrusions. Finally, we have some hot-spot areas
which are very crucial for forensic analysis, viz. the timezone information, the last time the system
was shut down, etc.
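As an added example (not code from the report), the following Python decodes the two timestamps this section calls crucial, the last shutdown time and a registry key's Last Write Time, both of which Windows stores as 64-bit FILETIME values, and converts them to the machine's local time using the ActiveTimeBias from the TimeZoneInformation key. The key and value names are assumed from Windows convention rather than taken from the page, and the sample values are constructed.

```python
# Added example, not code from the report: decode the two registry timestamps
# named above, the last shutdown time and a key's Last Write Time, and express
# them in the suspect machine's local time using the stored time zone bias.
# Assumed locations (Windows convention, not stated on the page):
#   HKLM\SYSTEM\CurrentControlSet\Control\Windows, value ShutdownTime (REG_BINARY FILETIME)
#   HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation, value ActiveTimeBias (REG_DWORD, minutes)
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC;
# registry key Last Write Times use the same encoding.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME (as stored in REG_BINARY) to UTC."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def utc_to_filetime(when: datetime) -> bytes:
    """Inverse of filetime_to_utc, used here only to build the sample value."""
    ticks = (when - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    return struct.pack("<Q", ticks)


def bias_to_tz(active_time_bias: int) -> timezone:
    """ActiveTimeBias is a DWORD holding minutes with UTC = local + bias, so
    zones east of Greenwich appear as large unsigned (really negative) values."""
    if active_time_bias >= 1 << 31:
        active_time_bias -= 1 << 32
    return timezone(timedelta(minutes=-active_time_bias))


def to_local(raw_filetime: bytes, active_time_bias: int) -> datetime:
    """Registry FILETIME in the local time the machine's user would have seen."""
    return filetime_to_utc(raw_filetime).astimezone(bias_to_tz(active_time_bias))


# Constructed sample values (not taken from a real machine): a ShutdownTime of
# 2015-06-02 10:30:00 UTC and an ActiveTimeBias of -330 minutes (UTC+05:30),
# stored the way an unsigned DWORD would hold it.
SAMPLE_SHUTDOWN = utc_to_filetime(datetime(2015, 6, 2, 10, 30, tzinfo=timezone.utc))
SAMPLE_BIAS = (-330) & 0xFFFFFFFF

if __name__ == "__main__":
    print("ShutdownTime UTC:  ", filetime_to_utc(SAMPLE_SHUTDOWN).isoformat())
    print("ShutdownTime local:", to_local(SAMPLE_SHUTDOWN, SAMPLE_BIAS).isoformat())
```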
1.4 Overview of proposed solution approach and Novelty/benefits
Prior research in this field only shows that USB is an ample source of forensic information, but by
analyzing these papers I came to know about the concept of the Vendor Code, Product Code and Revision
Code; these three together constitute the Device Instance ID, which is unique to every user. I plan to
analyze USB devices from this perspective, physically accessing the different locations in the Registry
which are crucial regarding USB. Prior research merely talks about USB installation and where a device is
installed, but here I analyse not only the installation location but also the location of the Device
Instance ID, and I also cover the concepts of Vendor ID and Product ID in detail. Prior research also
lacks the concept of driver models for USB; I also came to know about the concept of filter drivers and
how access control for USB can be done in the Kernel, which is a much safer mode, and about the
timezone information and last shutdown time information which were lacking in prior research.
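As an added example (not the report's own code), here is a Python parser for the USBSTOR and USB Enum key names in which the Vendor Code, Product Code, Revision Code and Device Instance ID described above appear. It goes one step beyond the text by flagging instance IDs that Windows generated itself because the device reported no serial number, which are not traceable across machines. The key layout is assumed from Windows convention rather than taken from the page, and the sample key names are constructed.

```python
# Added example, not code from the report: parse the artefact key names that
# Windows XP creates under the SYSTEM hive when a USB storage device is plugged in.
# Assumed locations (Windows convention, not stated on the page):
#   HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<instance id>
#   HKLM\SYSTEM\CurrentControlSet\Enum\USB\VID_<vid>&PID_<pid>\<instance id>
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

USBSTOR_RE = re.compile(
    r"^(?P<cls>[^&]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>[^&]*)$", re.I)
VID_PID_RE = re.compile(r"^VID_(?P<vid>[0-9a-f]{4})&PID_(?P<pid>[0-9a-f]{4})$", re.I)


@dataclass
class UsbStorDevice:
    device_class: str      # e.g. Disk
    vendor: str            # Vendor Code
    product: str           # Product Code
    revision: str          # Revision Code
    instance_id: str       # Device Instance ID subkey name
    serial: Optional[str]  # None when Windows generated the id itself


def parse_usbstor(device_key: str, instance_key: str) -> UsbStorDevice:
    """Split a USBSTOR device key and its instance subkey into the identifiers
    the report calls Vendor Code, Product Code and Revision Code."""
    m = USBSTOR_RE.match(device_key)
    if not m:
        raise ValueError(f"not a USBSTOR device key: {device_key!r}")
    # If the second character of the instance id is '&', the device reported no
    # serial number and Windows synthesised the id; it then differs per host,
    # so only ids carrying a real serial are traceable across machines.
    generated = len(instance_key) > 1 and instance_key[1] == "&"
    serial = None if generated else instance_key.split("&")[0]
    return UsbStorDevice(m["cls"], m["ven"], m["prod"], m["rev"], instance_key, serial)


def parse_vid_pid(usb_key: str) -> Tuple[int, int]:
    """Vendor id and product id from a subkey name under the Enum USB branch."""
    m = VID_PID_RE.match(usb_key)
    if not m:
        raise ValueError(f"not a VID/PID key: {usb_key!r}")
    return int(m["vid"], 16), int(m["pid"], 16)


def traceable_devices(entries: List[Tuple[str, str]]) -> List[UsbStorDevice]:
    """Keep only devices whose instance id carries the device's own serial."""
    return [d for d in (parse_usbstor(k, i) for k, i in entries) if d.serial]


# Constructed sample key names (not taken from a real machine).
SAMPLE_USBSTOR = [
    ("Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00", "4C530001230519112345&0"),
    ("Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07", "7&2a1b3c4d&0&000000"),
]
SAMPLE_USB_KEY = "VID_1234&PID_5678"

if __name__ == "__main__":
    for dev in (parse_usbstor(k, i) for k, i in SAMPLE_USBSTOR):
        print(dev)
    print(parse_vid_pid(SAMPLE_USB_KEY))
```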
2. Background Study
2.1 Literature Survey
I studied various research papers thoroughly, visited various sites to gain knowledge of the registry,
studied remote access technology, and read two or three books to build a good understanding of the
research area. I also watched various videos on the Registry, read research papers and related
journals, and explored further information on the Internet, using it to find artifacts.
2.1.1 Summary of relevant papers with following details
Paper 1: Tracing USB device artefacts on Windows XP Operating System for forensic purpose
Authors: Victor Chileshe Cho
Year of publication: 2007
Publishing details: Edith Cowan University
Summary
On a Windows system, several identifiers are created when a USB device is plugged into a Universal
Serial Bus port. Some of these artefacts or identifiers are unique to the device and consistent across
different Windows platforms. Another key factor that makes these identifiers forensically important
is that they are traceable even after the system has been shut down. This paper basically deals with
the different artefacts of USB devices. Moreover, it also explains that the Vendor Code, Product Code
and Revision Code together constitute the Device Instance ID. The paper also states that the Registry
stores information that ensures the proper USB device drivers are loaded and the services required by
applications are made available, and it also discusses Windows log files.
Paper 2: Research & application of USB filter driver based on Windows Kernel
Authors: Shaobo Li, Xiaohui Jia, Shulin Lv
Year of publication: 2012
Publishing details: Guizhon University, Guiyang, China
Summary
This paper introduces the WDM driver model and analyzes in depth the communication principle of USB
devices and the IRP packet interception technique based on a USB filter driver. The paper states that
if the access-control function for USB storage devices is implemented in the Kernel, it cannot easily
be bypassed by a malicious program; the safety and reliability of a USB filter driver based on the
Windows Kernel is much higher. As soon as a USB storage device is inserted into the computer, the
system enumerates a USB PDO, and then a driver called USBSTOR is loaded on top of the PDO as the FDO.
USBSTOR also creates a physical device object above which a disk driver is mounted, and the partition
driver is mounted on top of that in turn.
Web link: http://googlescholar.com
Paper 3: Initial Case Analysis using Windows Registry in Computer Forensics
(xvii) To find information about Real VNC (virtual network computing) and about vnc mirror, we can
follow a particular path in the registry. We can also find the image path information here:
HKLM\SYSTEM\CurrentControlSet\Services\vncmirror
Here, the most important thing I saw was that, after the uninstallation of VNC from my system, this
path no longer shows me the image path, whereas all the other services under the Services key still
show it. This is a clear indication that someone physically accessed my system and uninstalled Real
VNC.
(xviii) To find information about the installation of VNC software, we can follow a particular path
in the registry:
HKLM\SOFTWARE\RealVNC
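As an added example (not from the report), a small Python parser for a Registry Editor (.reg) export that performs the check described above across every service key at once: it lists the Services subkeys that carry no ImagePath value, the condition the text observed for vncmirror. The export text is constructed for illustration; only the key paths follow the page, and the value data are invented.

```python
# Added example, not code from the report: parse a Registry Editor (.reg)
# export of the Services branch and flag service keys that carry no ImagePath.
# The export below is constructed for illustration; the key paths follow the
# page, the value data are invented.
from typing import Dict, List

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Start"=dword:00000002
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,\
  73,00,70,00,6f,00,6f,00,6c,00,73,00,76,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vncmirror]
"Start"=dword:00000003
"DisplayName"="vncmirror"
'''


def _decode(data: str):
    """Turn one .reg value literal into a Python value."""
    data = data.strip()
    if data.startswith('"') and data.endswith('"'):          # REG_SZ
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.startswith("dword:"):                            # REG_DWORD
        return int(data[len("dword:"):], 16)
    if data.startswith(("hex:", "hex(2):")):                 # REG_BINARY / REG_EXPAND_SZ
        raw = bytes(int(b, 16) for b in data.split(":", 1)[1].split(",") if b)
        return raw.decode("utf-16-le").rstrip("\x00") if data.startswith("hex(2):") else raw
    return data


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Map each [key path] in the export to its value-name -> value dictionary."""
    keys: Dict[str, Dict[str, object]] = {}
    current, pending = None, ""
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ""
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif line.endswith("\\"):            # hex data continues on the next line
            pending = line[:-1]
        elif current is not None:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = _decode(data)
    return keys


def services_without_imagepath(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """A registered service with no ImagePath cannot start; such a leftover
    subkey points at a removed or tampered program and deserves a closer look."""
    return [path.rsplit("\\", 1)[1] for path, values in keys.items()
            if "\\Services\\" in path and "ImagePath" not in values]
```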
6.1.2 Conclusions
The majority of recovered artifacts were discovered in RAM, slack/free space, and FTK [Orphan]
directories. That being said, there was still enough information to provide useful details about the
user(s). Another commonality between the browsers is the information contained within the System
Volume Information. For example, one study stated that it would be impossible to trace residual
information, other than USB identifiers, if the portable storage device was not accessible to the
investigator. Our research clearly shows that further data can still be recovered on host machines
without the portable storage device being present. Overall, our research is a valuable resource
pertaining to private and portable web browsing artifacts.
Forensic investigations play a significant role in today's working and legal environment, and thus
they should be carefully considered. The evidence provided in the registry is the most significant
source of any investigation. The actions performed on the computer give the examiner an insight into
the system. Thus, a careful analysis of the Windows system Registry from a forensic point of view is
the need of the hour and a hot area of research in the present scenario. The study gathered and
verified the existing knowledge about the registry hive files. It also revealed the importance of
registry analysis by demonstrating how it can help an investigator progress in a case of tracking data
transfer from a system to an external USB device. The main aim is to trace the registry artifacts left
by the attacker in the Windows Registry. The study further exhibits the importance of registry analysis
by demonstrating the computer artifacts left by VNC activities. Here, we expect this work could
contribute to understanding the characteristics of VNC and the Windows 7 OS as a part of digital
forensic investigation.
In further studies, a method of extracting Windows registry information from physical memory has been
proposed, which has proved effective in extracting hive files from memory dumps imaged from Windows
XP, Windows Vista and Windows 7. How to make use of the registry data in memory is also given.
Finally, we can say that the Windows registry is a database implemented in the Microsoft Windows OS to
hold the settings and configuration of the system hardware, applications and user profiles. It is
generally accepted that the Windows Registry holds several potentially significant elements of
information that may be valuable to forensic investigators. Unique identifiers should be noted to be
persistent across the identified platforms. The findings raise some interesting issues: for example,
an administrator can determine information about the known, authorized devices that have been attached
to the system, and from this information can determine whether any unauthorized USB-based storage
device has been installed on the respective machine. The study also reveals that the driver layer
model can meet the requirements of the majority of enterprise units for the security control of USB
devices. Furthermore, the key functions for monitoring USB storage devices are all implemented in the
driver layer. It is located at the Kernel level, so it can control USB storage devices preferentially.
In final words, we can say that an analyst must train himself to have knowledge of the Windows system
and the Windows registry in order to prove the authenticity of all his activities.
6.1.3 Future Works
Future work may include further RAM experiments, and more efficient methods to extract information
over an extended period of time instead of one controlled browsing session. Through the detailed
analysis of the registry hive files, the activities of a system user can be traced. Hence registry
analysis should be carried out as an integral part of the digital forensic investigation process.
Future work can be extended to a comparison of registry and log files. Moreover, more detailed
information can be extracted from the Windows registry as forensic evidence, which needs to be done in
future. We can also work on the crucial areas where a lot of information resides, on USB devices, and
on how to track data theft through them. In future we can also emphasise remote access technology, how
to get more information about the attacker, and how to trace the particular artifacts of physical
access to the machine from the registry. Studies can also be set in directions such as why the in-built
drivers failed when a particular USB device was installed; the study of the different identifiers and
the locations they end up in, tracing the particular identifiers which remain even after the system has
been shut down; and studying the communication principle of USB devices through the WDM driver model,
USB filter drivers, and the Kernel with respect to USB. The Windows registry can be viewed as a gold
mine for forensic investigation which could be used in courts. In final words, we can say that
correlating our artefacts (findings) with timezone information is the need of the hour, and a proper
correlation between the two can put many intruders behind bars.
References
1. Carvey, H., The Windows registry as a forensic resource, Digital Investigation, vol. 2(3), pp. 201–205, Elsevier, 2005.
2. Chang, K., Kim, G., Kim, K. and Kim, W., Initial Case Analysis Using Windows Registry in Computer Forensics, Future Generation Communication and Networking, Volume 1, 6-8 Dec. 2007, pp. 564–569. [Online] DOI: 10.1109/FGCN.2007.151
3. Dashora, K., Tomar, D. S. and Rana, J. L., A Practical Approach for Evidence Gathering in Windows Environment, International Journal of Computer Applications, Volume 5(10), August 2010.
4. Farmer, D. J., A Forensic Analysis of Windows Registry, Available online from http://forensicfocus.com/downloads/windows-registryquick-reference.pdf, 2007.
5. Farmer, D. J., A Windows Registry Quick Reference: for the Everyday Examiner, Available online from http://eptuners.com/forensics/contents/A_Forensic_Examination_of_the_Windows_Registry.pdf, 2009.
6. Kim, Y. and Hong, D., Windows Registry and Hiding Suspects' Secret in Registry, In the Proceedings of the 2008 International.
7. www.wikipedia.com
8. Harlan, C., "The Windows Registry as a forensic resource", Digital Investigation, Vol 2, pp. 201-205, 2005.
9. Timothy D. Morgan, "Recovering Deleted Data From the Windows Registry", Digital Investigation, pp. 33-41, 2008.
10. Dolan-Gavitt, B., "Forensic Analysis of the Windows Registry in Memory", Digital Investigation, 5(Supplement 1), pp. 26-32, 2008.
11. Winhelponline (2007). Determining the "Last Write Time" of a registry key?