Mastering Windows Network Forensics and Investigation Chapter 9: Registry Evidence

Dec 23, 2015


Kristin Barker
Page 1: Mastering Windows Network Forensics and Investigation Chapter 9: Registry Evidence.

Mastering Windows Network Forensics and Investigation

Chapter 9: Registry Evidence

Page 2

Evidence in Software Key:

• HKLM\SOFTWARE

• %SystemRoot%\system32\config\software

• Installed software

• Other locations for installed software
  – HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
  – HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Page 3

Evidence in Software Key:

• Last Logon
  – HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

• Banners
  – HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Page 4

Action Center & Firewall Settings:

• Action Center
  – Advises the user if the firewall is off, anti-virus is not installed or out of date, or if updates are not turned on or are out of date
  – Settings stored in:
    • HKLM\SOFTWARE\Microsoft\Security Center (Windows XP Security Center)
    OR
    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ActionCenter (Windows 7 Action Center)

Page 5

Windows XP Security Center Settings:

Value                   Data  Description
AntiVirusDisableNotify  0     User will be notified.
                        1     User will not be notified.
FirewallDisableNotify   0     User will be notified.
                        1     User will not be notified.
UpdatesDisableNotify    0     User will be notified.
                        1     User will not be notified.

Page 6

Windows 7 Action Center Settings:

Key Name  Function
100       Virus protection
101       Network firewall
102       Spyware and related protection
103       Windows updates
104       Internet security alerts

Registry Key Prefix  Description
23 00 41 00          Notification Disabled
01 00 00 00          Notification Enabled

Page 7

Security Center & Firewall Settings:

• Windows Firewall
  – Released with XP Service Pack 2
  – Firewall is on by default
  – Powerful logging utility, but it is off by default in Windows XP

• Settings stored in registry
  – HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy

Page 8

Firewall Settings:

• Settings stored in registry
  – Subkey “DomainProfile” for domain
  – Subkey “StandardProfile” for local machine
  – Subkeys under each of the above:
    • “AuthorizedApplications”
    • “GloballyOpenPorts”
  – Subkey under each of the above:
    • “List” – lists settings in plain text

Page 9

Restore Point Registry Hive Files:

• Restore points started with XP / ME

• Snapshot of system files taken every 24 hrs or when software installed, update installed, or when unsigned driver installed – User can create!

• Stored for up to 90 days if disk space available

Page 10

Restore Point Registry Hive Files:

• Settings stored in registry at:
  – HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore

• Restore points stored in
  – C:\System Volume Information\restore{GUID}\RP##
  – ## is the sequential number of the restore point

Page 11

Restore Point Registry Hive Files:

• Registry hive files are stored under the snapshot folder and are renamed (SID below is the user's security identifier)

Hive File Name  Restore Point Hive Filename
SAM             _REGISTRY_MACHINE_SAM
SECURITY        _REGISTRY_MACHINE_SECURITY
SOFTWARE        _REGISTRY_MACHINE_SOFTWARE
SYSTEM          _REGISTRY_MACHINE_SYSTEM
NTUSER.DAT      _REGISTRY_USER_NTUSER_SID

Page 12

Volume Shadow Copy Service

• Greater number of file types are tracked in VSC – Entire Volume!

• Every file that changed since the last snapshot is included in VSC restore point

• Still located in System Volume Information folder but with different name

Page 13

Volume Shadow Copy Service

• Registry key tracking the monitored volumes: HKLM\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients\{09F7EDC5-294E-4180-AF6A-FB0E6A0E9513}

• Access a VSC by using the vssadmin command and creating a symbolic link to the shadow copy

• Then conduct analysis as if the data were its own logical volume

Page 14

Security Identifiers:

• SID is a security identifier

• SID is a unique identifier in that no two SIDs

• Windows grants or denies access and privileges to system objects based on access control lists (ACLs), which in turn use the SID as a means of identifying users, groups, and machines, since each has its own unique SID

Page 15

Security Identifiers:

• SID-to-user mapping is stored in the SAM for a local logon

• In a domain, SID-to-user resolution is stored in Active Directory on the Domain Controller

• Backdoor for resolving a SID to a user in a domain setting (the profile list on the local machine): HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Page 16

User Activities:

• NTUSER.DAT contains user-specific settings about installed software

• For pre-IE7, the Protected Storage System Provider contains encrypted values for MSIE “Autocomplete” and stored user names and passwords

• For post-IE7, autocomplete information is stored in IntelliForms
  – HKCU\Software\Microsoft\Internet Explorer\IntelliForms\

Page 17

User Activities:

• MRUs (“most recently used”)
  – RunMRU
  – MRUList

• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

• HKCU\Software\Microsoft\Internet Explorer\TypedURLs

Page 18

User Activities:

• UserAssist key
  – HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
  – Value names under “Count” are stored in ROT13
  – 2nd DWORD value is the count, starting at 5 (Windows XP, Vista, 2003, 2008) or 1 (Windows 7)
  – Last eight bytes are a 64-bit Windows (FILETIME) timestamp indicating the last time the user launched the program
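As an added example (not from the slides), the following Python parser decodes one UserAssist "Count" value using the layout described above: ROT13 value name, run count in the second DWORD with the XP baseline of 5 subtracted, and the FILETIME in the last eight bytes. It also handles the 72-byte Windows 7 layout, where the timestamp sits at offset 60; the sample value is constructed, not taken from a real system.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a 64-bit Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of the above; used here only to build the constructed sample value."""
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000


def parse_userassist(value_name, data):
    """Decode one value from a UserAssist ...\\Count subkey.

    Two data layouts are handled:
      16 bytes (XP/2003/Vista/2008): DWORD session, DWORD run count stored
        starting at 5 (so 5 is subtracted), FILETIME in the last 8 bytes.
      72 bytes (Windows 7): DWORD session, DWORD run count at offset 4,
        FILETIME at offset 60, then 4 padding bytes.
    """
    name = codecs.decode(value_name, "rot_13")  # value names are ROT13-obfuscated
    if len(data) == 16:
        session, raw_count, ft = struct.unpack("<IIQ", data)
        runs = max(raw_count - 5, 0)
    elif len(data) == 72:
        session, raw_count = struct.unpack_from("<II", data, 0)
        (ft,) = struct.unpack_from("<Q", data, 60)
        runs = raw_count
    else:
        raise ValueError("unexpected UserAssist data length %d" % len(data))
    last_run = filetime_to_datetime(ft) if ft else None  # zero FILETIME: never launched
    return {"name": name, "session": session, "runs": runs, "last_run": last_run}


# Constructed sample, not from a real system: an XP-format entry recording three
# launches of cmd.exe, the last on 2015-12-23 12:00:00 UTC.
SAMPLE_NAME = r"HRZR_EHACNGU:P:\Jvaqbjf\flfgrz32\pzq.rkr"
SAMPLE_DATA = struct.pack(
    "<IIQ", 1, 3 + 5,
    datetime_to_filetime(datetime(2015, 12, 23, 12, tzinfo=timezone.utc)),
)

if __name__ == "__main__":
    print(parse_userassist(SAMPLE_NAME, SAMPLE_DATA))
```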

Page 19

LSA Secrets:

• LSA stands for Local Security Authority

• SECURITY\Policy\Secrets

• Contains security information regarding various service accounts and other accounts necessary for Windows, and is stored by the service control manager

• Tools to extract:
  – Lsadump2.exe
  – Cain

Page 20

IP Addresses:

• Stored in registry
  – HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

• Subkeys are interfaces and appear with GUID names

• Static vs Dynamic addresses

Page 21

Time Zone Offsets:

• NTFS stores timestamps in GMT

• Windows displays time to the user based on the local host time zone offset.

• Time zone offset stored in registry
  – HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation

Page 22

Startup Locations:

• Many locations within Windows where programs or code run at Windows boot, user logon, etc.

• Registry alone contains dozens of locations and methods

• Windows configuration files can also be used to run code

• List of these locations is extensive

Page 23

Startup Locations:

• If you know what the bad code is and its file name, it is easier to search the registry and Windows configuration files for the file name

• When unknown, use tools such as
  – EnCase Scan Registry EnScript
  – Autoruns by Sysinternals

Page 24

Where are auditing settings stored?

• In most cases you won’t be able to open the Local Security Settings (LSS) applet to determine the auditing level on a live system

• Stored in registry:
  – HKLM\SECURITY\Policy\PolAdtEv