Aradhana Pandey, Saumya Tripathi - 123seminarsonly.com… · Computer Forensics & Windows Registry
COMPUTER FORENSICS & WINDOWS REGISTRY
Aradhana Pandey
Saumya Tripathi
STEP 1
In an initial forensic analysis it is important to gather as much information as possible about the owner and the system. So, before the analysis proper, we should confirm the registered owner and the path of the directory in which Windows was installed.
The HKEY_LOCAL_MACHINE\Software key contains information about the installed software and about Windows itself, while the HKEY_LOCAL_MACHINE\System key contains information about the Windows system configuration.
FIVE BASIC KEYS OF THE REGISTRY USED IN FORENSICS
THE REGISTRY AS A LOG
Every Registry key carries an associated value called the Last Write time, which is very similar to the last modification time of a file. This value is stored as a FILETIME structure and indicates when the Registry key was last modified. The Last Write time is updated when a registry key has been created, modified, accessed, or deleted.
Unfortunately, only the Last Write time of a registry key can be obtained, whereas a Last Write time for an individual registry value cannot.
Knowing the Last Write time of a key can allow a forensic analyst to infer the approximate date or time an event occurred. And although one may know the last time a Registry key was modified, it still remains difficult to determine what value was actually changed.
SIGNIFICANCE
Using the Registry as a log is most helpful in the correlation between the Last Write time of a Registry key and other sources of information, such as MAC (modified, accessed, or created) times found within the file system.
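The FILETIME conversion and the correlation described above, as an added example that is not part of the presentation: a Last Write time is decoded from its raw 64-bit form and matched against file MAC times that fall within a chosen window. The key timestamp, file paths and times are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# A FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a raw 64-bit FILETIME (as stored for a key's Last Write time) to UTC."""
    if not 0 <= ft < 2 ** 64:
        raise ValueError("FILETIME must be an unsigned 64-bit integer")
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; used here only to build the constructed sample."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def correlate_key_with_files(key_last_write: datetime, file_times: dict, window: timedelta) -> list:
    """Return (path, which_timestamp, offset) for each file MAC time that lies within
    +/- window of the key's Last Write time, closest match first."""
    hits = []
    for path, mac in file_times.items():
        for label, ts in mac.items():
            offset = ts - key_last_write
            if abs(offset) <= window:
                hits.append((path, label, offset))
    return sorted(hits, key=lambda hit: abs(hit[2]))


# Constructed sample: Last Write time of an autorun key, and MAC times of two files.
KEY_LAST_WRITE_FT = datetime_to_filetime(datetime(2022, 4, 26, 9, 15, tzinfo=timezone.utc))
TEMP_EXE = "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"
SAMPLE_FILE_TIMES = {
    TEMP_EXE: {
        "created": datetime(2022, 4, 26, 9, 14, 30, tzinfo=timezone.utc),
        "modified": datetime(2022, 4, 26, 9, 14, 30, tzinfo=timezone.utc),
        "accessed": datetime(2022, 4, 26, 9, 15, 5, tzinfo=timezone.utc),
    },
    "C:\\Windows\\notepad.exe": {
        "created": datetime(2019, 12, 7, 9, 9, tzinfo=timezone.utc),
        "modified": datetime(2019, 12, 7, 9, 9, tzinfo=timezone.utc),
        "accessed": datetime(2022, 4, 25, 17, 0, tzinfo=timezone.utc),
    },
}


def find_related_files(window_minutes: int = 5) -> list:
    """Files whose MAC times cluster around the sample key's Last Write time."""
    key_time = filetime_to_datetime(KEY_LAST_WRITE_FT)
    return correlate_key_with_files(key_time, SAMPLE_FILE_TIMES, timedelta(minutes=window_minutes))


if __name__ == "__main__":
    for path, label, offset in find_related_files():
        print(f"{path} {label} {offset.total_seconds():+.0f}s from key Last Write")
```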
AUTORUN LOCATION
Autorun locations are Registry keys that launch programs or applications during the boot process. It is generally good practice to examine them, depending on the nature of the case. For instance, if a computer is suspected of having been involved in a system intrusion, the autorun locations should be examined.
If the user denies their involvement, then it's possible their own system was compromised and used to initiate the attack. In such a case, the autorun locations could prove that the system had a trojan backdoor installed, leaving it vulnerable for an attacker to use at their discretion.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
(ProfilePath)\Start Menu\Programs\Startup
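Added example, not from the presentation: a small parser for a .reg export of the keys listed above that lists every entry and flags launch paths under user-writable folders. The .reg text, the entry names and the list of user-writable folders are constructed assumptions.

```python
import re
# The autorun keys listed above, with the hive names abbreviated the same way.
AUTORUN_KEYS = {
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runonce",
    r"hklm\software\microsoft\windows\currentversion\policies\explorer\run",
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows nt\currentversion\windows\run",
    r"hkcu\software\microsoft\windows\currentversion\runonce",
}
# Constructed triage heuristic: launch points in user-writable folders deserve a closer look.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\users\\public\\", "\\downloads\\")
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def _unescape(text: str) -> str:
    # .reg exports escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", text)

def parse_reg_export(text: str):
    """Yield (key, value_name, data) for every REG_SZ value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        match = VALUE_LINE.match(line)
        if key is None or match is None:
            continue
        data = match.group(2)
        if data.startswith('"') and data.endswith('"'):  # dword:/hex: values are skipped
            yield key, _unescape(match.group(1)), _unescape(data[1:-1])

def executable_of(command: str) -> str:
    """First token of a command line, honouring a quoted path that contains spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def triage_autoruns(reg_text: str) -> list:
    """One dict per entry under a listed autorun key, flagging user-writable launch paths."""
    findings = []
    for key, name, command in parse_reg_export(reg_text):
        short = key.lower().replace("hkey_current_user", "hkcu").replace("hkey_local_machine", "hklm")
        if short not in AUTORUN_KEYS:
            continue
        exe = executable_of(command)
        findings.append({"key": key, "name": name, "command": command, "exe": exe,
                         "suspicious": any(m in exe.lower() for m in USER_WRITABLE_MARKERS)})
    return findings

# Constructed .reg export: two autorun keys plus one unrelated key that must be ignored.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Sync"="C:\\Users\\Public\\sync.exe -q"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
"""
```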
When you run a Microsoft Office XP program, the file Ctfmon.exe (Ctfmon) runs in the background, even after you quit all Office programs. Ctfmon.exe monitors the active windows and provides text input service support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies.
MRU LISTS
MRU, or "most recently used", lists contain entries created as a result of specific actions performed by the user. There are numerous MRU lists located throughout various Registry keys. The Registry maintains these lists of items in case the user returns to them in the future; this is broadly similar to the way a web browser keeps its history and cookies.
The RunMRU key is located at HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
The chronological order of applications executed via "Run" can be determined by looking at the Data column of the MRUList value.
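Added example, not from the presentation: reconstructing the Run-dialog history from the letter-named RunMRU values and the MRUList order, and listing entries that MRUList no longer references. The key contents are constructed sample data; the trailing \1 marker on each entry is assumed from the XP-era RunMRU format.

```python
# Constructed contents of the RunMRU key: one letter-named value per Run-dialog
# command, each terminated by a "\1" marker, plus MRUList giving most-recent-first order.
SAMPLE_RUNMRU = {
    "a": "cmd\\1",
    "b": "regedit\\1",
    "c": "\\\\fileserver\\share\\1",
    "d": "notepad C:\\Users\\alice\\notes.txt\\1",
    "e": "calc\\1",
    "MRUList": "dcab",
}


def _strip_marker(raw: str) -> str:
    # The trailing "\1" is stored with every entry and is not part of the command.
    return raw[:-2] if raw.endswith("\\1") else raw


def runmru_history(values: dict) -> list:
    """Run-dialog commands in the order MRUList records them, most recent first."""
    history = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is None:  # MRUList may still reference a value that has been deleted
            continue
        history.append(_strip_marker(raw))
    return history


def orphaned_entries(values: dict) -> dict:
    """Values present in the key but no longer referenced by MRUList; they survive
    a partial clean-up of the list and are worth recording separately."""
    listed = set(values.get("MRUList", ""))
    return {k: _strip_marker(v) for k, v in values.items()
            if k != "MRUList" and k not in listed}
```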
Last accessed from RUN
USERASSIST
The UserAssist key, HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist, contains two or more subkeys which have long hexadecimal names that appear as globally unique identifiers (GUIDs).
Each subkey records values that pertain to specific objects the user has accessed on the system, such as Control Panel applets, shortcut files, programs, etc.
With the UserAssist key, a forensic examiner can gain a better understanding of what types of files or applications have been accessed on a particular system. Even though these entries are not definitive, for they cannot be associated with a specific date and time, it may still indicate a specific action by the user.
These values, however, are encoded with the ROT-13 substitution, a form of Caesar cipher. This particular scheme is trivial to reverse: each letter is replaced by the letter 13 positions further along the alphabet (wrapping around), so applying the same substitution a second time restores the original text.
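Added example, not from the presentation: the ROT-13 substitution applied to constructed UserAssist value names, showing that only letters change while digits, braces and backslashes are left alone. The UEME_ tag names, the Count subkey and the sample paths are assumptions about how the entries are laid out.

```python
import string

# ROT-13 replaces each letter with the one 13 places further along the alphabet,
# wrapping around; digits, braces, backslashes and punctuation are left untouched.
_ROT13 = str.maketrans(
    string.ascii_lowercase + string.ascii_uppercase,
    string.ascii_lowercase[13:] + string.ascii_lowercase[:13]
    + string.ascii_uppercase[13:] + string.ascii_uppercase[:13],
)


def rot13(text: str) -> str:
    """Applying the same substitution twice restores the input, so this both encodes and decodes."""
    return text.translate(_ROT13)


def decode_userassist_names(value_names) -> list:
    """Decode ROT-13 UserAssist value names into (tag, target) pairs.

    The part before the first colon is the UEME_* tag (assumed XP-style naming,
    e.g. UEME_RUNPATH for a program run by path); the remainder is the decoded
    path or shortcut, or an empty string for tags that carry no target.
    """
    decoded = []
    for name in value_names:
        tag, _, target = rot13(name).partition(":")
        decoded.append((tag, target))
    return decoded


# Constructed value names as they would appear under a UserAssist {GUID}\Count subkey.
SAMPLE_USERASSIST_NAMES = [
    "HRZR_EHACNGU:P:\\Jvaqbjf\\abgrcnq.rkr",
    "HRZR_EHACVQY:%pfvqy2%\\Npprffbevrf\\Pnyphyngbe.yax",
    "HRZR_PGYFRFFVBA",
]

if __name__ == "__main__":
    for tag, target in decode_userassist_names(SAMPLE_USERASSIST_NAMES):
        print(f"{tag:16} {target}")
```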
WIRELESS NETWORKS
A forensic examiner can determine whether a user connected to a specific wireless access point, the timeframe, and the IP address they were assigned by the DHCP server.
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\
LAN COMPUTERS
The Computer Descriptions key is useful in determining whether or not a user was connected to certain computers or belonged to a specific LAN.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
USB DEVICES
Any time a device is connected to the Universal Serial Bus (USB), drivers are queried and the device's information is stored in the Registry. The first important key is HKLM\SYSTEM\ControlSet00x\Enum\USBSTOR. This key stores the product and device ID values of any USB device that has ever been connected to the system.
List of all USB devices which are currently connected to the system
DEVICE ID
MOUNTED DEVICES
There is a key in the Registry that makes it possible to view each drive associated with the system. The key is HKLM\SYSTEM\MountedDevices and it stores a database of mounted volumes that is used by the NTFS file system.
This information can be useful to a digital forensics examiner because it shows the hardware devices that should be connected to the system. Therefore, if a device is shown in the list of Mounted Devices but is not physically present in the system, it may indicate that the user removed the drive in an attempt to conceal evidence. In this case, the examiner knows there is additional evidence that needs to be seized.
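Added example covering both the USBSTOR key and the MountedDevices key above, not from the presentation: constructed MountedDevices values are parsed to separate fixed disks from USB volumes, and for each USB volume the USBSTOR subkey name that identifies the same device is derived. The vendor, product, serial number and disk signature are constructed sample values.

```python
import re
import struct

USBSTOR_RE = re.compile(
    r"USBSTOR#Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>[^#]*)"
    r"#(?P<serial>[^&#]*)"
)


def parse_mounted_device(name: str, data: bytes) -> dict:
    """Classify one MountedDevices value.

    Fixed disks store 12 bytes: a 4-byte disk signature and an 8-byte partition offset.
    USB volumes store the device interface path as UTF-16LE text, which embeds the
    vendor, product, revision and serial number that also name the USBSTOR subkey.
    """
    entry = {"name": name}
    if len(data) == 12:
        signature, offset = struct.unpack("<IQ", data)
        entry.update(kind="fixed", disk_signature=f"{signature:08X}", partition_offset=offset)
        return entry
    try:
        text = data.decode("utf-16-le")
    except UnicodeDecodeError:
        entry.update(kind="unknown", raw=data.hex())
        return entry
    match = USBSTOR_RE.search(text)
    if match:
        entry.update(kind="usb", **match.groupdict())
    else:
        entry.update(kind="other", path=text)
    return entry


def usbstor_instance_path(entry: dict) -> str:
    """Subkey path under HKLM\\SYSTEM\\ControlSet00x\\Enum\\USBSTOR for a USB entry."""
    return (f"Disk&Ven_{entry['vendor']}&Prod_{entry['product']}&Rev_{entry['revision']}"
            f"\\{entry['serial']}&0")


def removable_media_report(values: dict) -> list:
    """USB-backed volumes with their drive letter and identifying details; compare this
    with the hardware actually present to spot drives that have been removed."""
    report = []
    for name, data in values.items():
        entry = parse_mounted_device(name, data)
        if entry["kind"] == "usb" and name.startswith("\\DosDevices\\"):
            entry["drive_letter"] = name.rsplit("\\", 1)[1]
            entry["usbstor_subkey"] = usbstor_instance_path(entry)
            report.append(entry)
    return report


# Constructed MountedDevices contents: one fixed disk and one USB stick that was mounted as E:.
USB_PATH = ("\\??\\USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00#"
            "4C530001234567890123&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
SAMPLE_MOUNTED_DEVICES = {
    "\\DosDevices\\C:": struct.pack("<IQ", 0x1A2B3C4D, 1048576),
    "\\DosDevices\\E:": USB_PATH.encode("utf-16-le"),
    "\\??\\Volume{3f2504e0-4f89-11d3-9a0c-0305e82c3301}": USB_PATH.encode("utf-16-le"),
}
```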
INTERNET EXPLORER
Internet Explorer is the native web browser in Windows operating systems. Like many of the applications discussed thus far, it makes extensive use of the Registry for data storage. Internet Explorer stores its data in the HKCU\Software\Microsoft\Internet Explorer key. There are three subkeys within the Internet Explorer key that are most important to the forensic examiner.
Owner has visited various sites for different transactions
The Registry is the treasure of all activities. Keep a safe distance…