Upload File

computer forensics windows registry

47
COMPUTER FORENSICS & WINDOWS REGISTRY Aradhana Pandey Saumya Tripathi

Upload: cristi-lupu

Post on 29-Sep-2015

111 views

Category:

Documents


25 download

Report

DESCRIPTION

Computer Forensics Windows Registry

TRANSCRIPT

  • COMPUTER FORENSICS & WINDOWS REGISTRY

    Aradhana Pandey

    Saumya Tripathi

  • STEP 1

    In initial forensics analysis , it is important to get more information about the owner and the system. So , we should confirm the registered owner and the path of the directory in which windows was installed before forensics analysis.
  • The HKEY_LOCAL_MACHINE\Software Key contains information about the installed software and windows on the system although the HKEY_LOCAL_MACHINE\System key contains information about windows.

  • FIVE BASIC KEYS OF REGISTRY USED IN FORENSICS


  • THE REGISTRY AS A LOG

    All Registry keys contain a value associated with them called the Last Write time, which is very similar to the last modification time of a file. This value is stored as a FILETIME structure and indicates when the Registry Key was last modified. The Last Write time is updated when a registry key has been created, modified, accessed, or deleted.

  • Unfortunately, only the Last Write time of a registry key can be obtained, where as a Last Write time for the registry value cannot.

    Knowing the Last Write time of a key can allow a forensic analyst to infer the approximate date or time an event occurred. And although one may know the last time a Registry key was modified, it still remains difficult to determine what value was actually changed.

  • SIGNIFICANCE

    Using the Registry as a log is most helpful in the correlation between the Last Write time of a Registry key and other sources of information, such as MAC (modified, accessed, or created) times found within the file system.

  • AUTORUN LOCATION

    Autorun locations are Registry keys that launch programs or applications during the boot process. It is generally a good practice to look here depending on the case of examination. For instance, if a computer is suspected to have been involved in a system intrusion case, autorun locations should be looked at.

  • If the user denies their involvement then it.s possible their own system was compromised and used to initiate the attack. In a case such as this, the autorun locations could prove that the system had a trojan backdoor installed leaving it vulnerable for an attacker to use at their discretion.

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceHKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\RunHKLM\Software\Microsoft\Windows\CurrentVersion\RunHKCU\Software\Microsoft\WindowsNT\CurrentVersion\Windows\RunHKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce (ProfilePath)\Start Menu\Programs\Startup

  • When you run a Microsoft Office XP program, the file Ctfmon.exe (Ctfmon) runs in the background, even after you quit all Office programs.
    Ctfmon.exe monitors the active windows and provides text input service support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies.


  • MRU LISTS

    MRU, or .most recently used. lists contain entries made due to specific actions performed by the user. There are numerous MRU lists located throughout various Registry keys. The Registry maintains these lists of items incase the user returns to them in the future. It is basically similar to how the history and cookies act to a web browser.

  • The location of this key is HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
  • The chronological order of applications executed via .Run. can be determined by looking at the Data column of the MRUList. value.

  • Last accessed from RUN


  • USERASSIST

    UserAssistkey,HCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist, contains two or more subkeys which have long hexadecimal names that appear as globally unique identifiers (GUIDs).

  • Each subkey records values that pertain to specific objects the user has accessed on the system, such as Control Panelapplets, shortcut files, programs, etc.

  • With the UserAssist key, a forensic examiner can gain a better understanding of what types of files or applications have been accessed on a particular system. Even though these entries are not definitive, for they cannot be associated with a specific date and time, it may still indicate a specific action by the user.

  • These values however, are encoded using a ROT-13 encryption algorithm, sometimes known as a Caesar cipher. This particular encryption technique is quite easy to decipher, as each character is substituted with the character 13 spaces away from it in the ASCII table.

  • With the UserAssist key, a forensic examiner can gain a better understanding of what types of files or applications have been accessed on a particular system. Even though these entries are not definitive, for they cannot be associated with a specific date and time, it may still indicate a specific action by the user.


  • WIRELESS NETWORKS

    A Forensic examiner can determine if a user connected to specific wireless access point, the timeframe, and their IP address they were assigned by the DHCP server. HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\,


  • LAN COMPUTERS

    The Computer Descriptions key is useful in determining whether or not a user was connected to certain computers or belonged to a specific LAN.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions.


  • USB DEVICES

    Anytime a device is connected to the Universal Serial Bus (USB), drivers arequeried and the device.s information is stored into the Registry. Thefirst important key is HKLM\SYSTEM\ControlSet00x\Enum\USBSTOR. This keystores the contents of the product and device ID values of any USB device that has everbeen connected to the system.

  • List of all USB devices which are currently connected to the system

  • DEVICE ID


  • MOUNTED DEVICES

    There is a key in the Registry that makes it possible to view each drive associated with the system. The key is HKLM\SYSTEM\MountedDevices and it stores a database of mounted volumes that is used by the NTFS file system.

  • This information can be useful to a digital forensics examiner as it shows the hardware devices that should be connected to the system. Therefore, if a device is shown in the list of Mounted Devices and that device isnt physically in the system, it may indicate that the user removed the drive in attempt to conceal the evidence. In this case, the examiner would know they have additional evidence that needs to be seized.

  • INTERNET EXPLORER

    Internet Explorer is the native web browser in Windows operating systems. It utilizes the Registry extensively in storage of data, like many applications discussed thus far.Internet Explorer stores its data in the HKCU\Software\Microsoft\Internet Explorer key. There are three subkeys within the Internet Explorer key that are most important to the forensic examiner.

  • Owner has visited various sites for different transactions

  • Registry is the treasure of all Activities..Keep a safe distance


Windows Registry Forensic Tool Specification...2018/06/28  · Although Windows registry analysis techniques are already 103 generally being used in Windows forensics, there is a lack

Windows 8.x Forensics 1.0

Desktop Forensics: Windows - ULisboa · Desktop Forensics: Windows Part II.A. Techniques and Tools: Computer Forensics CSF: Forensics Cyber-Security Fall 2015 Nuno Santos

Windows Registry Analysis

Microsoft windows registry

Windows Registry Tips

FORENSICS VISUALIZATION OF WINDOWS 10 REGISTRY

Windows Registry Analysisdocshare04.docshare.tips/files/29584/295845431.pdf · 2017-02-05 · Registry Forensics Registry Analysis: Perform a GUI-based live-system analysis. Easiest,

Introduction ACCESSDATA ® FORENSICS Forensic AnalysisIncident ResponseeDiscoveryInformation Assurance Windows 7 Registry Artifacts

Analysis of the Windows Registryweb.cse.msstate.edu/~hamilton/Forensics/Basic/Registry_Analysis.pdf · Mississippi State University Digital Forensics 10 Registry File Layout • Official

Digital Forensics Expert - Zoom Cybersense · Digital Forensics Expert ... o The Registry . o Windows Swap file o Index.dat o Memory Analysis o How to deal with Encrypted drives and

Registry Forensics

DATA64- Windows Forensics

Schwarzbuch: Windows 7-Registry-Tricks - basilea.itbasilea.it/Wissen/Schwarzbuch - Windows 7-Registry-Tricks.pdf · Schwarzbuch: Windows 7-Registry-Hacks 4 späteren Zeitpunkt per

15 Registry Forensics - Villanova Universitydprice/fall2014/slides/16_Registry Forensics… · • The registry is a “central hierarchal database” intended to store information

15 Registry Forensics - Villanova

Windows 8 Forensics & Anti Forensics

Windows registry forensics

windows Registry trükkök

Windows Registry

Computer Forensics: Working with Windows and DOS Systems · Windows Registry (cont.) •Forensics ( n o i t a m r o f n –i i.e. potential evidence) that reside in the Registry make

Defeating Windows memory forensics

Windows Logon Forensics 34132

Windows Registry (2)

CNIT 121: Computer Forensics · 2016-11-02 · Forensics 12 Investigating Windows Systems (Part 2) The Windows Registry. Purpose • The registry contains configuration data for

Windows Forensics - Exercises - JKU · Michael Sonntag, Christian Praher Windows Forensics 3 Environment More incident response than forensics No clear separation between …

Windows Forensics Exercises

Windows Registry Forensics with Volatility Framework

Mastering Windows Network Forensics and Investigation Chapter 9: Registry Evidence

Aradhana Pandey Saumya Tripathi - 123seminarsonly.com€¦ · COMPUTER FORENSICS & WINDOWS REGISTRY Aradhana Pandey Saumya Tripathi. STEP 1 In initial forensics analysis , it is important

Windows 7 forensics -overview-r3

Registry Analysis - SANS Computer Forensics

Windows Registry Presentation

Windows Registry Forensics.doc

Windows Registry Trukkök