
CSN08101 Digital Forensics Lecture 10: Windows Registry Module - PowerPoint PPT Presentation



  1. CSN08101 Digital Forensics Lecture 10: Windows Registry Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak

  2. Lecture Objectives • Windows Registry – Structure – Properties – Examples • Timeline Analysis • Web Browsers – Internet Explorer – FireFox

  3. WINDOWS REGISTRY

  4. Road to Central Depository • DOS – config.sys & autoexec.bat • Windows 3.0 – INI file • Windows 3.1 – Start of the idea of a central repository • Windows 95 and beyond – Establishment and expansion of the registry

  5. Understanding the Windows Registry • Registry – A database that stores hardware and software configuration information, network connections, user preferences, and setup information • For investigative purposes, the Registry can contain valuable evidence • To view the Registry, you can use: – Regedit (Registry Editor) program for Windows 9x systems – Regedt32 for Windows 2000 and XP

  6. Organisation and Terminology • At the physical level – Files called hives – Located in: %SYSTEMROOT%\System32\config • Keys (analogous to folders) • Values (analogous to files) • Hierarchy: – Hives • Keys – Values

  7. Hives

  8. Value Key

  9. Hive Properties • HKEY_USERS – all loaded user data • HKEY_CURRENT_USER – currently logged on user (NTUSER.DAT) • HKEY_LOCAL_MACHINE – array of software and hardware settings • HKEY_CURRENT_CONFIG – hardware and software settings at start-up • HKEY_CLASSES_ROOT – contains information about which application is used to open each file type

  10. File Locations and Purpose

  11. Windows 7 Root Keys

  12. Registry: A Wealth of Information Information that can be recovered include: – System Configuration – Devices on the System – User Names – Personal Settings and Browser Preferences – Web Browsing Activity – Files Opened – Programs Executed – Passwords

  13. Forensic Analysis - Hardware

  14. Windows Security and Relative ID • The Windows Registry utilizes an alphanumeric combination to uniquely identify a security principal or security group. • The Security ID (SID) is used to identify the computer system. • The Relative ID (RID) is used to identify the specific user on the computer system. • The SID appears as: – S-1-5-21-927890586-3685698554-67682326-1005

  15. Forensic Analysis – User ID • SID (security identifier) – Well-known SIDs • SID: S-1-0 Name: Null Authority • SID: S-1-5-2 Name: Network – S-1-5-21-2553256115-2633344321-4076599324-1006 • S string is SID • 1 revision number • 5 authority level (from 0 to 5) • 21-2553256115-2633344321-4076599324 - domain or local computer identifier • 1006 RID – Relative identifier • Local SAM resolves SID for locally authenticated users (not domain users) – Use recycle bin to check for owners
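The SID breakdown on slides 14 and 15 can be turned into a small parser. The following Python is an added example written for these notes, not code from the lecture or from any Windows tool: it splits a SID string into revision, identifier authority, domain/machine identifier and RID, decodes the binary SID layout used inside the SAM and in security descriptors (revision byte, sub-authority count byte, 48-bit big-endian authority, 32-bit little-endian sub-authorities), and names the two well-known SIDs the slide lists plus the standard local RIDs (500 Administrator, 501 Guest, 1000 and up for accounts created after installation). The `WELL_KNOWN` table is deliberately limited to the entries on the slide.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Well-known SIDs named on the slide; Windows defines many more.
WELL_KNOWN = {
    "S-1-0": "Null Authority",
    "S-1-5-2": "Network",
}

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: tuple

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.authority),
                         *map(str, self.sub_authorities)])

    @property
    def rid(self) -> Optional[int]:
        """Last sub-authority: the Relative ID naming one principal."""
        return self.sub_authorities[-1] if self.sub_authorities else None

    @property
    def domain_identifier(self) -> Optional[str]:
        """Everything before the RID; identical for every account created on
        the same machine or domain (the S-1-5-21-x-y-z prefix on the slide)."""
        if len(self.sub_authorities) < 2:
            return None
        return str(Sid(self.revision, self.authority, self.sub_authorities[:-1]))


def parse_sid(text: str) -> Sid:
    """Parse the textual S-R-A-S1-S2-... form seen in the registry and tools."""
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID string: {text!r}")
    subs = tuple(int(x) for x in m.group(3).split("-") if x)
    return Sid(int(m.group(1)), int(m.group(2)), subs)


def sid_from_bytes(raw: bytes) -> Sid:
    """Binary SID layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then count little-endian
    32-bit sub-authorities."""
    if len(raw) < 8:
        raise ValueError("SID header needs 8 bytes")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match buffer length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = tuple(int.from_bytes(raw[8 + 4 * i:12 + 4 * i], "little")
                 for i in range(count))
    return Sid(revision, authority, subs)


def sid_to_bytes(sid: Sid) -> bytes:
    """Inverse of sid_from_bytes, useful for building search patterns."""
    out = bytes([sid.revision, len(sid.sub_authorities)])
    out += sid.authority.to_bytes(6, "big")
    for sub in sid.sub_authorities:
        out += sub.to_bytes(4, "little")
    return out


def describe(sid: Sid) -> str:
    """Name a SID from the table above or by the RID conventions Windows uses
    for local SAM accounts."""
    name = WELL_KNOWN.get(str(sid))
    if name:
        return name
    if sid.authority == 5 and sid.sub_authorities[:1] == (21,):
        rid = sid.rid
        if rid == 500:
            return "built-in Administrator"
        if rid == 501:
            return "built-in Guest"
        if rid is not None and rid >= 1000:
            return f"user-created account, RID {rid}"
    return "unknown"


if __name__ == "__main__":
    s = parse_sid("S-1-5-21-2553256115-2633344321-4076599324-1006")
    print(s.domain_identifier, s.rid, describe(s))
    print(sid_to_bytes(s).hex())
```

Comparing `domain_identifier` across SIDs recovered from the ProfileList, the SAM and file ownership is the quick way to tell whether two artefacts refer to accounts from the same machine or domain.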

  16. Forensic Analysis - Software

  17. Forensics Analysis: NTUSER.DAT • Internet Explorer – IE auto logon and password – IE search terms – IE settings – Typed URLs – Auto-complete passwords

  18. Forensics Analysis - NTUSER.DAT IE explorer Typed URLs

  19. Forensic Analysis – MRU List A “Most Recently Used List” contains entries made due to specific actions performed by the user. There are numerous MRU list locations throughout various Registry keys. These lists are maintained in case the user returns to them in the future. Essentially, their function is similar to how the history and cookies act in a web browser.

  20. Forensic Analysis – Last Opened Application in Windows

  21. Forensic Analysis – USB Devices

  22. RegRipper The RegRipper is an open-source application for extracting, correlating, and displaying specific information from Registry hive files from the Windows NT (2000, XP, 2003, Vista and 7) family of operating systems.

  23. TIMELINE ANALYSIS

  24. System Time • Determined by booting into the BIOS and comparing it with an external source – Radio Signal Clock or Time Server • CMOS Clock – Complementary Metal Oxide Semiconductor Chip (CMOS) – Accessed by most OS to determine the time

  25. Operating System Time • Embedded within the file system or high level file metadata • Will take into account local time (or not!) • Can confuse an investigation depending on tool configuration and time zone • Will ask for the time from the BIOS CMOS

  26. Program Time • Programs will ask for the time from the OS • They can bypass the OS and ask for the time directly from the BIOS • It’s important to check and understand where a program gets its time details from.

  27. OS Time – DOS • MS DOS time/date Format (FAT File System) • Stored as local time • Used for MAC information • 32 Bit Structure – Seconds (5 bits from offset 0) – Minutes (6 bits from offset 5) – Hours (5 bits from offset 11) – Days (5 bits from offset 16) – Months (4 bits from offset 21) – Years (7 bits from offset 25)
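The bit layout on slide 27 is enough to write a decoder. The Python below is an added example for these notes, not code from the lecture: it unpacks the six fields at the stated offsets, rebuilds a timestamp, packs one again for round-trip checks, and reads the 4-byte form from a FAT directory entry, where the time word precedes the date word. Two points the layout implies are handled explicitly: the 5-bit seconds field holds two-second units (0 to 58), and a zero day or month means the entry was never set or is corrupt rather than a real date. The sample value 0x3D247398 is constructed for the test.

```python
from datetime import datetime

# (field, width in bits, offset from bit 0) as given on the slide.
DOS_FIELDS = (
    ("seconds", 5, 0),   # stored in 2-second units
    ("minutes", 6, 5),
    ("hours", 5, 11),
    ("day", 5, 16),
    ("month", 4, 21),
    ("year", 7, 25),     # years since 1980
)


def unpack_dos_datetime(value: int) -> dict:
    """Split a packed 32-bit DOS date/time into its raw field values."""
    return {name: (value >> offset) & ((1 << width) - 1)
            for name, width, offset in DOS_FIELDS}


def dos_datetime_to_datetime(value: int) -> datetime:
    """Decode to a naive datetime. FAT timestamps carry no zone information,
    so the result is whatever local time the writing machine was set to."""
    f = unpack_dos_datetime(value)
    if f["month"] == 0 or f["day"] == 0:
        raise ValueError("zero date field: entry is unset or corrupt")
    return datetime(1980 + f["year"], f["month"], f["day"],
                    f["hours"], f["minutes"], f["seconds"] * 2)


def datetime_to_dos_datetime(dt) -> int:
    """Inverse: pack a datetime (or ISO string), truncating odd seconds."""
    if isinstance(dt, str):
        dt = datetime.fromisoformat(dt)
    parts = {
        "seconds": dt.second // 2, "minutes": dt.minute, "hours": dt.hour,
        "day": dt.day, "month": dt.month, "year": dt.year - 1980,
    }
    value = 0
    for name, width, offset in DOS_FIELDS:
        if not 0 <= parts[name] < (1 << width):
            raise ValueError(f"{name}={parts[name]} does not fit in {width} bits")
        value |= parts[name] << offset
    return value


def dos_datetime_from_bytes(raw: bytes) -> datetime:
    """FAT directory entries store the little-endian time word followed by
    the little-endian date word, so the packed value is date << 16 | time."""
    if len(raw) != 4:
        raise ValueError("a DOS date/time pair is exactly 4 bytes")
    time_word = int.from_bytes(raw[0:2], "little")
    date_word = int.from_bytes(raw[2:4], "little")
    return dos_datetime_to_datetime((date_word << 16) | time_word)


if __name__ == "__main__":
    sample = 0x3D247398   # constructed: 2010-09-04 14:28:48
    print(unpack_dos_datetime(sample))
    print(dos_datetime_to_datetime(sample))
    print(hex(datetime_to_dos_datetime("2010-09-04T14:28:49")))
```

Because the two-second granularity discards the low bit of the seconds, two files written a second apart can carry the same FAT timestamp; ordering events to the second needs a richer source such as the NTFS FILETIME on the next slide.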

  28. 64 Bit Windows FILE TIME • 64 bit number measuring the number of 100ns intervals since 00:00:00, 1st Jan, 1601 – 58,000 year lifetime • Stored in the MFT – MAC

  29. Unix Time • 32-bit value • Number of seconds elapsed since – 1st January 1970, 00:00:00 GMT • Limit – Monday, December 2nd, 2030 and 19:42:58 GMT
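A 32-bit Unix timestamp is the same four bytes whether a tool reads them as signed or unsigned, and the two readings diverge exactly where the slide's "limit" matters. The Python below is an added example for these notes, not code from the lecture: it decodes a 4-byte timestamp under either interpretation, computes the last instant each can represent (the signed counter runs out at 19 January 2038 03:14:07 UTC and wraps to 13 December 1901; the unsigned reading continues to 7 February 2106), and shows what a signed reader reports for a second count that has overflowed. Byte order is a parameter because on-disk structures differ.

```python
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def unix32_to_datetime(raw: bytes, signed: bool = True,
                       byteorder: str = "little") -> datetime:
    """Decode a 4-byte Unix timestamp taken from a raw on-disk structure.
    `signed` selects how the top bit is read; classic time_t is signed."""
    if len(raw) != 4:
        raise ValueError("a 32-bit timestamp is exactly 4 bytes")
    seconds = int.from_bytes(raw, byteorder, signed=signed)
    return UNIX_EPOCH + timedelta(seconds=seconds)


def to_unix32_bytes(seconds: int, byteorder: str = "little") -> bytes:
    """Store a second count in 32 bits the way an overflowing C program would:
    the value is reduced modulo 2**32, so anything past the range wraps."""
    return (seconds % (1 << 32)).to_bytes(4, byteorder)


def unix32_limits() -> dict:
    """Boundary instants under each reading of the same 32 bits."""
    return {
        "signed_max": unix32_to_datetime(b"\xff\xff\xff\x7f", signed=True).isoformat(),
        "signed_min": unix32_to_datetime(b"\x00\x00\x00\x80", signed=True).isoformat(),
        "unsigned_max": unix32_to_datetime(b"\xff\xff\xff\xff", signed=False).isoformat(),
    }


def seconds_after_wrap(seconds: int) -> str:
    """What a signed 32-bit reader reports for an out-of-range second count."""
    return unix32_to_datetime(to_unix32_bytes(seconds), signed=True).isoformat()


if __name__ == "__main__":
    for name, when in unix32_limits().items():
        print(f"{name:13} {when}")
    print("2**31 seconds, read as signed:", seconds_after_wrap(1 << 31))
```

When a tool shows a file apparently modified in 1901 or 1902, the signed wrap above is the first explanation to rule out before treating the timestamp as tampering.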

  30. Local and UTC time translation • Coordinated Universal Time (UTC) – Effectively the same as GMT • Modern OS calculate the difference between local time and UTC and store the time/date as UTC

  31. Local Time vs UTC • 00 DB A2 F7 5C B1 C5 01 (Localtime) – 127703177299680000 • 00 7B B4 7E 7E B1 C5 01 (GMT) – 127703321299680000 • Difference: – 144,000,000,000 • Verify: – 144,000,000,000 * 0.0000001 = 14,400 – 100 ns = 10 millionth of a second – 3,600 s in 1 hour. 14,400 in 4 hours – = 4 hours

  32. Time and the Registry • ME/XP/Vista/Windows 7 – HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation\Bias • ActiveTimeBias – Amount of time (+ or -) to add to UTC – StandardName - Time Zone
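Slides 28, 31 and 32 together describe one workflow: read a FILETIME from its little-endian bytes, convert it to UTC, and apply the bias held under TimeZoneInformation to recover the local wall-clock time. The Python below is an added example for these notes, not code from the lecture or from any forensic tool. It uses the two hex dumps from slide 31 as constructed input, reproduces the 4-hour (14,400 s) difference, and applies an `ActiveTimeBias` of 240 minutes (an assumption chosen to match that difference) using the Windows convention UTC = local + Bias. Because the registry stores the bias as a REG_DWORD, zones east of UTC appear as large unsigned values; `registry_bias_minutes` converts those back to negative minutes.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed from the two hex dumps on slide 31 (little-endian byte order).
LOCAL_FT = bytes.fromhex("00DBA2F75CB1C501")
UTC_FT = bytes.fromhex("007BB47E7EB1C501")


def filetime_from_bytes(raw: bytes) -> int:
    """FILETIME is an 8-byte little-endian integer: the least significant
    byte comes first, which is why the dumps above start with 00."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    return int.from_bytes(raw, "little")


def filetime_to_datetime(ft: int) -> datetime:
    """100 ns intervals since 1601-01-01 UTC. Python datetimes stop at
    microseconds, so the final digit is dropped."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def difference_seconds(ft_a: int, ft_b: int) -> float:
    """Exact second difference between two FILETIME values."""
    return (ft_b - ft_a) / 10_000_000


def registry_bias_minutes(dword: int) -> int:
    """ActiveTimeBias is a REG_DWORD holding a signed minute count, so a
    value such as 0xFFFFFFC4 means -60 (one hour east of UTC)."""
    return dword - (1 << 32) if dword >= (1 << 31) else dword


def filetime_to_local(ft: int, active_time_bias: int) -> datetime:
    """Apply the registry bias: UTC = local + Bias, hence local = UTC - Bias.
    The result carries the matching fixed-offset zone so it cannot be
    mistaken for UTC later in a timeline."""
    bias = registry_bias_minutes(active_time_bias)
    zone = timezone(timedelta(minutes=-bias))
    return filetime_to_datetime(ft).astimezone(zone)


if __name__ == "__main__":
    ft_local = filetime_from_bytes(LOCAL_FT)
    ft_utc = filetime_from_bytes(UTC_FT)
    print(ft_local, ft_utc, difference_seconds(ft_local, ft_utc))
    print("UTC  :", filetime_to_datetime(ft_utc))
    print("local:", filetime_to_local(ft_utc, 240))   # assumed EDT bias
```

The slide's first value is a local wall-clock time stored in FILETIME form; decoding it with `filetime_to_datetime` and comparing against `filetime_to_local` of the UTC value is the consistency check to run before trusting a tool's time-zone handling.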

  33. GMT No adjustment required

  34. EST

  35. WEB BROWSERS

  36. Browsers • The major browsers (most to least-used): – Internet Explorer – 61.58% – Mozilla Firefox – 24.23% Hitslink.com – February 2010 – Everything else! – 14.19%

  37. Internet Explorer - storage Stores files used in displaying web pages (cache), tracking pages visited (history) and automatic identification / authentication (cookies, credentials) • Viewed pages retrieve their page code and embedded files (such as graphics) from the hard drive rather than the server, so the page loads faster (cache) • Able to see a record of recently visited pages (history) • No need to sign in again at sites that require it, or to specify preferences again (cookies and credentials). Cookies are also used by the visited site and other sites to track web browsing, which is a privacy discussion on its own.

  38. IE – Browsing History With Cache Files • For the subject's browsing history ( index.dat and the cache files themselves – in subdirectories), use Windows Explorer to look in C:\Documents and Settings\<subject User’s ID>\Local Settings\Temporary Internet Files\Content.IE5\ C:\Users\<subject User’sID>\AppData\Local\Microsoft\ Windows\Temporary Internet Files\Content.IE5

  39. IE – Browsing History Without Cache Files • For the subject's browsing history ( index.dat without the cache files), use a browser (NOT Windows Explorer) or command prompt to look in C:\Documents and Settings\<subject User’s ID>\Local Settings\History\History.IE5\ Daily history: MSHist01(start)YYYYMMDD(end)YYYYMMDD Weekly history: MSHist01(start)YYYYMMDD(end)YYYYMMDD
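The container folder names on slide 39 encode the date range they cover, so a listing of History.IE5 can be mapped to a calendar without opening a single index.dat. The Python below is an added example for these notes, not code from the lecture: it parses `MSHist01<start><end>` names, classifies them by span (the assumption used here is that a one-day range is a daily container and a seven-day range a weekly one; anything else is flagged for manual inspection), and answers the question an examiner actually asks, namely which containers could hold activity from a given day. The directory listing is constructed for the test.

```python
import re
from datetime import date, datetime
from typing import List, NamedTuple

# Folder names under History.IE5 as given on the slide:
#   MSHist01<start YYYYMMDD><end YYYYMMDD>
MSHIST_RE = re.compile(r"^MSHist01(\d{8})(\d{8})$", re.IGNORECASE)


class HistoryFolder(NamedTuple):
    name: str
    start: date
    end: date      # exclusive: the first day not covered
    kind: str      # "daily", "weekly" or "other"


def parse_mshist_folder(name: str) -> HistoryFolder:
    """Turn one container name into its covered date range."""
    m = MSHIST_RE.match(name)
    if not m:
        raise ValueError(f"not an MSHist01 folder name: {name!r}")
    start = datetime.strptime(m.group(1), "%Y%m%d").date()
    end = datetime.strptime(m.group(2), "%Y%m%d").date()
    if end <= start:
        raise ValueError(f"end before start in {name!r}")
    # Assumption: 1-day span = daily container, 7-day span = weekly container.
    kind = {1: "daily", 7: "weekly"}.get((end - start).days, "other")
    return HistoryFolder(name, start, end, kind)


def folders_covering(names: List[str], when) -> List[HistoryFolder]:
    """Containers whose range includes the given day (date or ISO string),
    narrowest first. Non-container entries in the listing are skipped."""
    if isinstance(when, str):
        when = date.fromisoformat(when)
    hits = []
    for name in names:
        try:
            folder = parse_mshist_folder(name)
        except ValueError:
            continue   # index.dat, desktop.ini and similar entries
        if folder.start <= when < folder.end:
            hits.append(folder)
    return sorted(hits, key=lambda f: (f.end - f.start).days)


# Constructed listing standing in for
# C:\Documents and Settings\<subject User's ID>\Local Settings\History\History.IE5\
SAMPLE_LISTING = [
    "MSHist012010012520100201",
    "MSHist012010020120100208",
    "MSHist012010020520100206",
    "MSHist012010020820100209",
    "index.dat",
    "desktop.ini",
]


if __name__ == "__main__":
    for name in SAMPLE_LISTING:
        try:
            print(parse_mshist_folder(name))
        except ValueError as exc:
            print("skipped:", exc)
    print([f.name for f in folders_covering(SAMPLE_LISTING, "2010-02-05")])
```

A day that is covered only by a weekly container, with no daily one, is itself a finding: either the daily container was never created or it was removed, which is worth noting alongside the cache-clearing behaviour described on slide 42.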

  40. IE – Index.dat In Depth - Header

  41. IE – Index.dat In Depth - Activity Record

  42. IE – What If The Subject Clears The Cache? • In IE6, when you select Delete Files, the cache files are deleted from the hard drive, but the entries in index.dat are marked “free” and NOT removed! • IE7 & 8 is more thorough – Selecting Delete Files removes both the files and the entries in index.dat (although you can restore the files themselves as they are not overwritten)
