registry artifacts
play

Registry Artifacts Villanova University Department of Computing - PowerPoint PPT Presentation

Apr 03, 2023 •310 likes •979 views

Registry Artifacts Villanova University Department of Computing Sciences D. Justin Price Spring 2014 REGISTRY The registry is a central hierarchal database intended to store information that is necessary to configure the

  1. Registry Artifacts Villanova University – Department of Computing Sciences – D. Justin Price – Spring 2014

  2. REGISTRY • The registry is a “central hierarchal database” intended to store information that is necessary to configure the system for one or more users, applications, and hardware devices.[1] • Goldmine for digital forensics. • Registry Breakdown • Hives (binary database files) • Keys & Subkeys (analogous to a folders) • Values (analogous to a file) • Type (strings, binary or DWORD) • Data Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014 [1] http://support.microsoft.com/kb/256986

  3. REGISTRY HIVES • SAM – Local user accounts & groups • Security – Security information used by the operating system to include password policies, group memberships, etc. • System – Hardware and service configurations • Software – Application settings • NTUSER.dat – User settings, configuration and environment settings • UsrClass.dat – More widely used in Vista/7/8 – Shellbag Information Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  4. REGISTRY HIVES • System Registry Hives � XP/Vista/7/8 C:\Windows\System32\config\SAM � XP/Vista/7/8 C:\Windows\System32\config\SECURITY � XP/Vista/7/8 C:\Windows\System32\config\SYSTEM � XP/Vista/7/8 C:\Windows\System32\config\SOFTWARE � • User Specific Registry Hives � XP C:\Documents and Settings\<USERNAME>\NTUSER.dat � Vista/7/8 C:\Users\<USERNAME>\NTUSER.dat � Vista/7/8 C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat � • Backup System Registry Hives Vista/7/8 C:\Windows\System32\config\RegBack Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  5. REGISTRY VALUE TYPES REG_NONE No Value REG_SZ Unicode or ASCII String REG_BINARY Binary Data REG_DWORD 32-bit Number REG_LINK Unicode Symbolic Link REG_QWORD 64-bit Number Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  6. VIEWING REGISTRY HIVES • Live System Analysis - regedit.exe Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  7. VIEWING REGISTRY HIVES • Offline Analysis - AccessData Registry Viewer • http://marketing.accessdata.com/acton/attachment/4390/u-011c/0/-/-/-/-/ Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  8. VIEWING REGISTRY HIVES • Offline Analysis - MiTeC Windows Registry Recovery (WRR) • http://www.mitec.cz/wrr.html Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  9. EXTRACTING REGISTRY HIVES Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  10. EXTRACTING REGISTRY HIVES Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  11. LAST WRITE TIME • Last Write Time is recorded for each key in every hive. • Time is stored in UTC. • Time stamp reflects when a value has been added or updated. Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  12. SECURITY ACCOUNTS MANAGER (SAM) • Security Identifier (SID) • Recycle Bin entries, file ownership and other artifacts refer to a SID and not a username. • Microsoft Documented SID Accounts • Administrator = 500 • Guest = 501 • User Account = start at 1000 • Password fields can be misleading • Password Required = password policies applied to user accounts do not apply to this account • We will work with a much better tool to determine if a password was set for this account in the Encryption/ Password lecture! Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  13. SAM Hive Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  14. SAM Hive Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  15. SAM Hive Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  16. PROFILE LIST • Details all profiles that have used the system to include local and domain users. • SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  17. PROFILE LIST • Details all profiles that have used the system to include local and domain users. • SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  18. SYSTEM HIVE • Current Control Set • SYSTEM\Select\Current • Answers the following questions: • Which configuration files should be loaded? • If an error is detected, which configuration files should be tried next? • Which configuration files reported errors? Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  19. SYSTEM HIVE • Computer Name: – SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName � � • Time Zone: – SYSTEM\CurrentControlSet\Control\TimeZoneInformation � � � � • Last Access Timestamp: – SYSTEM\CurrentControlSet\Control\FileSystem Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  20. SYSTEM HIVE • Network Interfaces: – SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  21. SYSTEM HIVE • User Shares Enable: – SYSTEM\CurrentControlSet\Services\lanmanserver\Shares � � � • System Shutdown Timestamps and Counters (XP): – SYSTEM\CurrentControlSet\Control\Windows – SYSTEM\CurrentControlSet\Control\Watchdog\Display Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  22. SOFTWARE HIVE • Operating System Version: – SOFTWARE\Microsoft\Windows NT\CurrentVersion Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  23. SOFTWARE HIVE • Historical Networks (Vista/7/8): – Managed by a Domain – SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures \Managed – DnsSuffix = Domain – FirstNetwork = SSID – DefaultGatewayMac = Media Access Control (MAC) Address of Gateway – Last Written Time = Last time the computer connected to this network. Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  24. SOFTWARE HIVE • Historical Networks (Vista/7/8): – Not Managed by a Domain – SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList \Signatures\Unmanaged Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  25. SOFTWARE HIVE • Network Type: – SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{GUID} (XP) – SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList \Profiles (Vista/7/8) » NameType 0x47 = Wireless » NameType 0x06 = Wired » NameType 0x17 = Broadband » Date fields are recorded as 128-bit System date …. use Dcode to convert. Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  26. AUTO-START PROGRAMS • Various Registry Locations: – NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Run – NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\RunOnce – SOFTWARE\Microsoft\Windows\CurrentVersion\Run – SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce – SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run – SYSTEM\CurrentControlSet\Services • (0x02 = start) Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  27. NTUSER.DAT HIVE • Windows XP Search History – NTUSER.DAT\Software\Microsoft\Search Assistant\ACMru • Windows 7 Search History – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer \WordWheelQuery � � � � � � � • Windows 8 Search History – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer \SearchHistory Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  28. NTUSER.DAT HIVE • Internet Explorer Typed URLs – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer \TypedPaths Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

  29. NTUSER.DAT HIVE • Recently Accessed Files – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer \RecentDocs – MRUList shows the order in which the files were accessed. – The most recent file opened will be first. Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

Recommend

Roadmap for Section 12.2. Registry Fundamentals Registry Structure Registry Limits Monitoring

Roadmap for Section 12.2. Registry Fundamentals Registry Structure Registry Limits Monitoring

Unit OS12: Scripting 12.2. The Registry Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 12.2. Registry Fundamentals Registry Structure Registry Limits Monitoring Registry

397 views • 19 slides
What is a Honeymoon Registry A Honeymoon Registry is a wedding gift registry experience for

What is a Honeymoon Registry A Honeymoon Registry is a wedding gift registry experience for

What is a Honeymoon Registry A Honeymoon Registry is a wedding gift registry experience for honeymoons and destination weddings. Our online Honeymoon Registry allows brides and grooms to list anything they want to do on their

547 views • 19 slides
Registry Principles GMTA March 15, 2017 Key Elements of Registry Principles Definition

Registry Principles GMTA March 15, 2017 Key Elements of Registry Principles Definition

Registry Principles GMTA March 15, 2017 Key Elements of Registry Principles Definition Objectives for a registry Threshold questions Data Governance Committee Well-balanced registry design Registry data use

415 views • 9 slides
Artifacts of the 20 th century Essential Questions to Consider: 1.) How does examining the

Artifacts of the 20 th century Essential Questions to Consider: 1.) How does examining the

Artifacts of the 20 th century Essential Questions to Consider: 1.) How does examining the evidence and artifacts of earlier times help us to reconstruct the past? 2.) What are the consequences of technology? Can you guess the purpose of

587 views • 17 slides
An Analysis of An Analysis of Network Configuration Artifacts Network Configuration Artifacts

An Analysis of An Analysis of Network Configuration Artifacts Network Configuration Artifacts

An Analysis of An Analysis of Network Configuration Artifacts Network Configuration Artifacts LISA '09, November 5, 2009 David Plonka &amp; Andres Jaan Tack {plonka,tack}@cs.wisc.edu Motivation and Goals Like software quality, network

406 views • 36 slides
TLD Registry Data an unstructured wander through the zoo Joe Abley Public Interest Registry

TLD Registry Data an unstructured wander through the zoo Joe Abley Public Interest Registry

TLD Registry Data an unstructured wander through the zoo Joe Abley Public Interest Registry AIMS-CAIDA Workshop San Diego, February 2020 What is a TLD Registry DNS Answer We publish the ORG zone in the DNS Highly

550 views • 18 slides
SYSTEM WHAT IS A REGISTRY? A registry is an organized system for the timely collection , storage ,

SYSTEM WHAT IS A REGISTRY? A registry is an organized system for the timely collection , storage ,

THE TEXAS TB REGISTRY SYSTEM WHAT IS A REGISTRY? A registry is an organized system for the timely collection , storage , retrieval , analysis , and dissemination of information on individual persons who have a particular disease, or a risk factor

811 views • 34 slides
http://registry.sf.net http://registry.sf.net Before We Start . . . FORGET ABOUT THE NAME

http://registry.sf.net http://registry.sf.net Before We Start . . . FORGET ABOUT THE NAME

Linux Registry Turning Linux into a Trully Integrated Operating Environment Avi Alkalay &lt;avi@unix.sh&gt; Avi Alkalay &lt;avi@unix.sh&gt; Linux, Open Standards Consultant http://registry.sf.net http://registry.sf.net Before We Start . . .

640 views • 34 slides
DASD Career Readiness Education #DowningtownReady Another Mandate... Career Portfolio 2

DASD Career Readiness Education #DowningtownReady Another Mandate... Career Portfolio 2

DASD Career Readiness Education #DowningtownReady Another Mandate... Career Portfolio 2 Artifacts Per Year Starting in 3rd Grade 5th: 6 Artifacts 8th: +6 Artifacts (Including ICP) 11th: +8 Artifacts The 4 Career 1. Career Awareness

366 views • 17 slides
Registry for Performance Metrics draft-ietf-ippm-metric-registry-05 M. Bagnulo, B. Claise, P.

Registry for Performance Metrics draft-ietf-ippm-metric-registry-05 M. Bagnulo, B. Claise, P.

Registry for Performance Metrics draft-ietf-ippm-metric-registry-05 M. Bagnulo, B. Claise, P. Eardley, A. Morton, A. Akhter Registry Draft Updates 2 Goals and a recommendation: IANA creates and maintains according to process Define

367 views • 19 slides
The Artory Registry Blockchain for the Art World The Registry is the industrys first

The Artory Registry Blockchain for the Art World The Registry is the industrys first

The Artory Registry Blockchain for the Art World The Registry is the industrys first object-oriented, public database. Leveraging Ethereum blockchain, it tracks provenance and title, and distinguishes trusted from non- trusted data for the

567 views • 7 slides
and prospective registry study data in the EBMT registry Per Ljungman, MD, PhD For the

and prospective registry study data in the EBMT registry Per Ljungman, MD, PhD For the

The challenge of COVID-19 for HSCT; EBMT recommendations and prospective registry study data in the EBMT registry Per Ljungman, MD, PhD For the Infectious Diseases Working Party Disclosures None on this topic 2 What have been the EBMT

380 views • 23 slides
Medical Marijuana Registry August 15, 2018 Document 8 Presentation 2 of 17 Overview

Medical Marijuana Registry August 15, 2018 Document 8 Presentation 2 of 17 Overview

Document 8 Presentation 1 of 17 Medical Marijuana Registry August 15, 2018 Document 8 Presentation 2 of 17 Overview Marij uana in Colorado Registry s Role Functions of the Registry Foundation of the Registry

515 views • 17 slides
The case for a registry owning a registrar in its TLD Richard Tindal, SVP Registry eNom/ Demand

The case for a registry owning a registrar in its TLD Richard Tindal, SVP Registry eNom/ Demand

The case for a registry owning a registrar in its TLD Richard Tindal, SVP Registry eNom/ Demand Media What this debate is about: To simplify terminology lets call registries producers and registrars retail stores Were debating

357 views • 18 slides
National Breast Implant Registry Andrea Pusic, MD Co-Chair, National Breast Implant Registry

National Breast Implant Registry Andrea Pusic, MD Co-Chair, National Breast Implant Registry

National Breast Implant Registry Andrea Pusic, MD Co-Chair, National Breast Implant Registry Steering Committee MDEpiNet Annual Meeting October 2017 Single Sign Up Portal What is the National Breast Implant Registry? The Plastic Surgery

500 views • 11 slides
Registry What is there to be worried about? Stephen Deerhake AS Domain Registry ccNSO Members

Registry What is there to be worried about? Stephen Deerhake AS Domain Registry ccNSO Members

GDPR and .AS Domain Registry What is there to be worried about? Stephen Deerhake AS Domain Registry ccNSO Members meeting Who we are US Territory (Like Puerto Rico!) Located at 14d 1954 S / 170d 4241W 16,111 km from

250 views • 8 slides
Registry Trust - An Introduction- Who We Are Changing Operations Registry Trust The Original

Registry Trust - An Introduction- Who We Are Changing Operations Registry Trust The Original

Registry Trust - An Introduction- Who We Are Changing Operations Registry Trust The Original Register The Lord Chancellor in the early 1980s So rather than shut down the register, a non-profit Originally set up by parliament in 1852. The

592 views • 24 slides
The case for a registry owning a registrar that sells its names Richard Tindal, SVP Registry

The case for a registry owning a registrar that sells its names Richard Tindal, SVP Registry

The case for a registry owning a registrar that sells its names Richard Tindal, SVP Registry eNom/Demand Media What this debate is about Were debating whether a manufacturer can own one of the retail stores that sells its product to the

375 views • 15 slides
New Local Internet Registry Webinar Learning and Development Overview The Internet Registry

New Local Internet Registry Webinar Learning and Development Overview The Internet Registry

New Local Internet Registry Webinar Learning and Development Overview The Internet Registry (IR) System RIPE and the RIPE NCC Tools Getting Resources 2 The Internet Registry System Section 1 The Internet Registry System 4

453 views • 42 slides
How it Works: TLD Registry Protocols Ed Lewis Steve Conte | ICANN 53 | 21 June 2015

How it Works: TLD Registry Protocols Ed Lewis Steve Conte | ICANN 53 | 21 June 2015

How it Works: TLD Registry Protocols Ed Lewis Steve Conte | ICANN 53 | 21 June 2015 Define and Focus | 3 What is a registry? Registry as defined by Merriam-Webster: &quot;a place where

742 views • 57 slides
PedNet Registry W orkshop on registries EMA/ CHMP/ BPW P Rolf Ljung for the PedNet study group

PedNet Registry W orkshop on registries EMA/ CHMP/ BPW P Rolf Ljung for the PedNet study group

PedNet Registry W orkshop on registries EMA/ CHMP/ BPW P Rolf Ljung for the PedNet study group PedNet Registry 31 centers Europe, Canada and Israel 3 PedNet and Pednet registry PedNet started 1996 PedNet Registry started 2003

791 views • 25 slides
History of the MNA Registry 1991 to 2017 THE MNAA MEMBERSHIP REGISTRY Prior to 1991,

History of the MNA Registry 1991 to 2017 THE MNAA MEMBERSHIP REGISTRY Prior to 1991,

History of the MNA Registry 1991 to 2017 THE MNAA MEMBERSHIP REGISTRY Prior to 1991, membership applica3ons were taken at the M3s Local and Regional Council offices who issued membership cards to the applicants. In 1991, the MNA, under

230 views • 12 slides
Knowledge Artifacts Evolution: A Human-centered, Community-driven, Data-based Approach Kazuaki

Knowledge Artifacts Evolution: A Human-centered, Community-driven, Data-based Approach Kazuaki

Knowledge Artifacts Evolution: A Human-centered, Community-driven, Data-based Approach Kazuaki Yamada and Yasuhiro Yamamoto KID Lab, RCAST, Univ of Tokyo, Japan 1 1 knowledge artifacts designed and created by human being not only:

313 views • 8 slides
National Rural Environmental Registry System Bangkok May 2017 GENERAL FRAMEWORK BRASILIAN LAND

National Rural Environmental Registry System Bangkok May 2017 GENERAL FRAMEWORK BRASILIAN LAND

National Rural Environmental Registry System Bangkok May 2017 GENERAL FRAMEWORK BRASILIAN LAND REGISTRY SISTEMS The implementation of an effective Cadastre (Registry) in Brazil is a historic challenge. The absence of this instrument

873 views • 75 slides

More recommend