The Windows registry is a collection of databases that contains system configuration data. This could include hardware, software or user configuration information.
Furthermore, it can contain data about recently used files, programs run, or devices connected to the system.
This is vital to a forensics investigation standpoint.
Structure of the Registry
Currently Windows System Contains the following 5 Root keys:
HKEY_CURRENT_USER
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
To view these you can open regedit.exe
HKEY_CURRENT_USER
Contains the root configuration information for the user who is currently logged on.
HKEY_USERS
Contains all the actively loaded user profiles on the computer
HKEY_LOCAL_MACHINE
Contains configuration information particular to the computer
HKEY_CLASSES_ROOT
Provides a view of the registry that merges information from HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE
HKEY_CURRENT_CONFIG
Contains information about the hardware profile that is used by the local computer
Structure
The registry contains two basic elements: keys and values. Registry keys are container objects similar to folders. Registry values are non-container objects similar to files.
Keys may contain values and subkeys.
E.g. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows refers to the subkey "Windows" of the subkey "Microsoft" of the subkey "Software" of the HKEY_LOCAL_MACHINE root key.
Windows Registry Hives
A hive is a logical group of keys, subkeys, and values in the registry that is a set of supporting files loaded into memory when the operating system is started or a user logs in.
If you are accessing a live system, you will be able to access the registry using regedit.exe. However, if you only have access to a disk image, you must know where the registry hives are located. The majority are stored in C:\Windows\System32\Config
Hives containing User Information
Apart from hives located in C:\Windows\System32\Config, to hives containing user information can be found in the user profile directory. The hives are;
NTUSER.DAT
USRCLASS.DAT
These are hidden files that store information about the user that is ran when the user logs in or a specific action is conducted
The Amcache Hive
Apart from the above files, there is another very important hive called the AmCache hive. It is located in C:\Windows\AppCompat\Programs\Amcache.hve. Window creates this hive to save information on program that were recently run on the system
Data Acquisition
When preforming forensics, we will either encounter a live system or an image taken of the system. Though we can view the registry through the registry editor, the forensically correct method is to acquire a copy of this data and preform analysis on the copy. However, when we go to copy the registry hives we can't because it is restricted.
Programs for acquiring these files are:
KAPE
Autopsy
FTK Imager
Exploring Windows Registry
Once we have extracted the registry hives, we need a tool to view these files as we would in the registry editor. Since the registry editor only works with live systems.
The following are tools that can be used to analyse registry hives:
Registry Viewer
Zimmerman's registry explorer
RegRipper
Recent Files
Windows maintains a list of recently opened files for each user. As we might have seen when using Windows expklorer, it shows us a list of recently used files.
This information is stored in the NTUSER hive and can be found at the location NTUSED.DATA\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Office Recent FIles
Similar to the recent docs maintained by windows explorer, Microsoft Office also maintains a list of recently opened documents. This list is also in the NTUSER hive. It can be found in the following location NTUSER.DAT\Software\Microsoft\Office\{VERSION}
Shellbags
When any user opens a folder, it opens in a specific layout. Users can change this layout according to their preferences. These layouts can be different for different folders. This information is stored in the following locations:
Windows keeps log of applications that have been ran on the system, as well as statistical data regarding these applications. However There is multiple different hives that provide different pros and cons regarding program execution logging.
UserAssist
Present in the NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorere\UserAssist\{GUID}\Count. GUID standing for Global Unique Identifier.
While UserAssist provides execution information, any program run via the command line cannot be viewed
AmCache
Includes execution path. installation, execution and deletion times, and SHA1 hashes of the executed programs. It is located at C:\Windows\appcompat\Programs\Amcache.hve
BAM/DAM
Background Activity Monitor or BAM keeps tabs on the activity of background applications. Similar Desktop Activity Moderator or DAM, is part of Microsoft Windows that is responsible for optimizing power consuption.
Migden
commented
1 month ago
Windows Registry Forensics
What is the Windows Registry?
The Windows registry is a collection of databases that contains system configuration data. This could include hardware, software or user configuration information.
Furthermore, it can contain data about recently used files, programs run, or devices connected to the system.
This is vital to a forensics investigation standpoint.
Structure of the Registry
Currently Windows System Contains the following 5 Root keys:
To view these you can open
regedit.exeHKEY_CURRENT_USER
Contains the root configuration information for the user who is currently logged on.
HKEY_USERS
Contains all the actively loaded user profiles on the computer
HKEY_LOCAL_MACHINE
Contains configuration information particular to the computer
HKEY_CLASSES_ROOT
Provides a view of the registry that merges information from HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE
HKEY_CURRENT_CONFIG
Contains information about the hardware profile that is used by the local computer
Structure
The registry contains two basic elements: keys and values. Registry
keysare container objects similar to folders. Registryvaluesare non-container objects similar to files.Keys may contain values and subkeys.
E.g. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows refers to the subkey "Windows" of the subkey "Microsoft" of the subkey "Software" of the HKEY_LOCAL_MACHINE root key.Windows Registry Hives
A
hiveis a logical group of keys, subkeys, and values in the registry that is a set of supporting files loaded into memory when the operating system is started or a user logs in.If you are accessing a live system, you will be able to access the registry using regedit.exe. However, if you only have access to a disk image, you must know where the registry hives are located. The majority are stored in
C:\Windows\System32\ConfigHives containing User Information
Apart from hives located in
C:\Windows\System32\Config, to hives containing user information can be found in the user profile directory. The hives are;These are hidden files that store information about the user that is ran when the user logs in or a specific action is conducted
The Amcache Hive
Apart from the above files, there is another very important hive called the AmCache hive. It is located in
C:\Windows\AppCompat\Programs\Amcache.hve. Window creates this hive to save information on program that were recently run on the systemData Acquisition
When preforming forensics, we will either encounter a live system or an image taken of the system. Though we can view the registry through the registry editor, the forensically correct method is to acquire a copy of this data and preform analysis on the copy. However, when we go to copy the registry hives we can't because it is restricted.
Programs for acquiring these files are:
Exploring Windows Registry
Once we have extracted the registry hives, we need a tool to view these files as we would in the registry editor. Since the registry editor only works with live systems.
The following are tools that can be used to analyse registry hives:
Recent Files
Windows maintains a list of recently opened files for each user. As we might have seen when using Windows expklorer, it shows us a list of recently used files.
This information is stored in the
NTUSERhive and can be found at the locationNTUSED.DATA\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocsOffice Recent FIles
Similar to the recent docs maintained by windows explorer, Microsoft Office also maintains a list of recently opened documents. This list is also in the
NTUSERhive. It can be found in the following locationNTUSER.DAT\Software\Microsoft\Office\{VERSION}Shellbags
When any user opens a folder, it opens in a specific layout. Users can change this layout according to their preferences. These layouts can be different for different folders. This information is stored in the following locations:
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagsUSRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRUNTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRUNTUSER.DAT\Software\Microsoft\Windows\Shell\BagsUser Assist
Windows keeps log of applications that have been ran on the system, as well as statistical data regarding these applications. However There is multiple different hives that provide different pros and cons regarding program execution logging.
UserAssist
Present in the
NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorere\UserAssist\{GUID}\Count.GUIDstanding for Global Unique Identifier.While UserAssist provides execution information, any program run via the command line cannot be viewed
AmCache
Includes execution path. installation, execution and deletion times, and SHA1 hashes of the executed programs. It is located at
C:\Windows\appcompat\Programs\Amcache.hveBAM/DAM
Background Activity Monitor or BAM keeps tabs on the activity of background applications. Similar Desktop Activity Moderator or DAM, is part of Microsoft Windows that is responsible for optimizing power consuption.
They are located in the:
SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}External Devices/USB decive Forensics
When preforming forensics on a machine, often the need will arise to identify if any USB or removable drives were attached to the machine.
Device Identification
The following locations keep track of USB keys plugged into a system;
SYSTEM\CurrentControlSet\Enum\USBSTORSYSTEM\CurrentControlSet\Enum\USBUser files location
The directory
C:\Documents and Settingsholds the information on users created in the Windows system such as files and settings.This is handy when analysing file system dumps to view user information