Since its introduction in Windows 3.1, the Windows registry has accumulated new and interesting information with each release of the operating system. Storing data about executed programs, accessed files, USB devices, Internet browsing history, and even the directory structure of external devices, the registry is truly a treasure trove of information, if you know where to look. This presentation explores some of this information, including tools that can be used to extract important data. In addition, the impact of anti-forensics tools on the registry is discussed, as well as techniques used by forensic examiners to recover data targeted by anti-forensics tools.

I. Introduction: What is the Windows registry?
  1) Registry structure: presented as a single hierarchical database, but comprised of multiple files
  2) Quick overview of registry hives: Software, System, Sam, Security, Ntuser.dat, Usrclass.dat
    a) Include slide/diagram highlighting the progression of the registry through different versions of Windows

II. Questions the registry can help answer (and finding those answers)
  1) Operating system details: OS build, installation date, service pack, deleted user profiles, etc.
    a) Correlating data from the Software and Sam hives
  2) What applications have been executed?
    a) UserAssist, MuiCache, AppCompatCache, RunMRU
    b) Briefly cover common autostart locations as well
  3) What files have been accessed?
    a) RecentDocs, ComDlg32, application-specific MRUs (Adobe, MS Office)
      aa) Highlight MS Office 2013 (new functionality = even more data stored in the registry)
  4) What websites have been visited (and when)?
    a) TypedURLs, TypedURLsTime (Windows 8)
  5) What USB devices have been connected to the system?
    a) USBSTOR, USB, EMDMgmt, MountPoints2, Shellbags

III. Tools for extracting information from the registry
  1) From offline hives
    a) RegRipper, AccessData Registry Viewer
  2) From a live system
    a) Registry Decoder, yaru

IV. The Impact of Anti-Forensics Tools
  1) Discuss what areas of the registry each of the following tools attempts to clean:
    a) CCleaner
    b) Privazer
    c) SecureDriveErase

V. Anti-Anti-Forensics
  1) Recovering deleted registry keys and values
  2) Utilizing the RegBack directory
  3) Utilizing Volume Shadow Copies

VI. Take-Aways (Summary)

Jason Hale is a Computer Forensic Examiner at One Source Discovery and has worked in the computer forensics field for the last six years. Jason earned his M.S. in Digital Forensics from the University of Central Florida, is a graduate of the Computer Information Systems Information Security track at the University of Louisville, currently serves as an adjunct instructor of Computer Forensics at the University of Louisville, and has been published in peer-reviewed technology journals including The Journal of Digital Investigation and the ISSA Journal. He is also a Certified Computer Examiner (CCE) and a member of the Consortium of Digital Forensic Specialists (CDFS). Jason enjoys researching new and existing computer forensic artifacts in an effort to determine as much as possible from the data residing on a digital device, and releases some of his findings, including custom scripts and applications, on his blog.
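As an added worked example (not part of the talk, and not the speaker's own tooling), the PowerShell below pulls two of the section II artifacts from a live system: UserAssist (II.2, "what applications have been executed") and TypedURLs together with TypedURLsTime (II.4, "what websites have been visited, and when"). The record layouts it assumes are the publicly documented ones rather than anything stated on this page: UserAssist value names are ROT13-encoded, Windows 7 and later store a 72-byte record with the run count as a UInt32 at byte offset 4 and the last-execution FILETIME at offset 60, Windows XP stores a 16-byte record with the count at offset 4 (starting from 5) and the FILETIME at offset 8, and each TypedURLsTime value is an 8-byte FILETIME in the same urlN slot as its TypedURLs counterpart. The sample record at the bottom is constructed, not taken from a real system, so the decoder can be exercised anywhere; the two Get- functions need a Windows session.

```powershell
# Added example: decode UserAssist and TypedURLs/TypedURLsTime from a live system.
# Offset assumptions (public documentation, not from the talk):
#   Win7+ UserAssist record: 72 bytes, run count = UInt32 at offset 4, last run = FILETIME at offset 60
#   WinXP UserAssist record: 16 bytes, run count = UInt32 at offset 4 minus 5, last run = FILETIME at offset 8

function ConvertFrom-Rot13 {
    param([Parameter(Mandatory)][string]$Text)
    $chars = foreach ($c in $Text.ToCharArray()) {
        $o = [int]$c
        if     ($o -ge 65 -and $o -le 90)  { [char]((($o - 65 + 13) % 26) + 65) }   # A-Z
        elseif ($o -ge 97 -and $o -le 122) { [char]((($o - 97 + 13) % 26) + 97) }   # a-z
        else                               { $c }                                   # digits, path separators, etc.
    }
    -join $chars
}

function ConvertFrom-UserAssistRecord {
    param([Parameter(Mandatory)][string]$EncodedName, [Parameter(Mandatory)][byte[]]$Data)
    $runCount = $null; $lastRun = $null
    if ($Data.Length -ge 68) {                         # Windows 7 and later layout
        $runCount = [BitConverter]::ToUInt32($Data, 4)
        $ft = [BitConverter]::ToInt64($Data, 60)
        if ($ft -gt 0) { $lastRun = [DateTime]::FromFileTimeUtc($ft) }
    } elseif ($Data.Length -ge 16) {                   # Windows XP layout
        $runCount = [BitConverter]::ToUInt32($Data, 4) - 5
        $ft = [BitConverter]::ToInt64($Data, 8)
        if ($ft -gt 0) { $lastRun = [DateTime]::FromFileTimeUtc($ft) }
    }
    [pscustomobject]@{
        Program    = ConvertFrom-Rot13 -Text $EncodedName
        RunCount   = $runCount
        LastRunUtc = $lastRun
    }
}

function Get-UserAssist {
    # Every {GUID}\Count subkey is decoded; the GUID itself only tells you which class of entry it is.
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist'
    foreach ($guidKey in Get-ChildItem -LiteralPath $base) {
        $countPath = "$base\$($guidKey.PSChildName)\Count"
        if (-not (Test-Path -LiteralPath $countPath)) { continue }
        $count = Get-Item -LiteralPath $countPath
        foreach ($name in $count.GetValueNames()) {
            $data = $count.GetValue($name)
            if ($data -is [byte[]]) { ConvertFrom-UserAssistRecord -EncodedName $name -Data $data }
        }
    }
}

function Get-TypedUrlHistory {
    $ie    = 'HKCU:\Software\Microsoft\Internet Explorer'
    $urls  = Get-Item -LiteralPath "$ie\TypedURLs"     -ErrorAction SilentlyContinue
    $times = Get-Item -LiteralPath "$ie\TypedURLsTime" -ErrorAction SilentlyContinue   # absent before Windows 8
    if (-not $urls) { return }
    foreach ($slot in $urls.GetValueNames()) {
        $typedAt = $null
        if ($times) {
            $raw = $times.GetValue($slot)              # 8-byte FILETIME stored under the matching urlN name
            if ($raw -is [byte[]] -and $raw.Length -ge 8) {
                $ft = [BitConverter]::ToInt64($raw, 0)
                if ($ft -gt 0) { $typedAt = [DateTime]::FromFileTimeUtc($ft) }
            }
        }
        [pscustomobject]@{ Slot = $slot; Url = $urls.GetValue($slot); TypedAtUtc = $typedAt }
    }
}

# Constructed sample record (not from any real system): run count 3, last run 2013-06-01 12:00:00 UTC.
$sample = New-Object byte[] 72
[BitConverter]::GetBytes([uint32]3).CopyTo($sample, 4)
[BitConverter]::GetBytes(([DateTime]::new(2013, 6, 1, 12, 0, 0, [DateTimeKind]::Utc)).ToFileTimeUtc()).CopyTo($sample, 60)
ConvertFrom-UserAssistRecord -EncodedName 'P:\Jvaqbjf\Flfgrz32\abgrcnq.rkr' -Data $sample

if ($env:OS -eq 'Windows_NT') {
    Get-UserAssist | Where-Object LastRunUtc | Sort-Object LastRunUtc -Descending | Select-Object -First 10 | Format-Table -AutoSize
    Get-TypedUrlHistory | Format-Table -AutoSize
}
```

The constructed record decodes to C:\Windows\System32\notepad.exe with a run count of 3 and the timestamp above, which is a quick way to confirm the offsets before trusting the live output. Timestamps are left in UTC on purpose; convert to local time only after you know the examined machine's time zone from the System hive. Reading HKCU on a live box only shows the logged-on user's Ntuser.dat, so other profiles still need their hives parsed offline with the section III tools.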
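For section V, a second added example (again not the talk's material) checks the two recovery sources it names on a live system: the RegBack directory and Volume Shadow Copies, and then copies hives out of the oldest shadow copy for offline parsing. It must run in an elevated PowerShell session. One caveat the talk predates: starting with Windows 10 version 1803, Windows no longer backs the registry up to RegBack automatically, so those files are usually 0 bytes unless the EnablePeriodicBackup value has been set, which makes shadow copies the more dependable of the two. The GLOBALROOT device path form and the cmd.exe copy are the assumptions here; the user-profile path also assumes the profile lives on the shadowed system volume.

```powershell
# Added example: anti-anti-forensics sources on a live system (run elevated).
$config = "$env:SystemRoot\System32\config"

# 1) RegBack: hive copies written by the RegIdleBackup scheduled task. A zero-byte file means nothing
#    was backed up, the default since Windows 10 1803 unless
#    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager\EnablePeriodicBackup = 1.
Get-ChildItem -LiteralPath "$config\RegBack" -File |
    Select-Object Name, Length, LastWriteTime, @{ n = 'Populated'; e = { $_.Length -gt 0 } } |
    Format-Table -AutoSize

# 2) Volume Shadow Copies: each one is a point-in-time image of the whole volume, hives included.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate
$shadows | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize

# 3) Copy a hive out of a shadow copy. DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN;
#    cmd.exe's copy accepts that path form directly, which is why it is used instead of Copy-Item.
function Copy-HiveFromShadow {
    param(
        [Parameter(Mandatory)][string]$DeviceObject,   # from Win32_ShadowCopy.DeviceObject
        [Parameter(Mandatory)][string]$RelativePath,   # path below the volume root, e.g. Windows\System32\config\SOFTWARE
        [Parameter(Mandatory)][string]$Destination     # output directory, created if missing
    )
    $src = "$DeviceObject\$RelativePath"
    $null = New-Item -ItemType Directory -Path $Destination -Force
    & cmd.exe /c copy /b $src $Destination | Out-Null
    Get-Item -LiteralPath (Join-Path $Destination (Split-Path $RelativePath -Leaf))
}

if ($shadows) {
    $oldest = $shadows[0]
    $out = Join-Path $env:TEMP ('hives_' + $oldest.InstallDate.ToString('yyyyMMdd_HHmmss'))
    Copy-HiveFromShadow -DeviceObject $oldest.DeviceObject -RelativePath 'Windows\System32\config\SOFTWARE' -Destination $out
    Copy-HiveFromShadow -DeviceObject $oldest.DeviceObject -RelativePath 'Windows\System32\config\SYSTEM'   -Destination $out
    Copy-HiveFromShadow -DeviceObject $oldest.DeviceObject -RelativePath "Users\$env:USERNAME\NTUSER.DAT"   -Destination $out
}
```

The copied hives can then be run through RegRipper or another section III offline parser and diffed against the live hives; keys a cleaner such as CCleaner removed from the live Ntuser.dat are still present in the shadow-copy version if the snapshot predates the cleaning run. Treat the snapshot's InstallDate as the upper bound on how fresh that evidence is.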
If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.
Copyright 2020, IronGeek