# Registry

## Registry Examination

### Online registry analysis

* Registry analysis in active system
* Viewable through RegEdit (regedit.exe), RegEdt32 (regedt32.exe) (<http://support.microsoft.com/kb/141377>)

The data is stored in a tree structure: each top-level container is called a hive, its subfolders are called keys and subkeys, and each component’s configuration settings are stored as values.

| Root key                | Abbreviation | Explanation                                                                                             |
| ----------------------- | ------------ | ------------------------------------------------------------------------------------------------------- |
| HKEY\_CLASSES\_ROOT     | HKCR         | HKLM\SOFTWARE\Classes and HKU\Classes                                                                   |
| HKEY\_CURRENT\_USER     | HKCU         | Subkey of the currently logged in user among the user profiles under HKU                                |
| HKEY\_LOCAL\_MACHINE    | HKLM         | Collection of hive files and memory hive existing on the system                                         |
| HKEY\_USERS             | HKU          | NTUSER.DAT file existing in the user root folder                                                        |
| HKEY\_CURRENT\_CONFIG   | HKCC         | Contents of HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current                                     |
| HKEY\_PERFORMANCE\_DATA | HKPD         | Performance count (not accessible through the registry editor, accessible only with registry functions) |

![Registry Key and Value](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MFEylzAhUxiA062ewmY%2F-MFEynRzws2Cnujw3-Wo%2Fimage.png?alt=media\&token=2aa3ea99-1681-43d1-b1f8-1639c63f7a22)

### Offline registry analysis

* Registry analysis in inactive systems (forensic replication drives or images)
* Registry Hive file needs to be collected

#### Registry extraction

* Locate the registry hive files and export them
* Use FTK Imager to export the folder Windows\System32\config

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MehGKgqdUA7jdcOixhz%2F-MehGO6dWaz5fNJOuSyD%2Fimage.png?alt=media\&token=af45e391-b1c7-49c8-938d-0f3961d0dc34)

#### Regripper

* Select the corresponding registry hive file and the report location

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MehGKgqdUA7jdcOixhz%2F-MehGUrG4PQ20FAnGkud%2Fimage.png?alt=media\&token=1982e14e-9df4-4c56-a72b-5501b404b81a)

* Continue by loading the other remaining hive files (e.g. SECURITY, SOFTWARE, SYSTEM, NTUSER.DAT)

#### Registry Explorer

* Open the Registry Explorer (Eric Zimmerman)
* Select the Registry to view

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MehGKgqdUA7jdcOixhz%2F-MehGZn97emhBCxrjinB%2Fimage.png?alt=media\&token=8120d4f2-06c4-4a45-86fa-f1064b3c8071)

#### System specific hive

Windows maintains five main registry hives in the path below:

```
%SYSTEMROOT%\system32\config
```

Hive file names:

```
SYSTEM, SECURITY, SOFTWARE, SAM, DEFAULT.
```

#### User specific hive

| Version                           | Path                                                                                                                             |
| --------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- |
| Windows XP and Server 2003        | • \Documents and Settings\NTUSER.DAT    • \Documents and Settings\Local Settings\Application Data\Microsoft\Windows\USRCLASS.DAT |
| Windows Vista, 7, and Server 2008 | • \Users\NTUSER.DAT    • \Users\AppData\Local\Microsoft\Windows\USRCLASS.DAT                                                     |

#### Mapping

| Rootkey               | Files                                                                                                 |
| --------------------- | ----------------------------------------------------------------------------------------------------- |
| HKLM\Software         | SOFTWARE                                                                                              |
| HKLM\Security         | SECURITY                                                                                              |
| HKLM\System           | SYSTEM                                                                                                |
| HKLM\SAM              | SAM                                                                                                   |
| HKU\\.DEFAULT         | DEFAULT                                                                                               |
| HKU\\{SID}            | NTUSER.DAT                                                                                            |
| HKU\\{SID}\_Classes   | USRCLASS.DAT                                                                                          |
| HKEY\_CURRENT\_CONFIG | HKEY\_LOCAL\_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\XXXX (i.e. HKLM\SYSTEM\ControlSetXXX) |

### System Configuration Registry Keys

| Key                                                | Value                           | Description                                        |
| -------------------------------------------------- | ------------------------------- | -------------------------------------------------- |
| HKLM\System\CurrentControlSet\Control\Computername | Computername, ActiveComputername | Name of the computer                               |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion     |                                 | Basic information about the version of the Windows |

#### CurrentVersion

![SOFTWARE\Microsoft\Windows CurrentVersion](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MFFG7AzMnjC_xoQtgDQ%2F-MFFGE53_PIrbTbCPHNY%2Fimage.png?alt=media\&token=f22c5c94-b87a-47a4-9e0b-29c1165783da)

```
SOFTWARE\Microsoft\Windows\CurrentVersion
```

### Last logged in user

```
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
```

* ***DefaultUserName*** value represents the last logged in user

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MFFb-PE0R1Dh7EWr9Bo%2F-MFFfrBXTdcfR4ta2Ug-%2Fimage.png?alt=media\&token=6eee6e5f-d6f6-4864-aa2a-6960e35d42ba)

### MRUs

#### Recently opened files (Explorer)

```
HKU\{USER}\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
```

This key can contain quite a number of values, all of which are binary data types. We are interested in the values that have numbers as names, which contain the names of the files accessed (in Unicode), and the value named **MRUListEx**, which records the order in which the files were accessed (as DWORDs). Given that adding a value and its associated data to the key, as well as modifying the MRUListEx value, constitutes modifying the key, the **LastWrite time of the RecentDocs key will tell us when the most recent file was accessed**.

* Files such as recently opened documents, pictures, music, and videos
* 2000/XP – My Recent Documents
* Vista/7 – Recent Items
* Check the order in which the files were accessed through the MRUListEx value

```
HKU\{USER}\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.MOV
```

The RecentDocs key also has a number of subkeys, each one being the extension of a file that was opened (.doc, .txt, .html, etc.). The values within these subkeys are maintained in the same way as in the RecentDocs key: The value names are numbered, and their data contains the name of the file accessed as a binary data type (in Unicode). Another value called MRUListEx is also a binary data type and maintains the order in which the files were accessed, most recent first, as DWORDs.

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-Mj8sUILk1askJCOjQu7%2F-Mj8uPaEwYHQFkdCO2cB%2Fimage.png?alt=media\&token=15c42ed9-e0f7-458b-9816-287f8eefa6f3)

#### Recently executed command (Explorer)

```
HKU\{USER}\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
```

* List of commands executed through “Start -> Run” or “Ctrl + R”
* The order of execution is recorded in the MRUList value, which lists the letter-named values from most recent to oldest.

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MFFia75xdScy9bZ1v03%2F-MFFjACzeWZs1QN9Ue-k%2Fimage.png?alt=media\&token=914512a1-ee0e-4ee6-9573-2f5ba0b0ea49)

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-Mj8uSKaRUo2N70k2TgQ%2F-Mj8vO323TAKVu7j7gG1%2Fimage.png?alt=media\&token=90e7cda3-5188-442f-83c6-bdc326e7e182)

**The MRUList value within the RunMRU key tells** us that the most recent item to be typed into the Run box is item "e".
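To make the MRUListEx and MRUList conventions above concrete, here is an added Python example (not code from the original page) that parses constructed RecentDocs and RunMRU value data: the numbered RecentDocs values hold a UTF-16LE file name, MRUListEx is a list of little-endian DWORDs terminated by 0xFFFFFFFF, and RunMRU's MRUList is a plain string of value-name letters. The sample bytes and the `\1` suffix stripped from RunMRU commands are constructed for illustration.

```python
import struct

# Constructed RecentDocs values (not from a real system): a numbered value holds the
# file name as UTF-16LE, double-null terminated, followed by shell-item bytes that
# are shortened here to a few filler bytes.
def _recentdocs_value(name: str) -> bytes:
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x32\x00\x00\x00"

SAMPLE_RECENTDOCS = {
    "0": _recentdocs_value("report.docx"),
    "1": _recentdocs_value("budget.xlsx"),
    "2": _recentdocs_value("notes.txt"),
    # MRUListEx: DWORDs 2, 0, 1 (most recent first) plus the 0xFFFFFFFF terminator
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
}

# Constructed RunMRU values: names are letters, MRUList gives the order of use.
SAMPLE_RUNMRU = {"a": "cmd\\1", "b": "notepad\\1", "c": "regedit\\1", "MRUList": "cba"}


def parse_mrulistex(data: bytes) -> list[int]:
    """Return the numeric value names listed in MRUListEx, most recent first."""
    order = []
    usable = data[: len(data) - len(data) % 4]  # ignore a trailing partial DWORD
    for (n,) in struct.iter_unpack("<I", usable):
        if n == 0xFFFFFFFF:  # list terminator
            break
        order.append(n)
    return order


def parse_recentdocs_name(data: bytes) -> str:
    """Extract the UTF-16LE file name that begins a numbered RecentDocs value."""
    end = 0
    while end + 1 < len(data):
        if data[end] == 0 and data[end + 1] == 0:  # double-null terminator
            break
        end += 2
    return data[:end].decode("utf-16-le")


def recentdocs_order(values: dict[str, bytes]) -> list[str]:
    """Resolve MRUListEx into file names, most recently accessed first."""
    return [parse_recentdocs_name(values[str(n)]) for n in parse_mrulistex(values["MRUListEx"])]


def runmru_order(values: dict[str, str]) -> list[str]:
    """Order RunMRU commands by MRUList and strip the trailing '\\1' Explorer appends."""
    ordered = []
    for letter in values["MRUList"]:
        cmd = values[letter]
        ordered.append(cmd[:-2] if cmd.endswith("\\1") else cmd)
    return ordered


if __name__ == "__main__":
    print(recentdocs_order(SAMPLE_RECENTDOCS))  # notes.txt first
    print(runmru_order(SAMPLE_RUNMRU))          # regedit first
```

Only the first entry of the order can be tied to the key's LastWrite time; the remaining entries give relative order, not timestamps.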

* List of files opened in Paint

```
HKU\{USER}\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
```

File{#Number}: the lower the number, the more recently the file was opened (File1 is the most recent); the values are written when Paint exits.

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MFFI5UCeBxKgvfgtH-t%2F-MFFI8G-gnP-quKyU0jt%2Fimage.png?alt=media\&token=bbb0949d-67e4-47ba-bb24-764bf85222db)

#### Microsoft Office usage trace

* Recently opened folder

  ```
  HKU\{USER}\SOFTWARE\Microsoft\Office\{VERSION}\{APP}\Place MRU
  ```
* Recently used files

  ```
  HKU\{USER}\SOFTWARE\Microsoft\Office\{VERSION}\{APP}\File MRU
  ```
* Stores separate traces for each application and version
* Includes information such as recently opened folders, recently used files, recently used pages, recently accessed URLs, etc.

![File MRU with Registry Explorer](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MFFaNEDmtjus1wl6Ohw%2F-MFFauc3UtVU3ZQdkDBH%2Fimage.png?alt=media\&token=7dd4ba72-3797-466a-889c-36a597b85a7e)

#### Search term list (Explorer)

**Windows 7**

```
HKU\{USER}\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
```

* List of search terms when using search in Windows 7 Explorer
* Vista does not store the search term list in the registry.
* Check the order of search word usage through the MRUListEx key value
* 10 -> 0F -> 0E -> 0D -> 0C -> 0B -> 0A -> 04 -> 09 -> 08 -> 07 -> 06 -> 05 -> 03 -> 02 -> 01 -> 00

#### Typed URLs (Internet Explorer)

```
HKU\{USER}\SOFTWARE\Microsoft\Internet Explorer\TypedURLs
```

The TypedURLs key maintains a list of the URLs the user types into the Address bar in Internet Explorer. Unlike the MRU keys above, the value names within the TypedURLs key are ordered with the most recently typed URL having the lowest number; consequently, this key doesn’t have an MRUList or MRUListEx value.

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-Mj8xzuGGapgnkMTKduX%2F-Mj8yhdXx0yIj1thEWhR%2Fimage.png?alt=media\&token=3b902924-a2f1-4037-be63-162cd2a863d4)

### UserAssist

### USB

USB storage medium identification procedure

1. When a USB storage medium is connected, the bus driver notifies the PnP manager.
2. The connection notification carries the device's unique identification (device descriptor).
3. The device descriptor includes the manufacturer, serial number, driver information, etc.
4. The PnP manager builds the Device Class ID from the received information and searches for a suitable driver.
5. If no driver is present, the user-mode PnP manager obtains the driver from the device's firmware, loads it, and records it in the registry.

```
HKLM\SYSTEM\ControlSet00X\Enum\USBSTOR\{DID, device class identifier}
HKLM\SYSTEM\ControlSet00X\Control\DeviceClasses\{GUID}
```

1. The device **driver installation process** is **saved in a log file**.
2. As a result, traces of USB devices can be identified through the log file (**setupapi.log**) and the registry.

Precautions when checking the last modification time of registry keys

* Each registry key stores the last modification time of that key.
* Various USB traces can be dated using this last modification time, but the times of the Enum\USB and Enum\USBSTOR subkeys should not be relied on.
* Under the security policy of Windows Vista/7, the PnP manager frequently accesses these subkeys to set their security settings.
  * The RegSetKeySecurity API call updates the last modification time

#### USB Registry Keys

#### Serial number

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MhNWfOTR2NLTTGfT74M%2F-MhNWkWWdmNFzo1DUz_l%2Fimage.png?alt=media\&token=355832f6-f7b0-4b17-92a1-76a5a93aefac)

```
HKLM\SYSTEM\ControlSet00X\Enum\USBSTOR\{Device Class ID}
```

* The Device Class ID format shows the manufacturer, product name, and version information
* For example: `Ven_<Manufacturer>&<Product Name>&Rev_<Version>`

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MhlogFMW2t2hiWG2zvT%2F-MiPq1L8Q9hU1sGYCBwk%2Fimage.png?alt=media\&token=b7b05836-6b67-4000-a943-d1b4d752592c)

* The serial number is a sub-key of the Device Class ID

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MhlogFMW2t2hiWG2zvT%2F-MiPptGiaBIXPLqOE7u9%2Fimage.png?alt=media\&token=4a024be7-2f20-402f-b5e5-2f65272eb115)

* If the USB device has a unique serial number from its manufacturer, &0 or &1 is appended to the end of the serial number.
* If instead the second character is an &, the device does not have a unique serial number and Windows has issued one which is unique to the local system only.

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MiPsBqmDBlq0joXM_fL%2F-MiPsFQiWSvM4YpDfH4T%2Fimage.png?alt=media\&token=2f8406c2-79df-4ff5-800f-9ba80f2cff4f)

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MFFndrKq4Ddghrf_Th9%2F-MFFnkhj4O4qx9OSN5Zc%2Fimage.png?alt=media\&token=542e03cb-734d-4a67-afbf-0585b26002bd)

#### Vendor ID, Product ID

```
HKLM\SYSTEM\ControlSet00X\Enum\USB
```

* `VID_####&PID_####` -> Vendor ID, Product ID
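The three USB identifiers described above (the Device Class ID, the serial number or Windows-issued instance ID with its &0 suffix, and the VID/PID pair) can be pulled apart with a small parser. The following Python is an added example, not code from the original page; the key paths it parses are constructed, and it assumes the `Disk&` prefix and `Prod_` tag that appear in USBSTOR key names on real systems in addition to the `Ven_`/`Rev_` tags shown above.

```python
import re

# Constructed sample subkey paths (not from a real system), shaped like the
# USBSTOR\<Device Class ID>\<Serial> and USB\VID_####&PID_####\<Serial> keys.
SAMPLE_USBSTOR_UNIQUE = "Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP\\001CC0EC3F11EAC0F15C0F4B&0"
SAMPLE_USBSTOR_GENERATED = "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\7&1a2b3c4d&0"
SAMPLE_USB_VIDPID = "VID_0951&PID_1666\\001CC0EC3F11EAC0F15C0F4B"

# Device Class ID: <type>&Ven_<manufacturer>&Prod_<product>&Rev_<version>
DEVICE_CLASS_RE = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>.*)$"
)
VIDPID_RE = re.compile(r"^VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})$")


def parse_usbstor_instance(path: str) -> dict:
    """Split a USBSTOR subkey path into class fields and classify its instance ID."""
    class_id, _, instance = path.partition("\\")
    m = DEVICE_CLASS_RE.match(class_id)
    if not m or not instance:
        raise ValueError(f"not a USBSTOR instance path: {path!r}")
    info = {k: m.group(k) for k in ("type", "vendor", "product", "rev")}
    info["instance_id"] = instance
    # A manufacturer serial ends in &0/&1; a Windows-issued ID has '&' as its second character.
    info["unique_serial"] = len(instance) > 1 and instance[1] != "&"
    info["serial"] = instance.rsplit("&", 1)[0] if info["unique_serial"] else None
    return info


def parse_usb_vidpid(path: str) -> dict:
    """Extract Vendor ID and Product ID from a USB\\VID_####&PID_####\\<instance> path."""
    head, _, instance = path.partition("\\")
    m = VIDPID_RE.match(head)
    if not m:
        raise ValueError(f"not a VID/PID key: {path!r}")
    return {"vid": m.group("vid").upper(), "pid": m.group("pid").upper(), "instance_id": instance}


if __name__ == "__main__":
    for p in (SAMPLE_USBSTOR_UNIQUE, SAMPLE_USBSTOR_GENERATED):
        print(parse_usbstor_instance(p))
    print(parse_usb_vidpid(SAMPLE_USB_VIDPID))
```

The `unique_serial` flag is what decides whether the serial can be used to match the same physical device across different machines; a Windows-issued instance ID only identifies it on the system that created it.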

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MFFndrKq4Ddghrf_Th9%2F-MFFnhmLx83GiIPURyVW%2Fimage.png?alt=media\&token=3121acaa-cf69-4e57-bb8c-a0e4b58e8787)

#### Connected volume name

```
HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices
```

Under Devices, look for a subkey whose name includes the product name or serial number

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MhNX8PBEFnIsH2HBCxp%2F-MhNXQczVRzlzoEEheCp%2Fimage.png?alt=media\&token=c180a4e1-7e50-46ca-8f7f-4a44970e89fe)

***FriendlyName (i.e. Volume Name)***

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MFFsgSSsk8jXfokZlb4%2F-MFFtGw26XCOsemmleC9%2Fimage.png?alt=media\&token=72cb27cd-8869-4925-9c32-09b76143fa69)

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MFFsgSSsk8jXfokZlb4%2F-MFFtNfH7UNqyvs6sDcA%2Fimage.png?alt=media\&token=54979944-9aa6-4e37-8cf3-1a3f489ba551)

In this example, here the **FriendlyName** (i.e. Volume Name) is KINGSTON

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MhNX8PBEFnIsH2HBCxp%2F-MhNXuHMkvXwzAYN2PNJ%2Fimage.png?alt=media\&token=39f0c12b-a4c0-42c6-8f29-04212ef9b0ae)

One more example, here the **FriendlyName** (i.e. Volume Name) is FOR408-USB

If the serial number does not appear in the subkey name (as in the second example), go to the following key and look for the bracketed value (i.e. {c0b076c....})

```
SYSTEM\CurrentControlSet\Enum\USBSTOR\<Device>\<SerialNumber>\Device Parameters\Partmgr
```

![1. Find the value in the USBSTOR key](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-Mj8PL4-LXgf30428SNk%2F-Mj8R5eZngUBjb4kFrN1%2Fimage.png?alt=media\&token=b829452e-05ce-49ae-81a2-864ff71fa623)

![2. Find the USB under the Devices Key](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-Mj8PL4-LXgf30428SNk%2F-Mj8RYMp5PrtuC53zmQb%2Fimage.png?alt=media\&token=f3aab3a7-ed29-4aa6-aad9-cb8ebe388be4)

![3. Look up the FriendlyName of the Key](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-Mj8PL4-LXgf30428SNk%2F-Mj8RkRGlQVdPxVHwbKQ%2Fimage.png?alt=media\&token=4b28b16b-82a7-421c-965c-f11157a306c9)

Then we can correlate that bracketed value with the matching subkey under Windows Portable Devices\Devices.

#### Volume Serial Number

* The VSN is created by Windows Vista and later operating systems each time the device is formatted.

```
SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
```

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-Mj8ZAID0DAbEGa_52uL%2F-Mj8ZIM2hys1rzM9yOrh%2Fimage.png?alt=media\&token=71feef56-5297-4ba5-9cf2-4a5fdb9f24bb)

EMDMgmt stores the Volume Serial Number as a **decimal** number, whereas the Volume Serial Number is normally shown in **hexadecimal**. Convert this value to hex and you have your Volume Serial Number.

You can check with the **vol** command with the device connected.

*Note: The Volume Serial Number can change for the device if it is formatted, as the Volume Serial Number is allocated after the Format.*

*Note: It is important to make note of the Volume Serial Number and the Volume Name for use in analysing the Link (.lnk) files*
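As an added example (not code from the original page), the Python below performs the decimal-to-hexadecimal conversion described above and also pulls the volume name and decimal VSN out of an EMDMgmt subkey name. The subkey name is constructed, and the `...}<VolumeName>_<decimal VSN>` layout at its end is an assumption about how the names in the screenshot are built.

```python
# Constructed EMDMgmt subkey name (not from a real system). Assumed layout:
# _??_USBSTOR#<Device Class ID>#<Serial>#{GUID}<VolumeName>_<decimal VSN>
SAMPLE_EMDMGMT_KEY = (
    "_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP"
    "#001CC0EC3F11EAC0F15C0F4B&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    "KINGSTON_2041093404"
)


def vsn_to_hex(decimal_vsn: int) -> str:
    """Render a decimal VSN in the XXXX-XXXX hexadecimal form that 'vol' prints."""
    if not 0 <= decimal_vsn <= 0xFFFFFFFF:
        raise ValueError("a Volume Serial Number is a 32-bit value")
    h = f"{decimal_vsn:08X}"
    return f"{h[:4]}-{h[4:]}"


def hex_to_vsn(text: str) -> int:
    """Reverse conversion, so a VSN taken from 'vol' or a .lnk file can be matched against EMDMgmt."""
    return int(text.replace("-", ""), 16)


def parse_emdmgmt_key(name: str) -> dict:
    """Return the volume name and VSN (decimal and hex) encoded in an EMDMgmt subkey name."""
    if "}" not in name:
        raise ValueError("no GUID found in key name")
    tail = name.rsplit("}", 1)[1]            # text after the closing brace of the GUID
    volume, sep, vsn = tail.rpartition("_")  # last underscore separates name from VSN
    if not sep or not vsn.isdigit():
        raise ValueError(f"unexpected EMDMgmt key suffix: {tail!r}")
    return {"volume_name": volume, "vsn_decimal": int(vsn), "vsn_hex": vsn_to_hex(int(vsn))}


if __name__ == "__main__":
    print(parse_emdmgmt_key(SAMPLE_EMDMGMT_KEY))
```

Because the VSN changes on every format, a mismatch between the EMDMgmt entry and the VSN stored in a .lnk file indicates the device was reformatted between the two observations, not necessarily a different device.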

#### Determine the Drive Letter

```
SYSTEM\MountedDevices
```

* When a USB removable storage device is connected to a Windows system, it is assigned a drive letter; that drive letter shows up in the MountedDevices key.
* If the device is assigned the drive letter F:\\, the value in the MountedDevices key will appear as \DosDevices\F:.
* We can map the entry from the USBSTOR key to the MountedDevices key using the **ParentIdPrefix** value found within the unique instance ID key for the device.
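The drive-letter mapping above can be automated once the MountedDevices value data is decoded. The following Python is an added example, not code from the original page: it assumes that the \DosDevices\X: values for USB devices hold UTF-16LE text beginning either with `_??_USBSTOR#` (followed by the Device Class ID and the serial) or with `\??\STORAGE#RemovableMedia#` (followed by the ParentIdPrefix and `&RM`), and that basic-disk entries are 12-byte binary values. All value data and the USBSTOR index are constructed.

```python
# Constructed MountedDevices values (REG_BINARY data holding UTF-16LE text for
# USB devices; a 4-byte disk signature plus 8-byte offset for a basic disk).
GUID = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
SAMPLE_MOUNTED_DEVICES = {
    "\\DosDevices\\F:": (
        "_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP"
        "#001CC0EC3F11EAC0F15C0F4B&0#" + GUID
    ).encode("utf-16-le"),
    "\\DosDevices\\E:": ("\\??\\STORAGE#RemovableMedia#7&1b2c3d4e&0&RM#" + GUID).encode("utf-16-le"),
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d4") + b"\x00" * 8,  # basic disk, not USB
}

# Constructed index built from USBSTOR: instance ID -> ParentIdPrefix value
SAMPLE_USBSTOR_INDEX = {
    "001CC0EC3F11EAC0F15C0F4B&0": None,          # Vista+ entry, matched by serial
    "8&2f3e4d5c&0": "7&1b2c3d4e&0",               # XP-style entry, matched by ParentIdPrefix
}


def decode_mounted_value(data: bytes):
    """Return the UTF-16LE text of a MountedDevices value, or None for a basic-disk entry."""
    if len(data) == 12:
        return None
    try:
        return data.decode("utf-16-le")
    except UnicodeDecodeError:
        return None


def usb_drive_letters(values: dict) -> dict:
    """Map drive letters to the USB identifier found in their MountedDevices data."""
    result = {}
    for name, data in values.items():
        if not name.startswith("\\DosDevices\\"):
            continue  # skip \??\Volume{GUID} entries for this purpose
        text = decode_mounted_value(data)
        if text is None:
            continue
        letter = name.rsplit("\\", 1)[1]
        parts = text.split("#")
        if text.startswith("_??_USBSTOR#") and len(parts) >= 3:
            result[letter] = {"kind": "serial", "id": parts[2]}
        elif text.startswith("\\??\\STORAGE#RemovableMedia#") and len(parts) >= 3:
            prefix = parts[2][:-3] if parts[2].endswith("&RM") else parts[2]
            result[letter] = {"kind": "parent_id_prefix", "id": prefix}
    return result


def match_usbstor(letters: dict, usbstor_index: dict) -> dict:
    """Resolve each drive letter to the USBSTOR instance ID it belongs to."""
    by_prefix = {v: k for k, v in usbstor_index.items() if v}
    matched = {}
    for letter, entry in letters.items():
        if entry["kind"] == "serial" and entry["id"] in usbstor_index:
            matched[letter] = entry["id"]
        elif entry["kind"] == "parent_id_prefix" and entry["id"] in by_prefix:
            matched[letter] = by_prefix[entry["id"]]
    return matched


if __name__ == "__main__":
    print(match_usbstor(usb_drive_letters(SAMPLE_MOUNTED_DEVICES), SAMPLE_USBSTOR_INDEX))
```

Drive letters are reused, so a letter in MountedDevices reflects only the most recent device mounted there; earlier assignments must come from other artifacts.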

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MjCk6JUdBWQZGxPwdy2%2F-MjCnEc33i08EY0AtOoj%2Fimage.png?alt=media\&token=a30b4b64-f241-41f8-b2d6-6ab7f7b75a5b)
