Posted on April 8th, 2008 by Harlan
You’re probably looking at the title of this blog post and thinking…what? What’s he talking about? Well, as an incident analyst (which includes performing forensic examinations), I many times have to attempt to determine user login times, user activity on the system (applications run, files opened or modified), USB removable storage devices connected to the system (what type of device, and when it was connected), as well as a wide variety of other bits of information. On Windows systems, an excellent resource for this information is the Windows Registry, which is described by MS as “a central hierarchical database used in Microsoft Windows…used to store information that is necessary to configure the system for one or more users, applications and hardware devices.” (KB256986).
At its core, the Registry consists of different types of cells, the two primary types that we’re interested in being keys and values. Registry keys appear in Registry viewers such as RegEdit as the folders in the left-hand pane, and values appear in the right-hand pane along with their associated data.
Registry keys have a value associated with them called their “LastWrite time”. This is an 8-byte FILETIME object that records the date and time that the key was last modified (in this way, it is analogous to a files last modification time). Therefore, if a value or subkey is added to or deleted from a key, then the LastWrite time will be updated accordingly. (NOTE: As of yet, I have been unable to locate a publicly accessible API for modifying a key’s LastWrite time to an arbitrary value; there are, however, publicly available APIs for modifying file MAC times.)
Registry values do not have timestamps built into their structures the way that keys do, but many values include FILETIME objects embedded within their binary data. For example, beneath the UserAssist keys, many of the values found within the Count subkey have 16 bytes of binary data associated with them, and the last 8 bytes is a FILETIME object, indicating when that action was last taken. In addition, there are several values whose data is simply a 4-byte Unix time value.
The key to viewing the Registry as a log file is to understand what actions within the system cause various Registry keys and values (particularly values that record a timestamp) to update their timestamp value. In this way, we can then associate that action with a specific date and time.
For example, when a user accesses a file via one of the many graphical user interface (GUI) applications available for Windows, the application will maintain a list of the recently accessed files, so that those files can be quickly accessed at a later date, simply by opening the application and clicking on the File menu item…in many cases, the list of recently accessed files appears at or near the bottom of the drop-down menu. This is referred to as a “most recently used” or MRU list. In many Windows applications, the MRU list is maintained within a key, and the values within the key are updated each time a file is accessed with that application. Therefore, the most recently accessed file (as maintained by either the value naming scheme, or within an MRUList or MRUListEx value) can be directly associated with the key’s LastWrite time. By understanding the modification technique for various applications on the system, and then querying all of those keys and values, a forensic analyst can develop a timeline of when specific files were accessed by a user.
I mentioned the UserAssist keys earlier…beneath these keys, the Count subkeys contain a wealth of information about user activities that can be used by a forensic analyst to associate a specific user action (double-clicking an application icon, navigating the Start->Programs menu to launch an application, etc.) to the last time that that action had been performed. For example, this type of Registry analysis has been used to clearly demonstrate that a user account was used to install, launch, and then uninstall a password cracking application on a compromised host. While there were no easily discernible indications of this activity within the file system itself, the contents of the user account’s NTUSER.DAT hive file clearly showed not only that this activity occurred, but when.
There are a wide variety of Registry keys within the various hive files that can be used to answer a number of questions. For example, Registry keys and values can be used to determine which USB removable storage devices had been connected to a system (as well as the date/time that they were last disconnected from the system), when the system had last been connected to particular wireless SSIDs, the last time users had connected to remote systems and network shares, etc.
The Registry maintains a great deal of configuration information about the system, as well as about user activities. The fact that the Registry also maintains timestamps for a great number of actions and modifications that occur on the system clearly demonstrates that for a forensic analyst the Registry is a prolific and detailed log file. What’s currently missing for forensic analysts is a tool that provides that information in an easy-to-view and understand manner. This is an issue I will be addressing, through the use of a specific tool (dubbed “RegRipper”) in my next blog post.
Thanks!
Posted in The Art of Log Analysis |
The Academy (