Source: https://www.hackers-arise.com/post/2016/10/21/Digital-Forensics-Part-5-Analyzing-the-Windows-Registry-for-Evidence
OTW

May 19, 2020, 7 min read
DIGITAL FORENSICS, PART 5: ANALYZING THE WINDOWS REGISTRY FOR EVIDENCE

Updated: Dec 30, 2022





Although nearly all Microsoft Windows users are aware that their system has a
registry, few understand what it does, and even fewer understand how to
manipulate it for their purposes. For a forensic analyst, the registry can be a
treasure trove of evidence of what, where, when, and how something occurred on
the system.







In this article, I want to help you to understand how the Windows registry works
and what evidence it leaves behind when someone uses the system for good or ill.







What Is the Registry?







The registry is a database of configuration information about the users,
hardware, and software on a Windows system. Although it was designed to
configure the system, doing so requires it to track a plethora of information:
the user's activities, the devices connected to the system, what software was
used and when, and much more. All of this can be useful to the forensic
investigator in establishing the who, what, where, and when of an
investigation. The key is simply knowing where to look.







Hives







Inside the registry, there are root folders. These root folders are referred to
as hives. There are five registry hives:



 * HKEY_USERS: contains all the loaded user profiles

 * HKEY_CURRENT_USER: profile of the currently logged-on user

 * HKEY_CLASSES_ROOT: configuration information on the applications used to open
   files

 * HKEY_CURRENT_CONFIG: hardware profile of the system at startup

 * HKEY_LOCAL_MACHINE: configuration information including hardware and software
   settings





REGISTRY STRUCTURE







The registry is structured very similarly to the Windows directory/subdirectory
structure: you have the five root keys (hives) and then subkeys, and in some
cases sub-subkeys. Each subkey holds named values that are displayed in the
contents pane. Very often the values are simply 0 or 1, meaning off or on, but
they can also contain more complex data, usually displayed in hexadecimal.

ACCESSING THE REGISTRY







On our own system (not in a forensic setting) we can access the registry with
the regedit utility built into Windows. Simply type regedit in the search box
and click the result to open the Registry Editor, as shown in the screenshot
below.

Information in the Registry with Forensic Value







As a forensic investigator, the registry can prove to be a treasure trove of
information on who, what, where, and when something took place on a system that
can directly link the perpetrator to the actions being called into question.







Information that can be found in the registry includes:



 * Users and the time they last used the system

 * Most recently used software

 * Any devices mounted to the system including unique identifiers of flash
   drives, hard drives, phones, tablets, etc.

 * When the system connected to a specific wireless access point

 * What and when files were accessed

 * A list of any searches done on the system

 * And much, much more









Wireless Evidence in the Registry







Many hackers crack a local wireless access point and use it for their
intrusions. In this way, if the IP address is traced, it will lead back to the
neighbor's or other wireless AP and not them.







For example, back in January 2012, an Anonymous member, John Borrell III, hacked
into the computer systems of the Salt Lake City police department and the Utah
Chiefs of Police. The FBI was called in to investigate and they traced the
hacker back to the IP address of Blessed Sacrament Church's Wi-Fi AP in Toledo,
Ohio. The hacker had apparently cracked the password of the church's wireless AP
and was using it to hack "anonymously" on the Internet.



Eventually, the FBI was able to find the suspect through various investigation
techniques, mostly low-tech, exhaustive, detective work. It helped that John
Borrell had bragged on Twitter of his success as a hacker. Eventually, Mr.
Borrell was convicted and sentenced to two years in Federal prison.







When the FBI tracked down Mr. Borrell and seized his computer, they were able to
prove he had been connected to the church AP by examining his registry. The
forensic investigator simply had to look in the registry at this location:







HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles







There you will find a list of GUIDs, one for each network the machine has
connected to. Clicking on one reveals information including the SSID name and
the date last connected, stored as a binary value that regedit displays in
hexadecimal. So, although Mr. Borrell initially denied his involvement in this
hack, this evidence was conclusive and he eventually pleaded guilty.







The screenshot below shows that the perpetrator had connected to the
"HolidayInnColumbia" SSID in November 2014.
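As an added example (not code from the original post), here is how an examiner decodes what regedit shows under a Profiles subkey instead of reading the hex by eye. The GUIDs, SSIDs and timestamps below are constructed sample data; the value names (ProfileName, NameType, DateCreated, DateLastConnected) and the 16-byte SYSTEMTIME layout are how Windows stores them, with NameType 71 for wireless and 6 for wired.

```python
import struct
from datetime import datetime

# NameType values seen in NetworkList profiles (wired = 6, VPN = 23, wireless = 71).
NAMETYPE = {6: "wired", 23: "VPN", 71: "wireless"}

def systemtime(year, month, dow, day, hour, minute, second, ms=0):
    """Pack a Windows SYSTEMTIME (eight little-endian 16-bit fields); used here to build sample data."""
    return struct.pack("<8H", year, month, dow, day, hour, minute, second, ms)

# Constructed sample of ...\NetworkList\Profiles: one subkey per profile GUID (GUIDs invented),
# holding the values regedit shows. DateCreated/DateLastConnected are REG_BINARY SYSTEMTIMEs.
SAMPLE_PROFILES = {
    "{E2B1A7C4-0000-4000-8000-000000000001}": {
        "ProfileName": "HolidayInnColumbia",
        "Description": "HolidayInnColumbia",
        "NameType": 71,
        "Managed": 0,
        "DateCreated": systemtime(2014, 11, 2, 18, 9, 12, 44),
        "DateLastConnected": systemtime(2014, 11, 2, 18, 14, 30, 5),
    },
    "{E2B1A7C4-0000-4000-8000-000000000002}": {
        "ProfileName": "Network 3",
        "Description": "Network 3",
        "NameType": 6,
        "Managed": 0,
        "DateCreated": systemtime(2013, 5, 6, 4, 8, 0, 0),
        "DateLastConnected": systemtime(2015, 1, 4, 1, 2, 0, 0),
    },
}

def decode_systemtime(raw: bytes) -> datetime:
    """Decode the 16-byte SYSTEMTIME blob regedit displays as hex. Day-of-week is ignored.
    These values are written in the local time of the examined machine, not UTC."""
    if len(raw) != 16:
        raise ValueError("SYSTEMTIME must be 16 bytes, got %d" % len(raw))
    year, month, _dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    return datetime(year, month, day, hour, minute, second, ms * 1000)

def parse_profiles(profiles: dict) -> list:
    """Flatten the Profiles key into rows, most recently connected first."""
    rows = []
    for guid, v in profiles.items():
        rows.append({
            "guid": guid,
            "ssid": v["ProfileName"],
            "type": NAMETYPE.get(v["NameType"], "unknown(%d)" % v["NameType"]),
            "created": decode_systemtime(v["DateCreated"]),
            "last_connected": decode_systemtime(v["DateLastConnected"]),
        })
    rows.sort(key=lambda r: r["last_connected"], reverse=True)
    return rows

def wireless_profiles(profiles: dict) -> list:
    """Only the Wi-Fi profiles: the SSIDs an investigator compares against the AP in question."""
    return [r for r in parse_profiles(profiles) if r["type"] == "wireless"]

if __name__ == "__main__":
    for r in parse_profiles(SAMPLE_PROFILES):
        print("%-20s %-8s created %s  last connected %s"
              % (r["ssid"], r["type"], r["created"], r["last_connected"]))
```

When working from a hive file rather than a live system, the same decoder applies to the raw value bytes; the GUID subkey's own last-write time is a second timestamp worth recording alongside DateLastConnected.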

The RecentDocs Key

The Windows registry tracks so much information about the user's activities. In
most cases, these registry keys are designed to make Windows run more
efficiently and smoothly. As a forensic investigator, these keys are like a road
map of the activities of the user or attacker.







One of those keys is the "RecentDocs" key. It tracks the most recent documents
used or opened on the system by file extension. It can be found at:







 * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs





So, for instance, the most recently used Word documents would be found under
.doc or the .docx extension depending upon the version of Word they were created
in (each key can hold up to the last 10 documents). If we go to the .docx
extension, we see the last 10 Word documents listed under this key.

When we click on one of those values, it reveals information about the document,
as seen below. We can view the document data both in hex, on the left, and in
ASCII, on the right. In this case, it shows that this document was a Metasploit
course outline.

In some cases, an attacker will upload a .tar file, so that is a good place to
look for breach evidence. In general, you won't see a .tar file extension on a
Windows machine, so the presence of an entry here would be something that needs
further investigation. Check the files in the .tar key and see what they might
reveal about the attack or attacker.
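Added example, not from the original post: parsing the per-extension subkeys the way the text describes them, so that the .docx list comes out in most-recent-first order and an unexpected extension such as .tar is flagged automatically. The entries are constructed (the shell-item tail of each value is a stub), but the layout of the numbered REG_BINARY values and the MRUListEx ordering value follows the real key, so the same code applies to any extension subkey. The list of expected extensions is the analyst's own baseline, passed in by the caller.

```python
import struct

def _utf16z(text: str) -> bytes:
    return text.encode("utf-16-le") + b"\x00\x00"

def _mrulistex(*indices: int) -> bytes:
    """MRUListEx is a list of little-endian DWORD value indices, most recent first, ending in 0xFFFFFFFF."""
    return b"".join(struct.pack("<I", i) for i in indices) + b"\xff\xff\xff\xff"

def _entry(name: str) -> bytes:
    """Build a RecentDocs value: the document name as a NUL-terminated UTF-16LE string,
    followed by a shell item. The shell item here is a constructed stub, not a real one."""
    return _utf16z(name) + b"\x32\x00" + (name + ".lnk").encode("ascii") + b"\x00"

# Constructed sample of HKCU\...\Explorer\RecentDocs: one subkey per extension,
# numbered REG_BINARY values plus the MRUListEx ordering value.
SAMPLE_RECENTDOCS = {
    ".docx": {
        "MRUListEx": _mrulistex(2, 0, 1),
        "0": _entry("quarterly_report.docx"),
        "1": _entry("old_notes.docx"),
        "2": _entry("Metasploit_course_outline.docx"),
    },
    ".jpg": {
        "MRUListEx": _mrulistex(1, 0),
        "0": _entry("IMG_0001.jpg"),
        "1": _entry("IMG_0002.jpg"),
    },
    ".tar": {
        "MRUListEx": _mrulistex(0),
        "0": _entry("tools.tar"),
    },
}

def parse_mrulistex(raw: bytes) -> list:
    """Return the value indices in most-recent-first order; stop at the 0xFFFFFFFF terminator."""
    order = []
    usable = raw[: len(raw) - len(raw) % 4]       # ignore a trailing partial DWORD
    for (idx,) in struct.iter_unpack("<I", usable):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def parse_entry(raw: bytes) -> str:
    """Extract the document name: scan 2-byte code units for the UTF-16LE NUL terminator."""
    for i in range(0, len(raw) - 1, 2):
        if raw[i:i + 2] == b"\x00\x00":
            return raw[:i].decode("utf-16-le")
    raise ValueError("no UTF-16LE terminator in RecentDocs entry")

def recent_docs(key: dict) -> dict:
    """Map each extension subkey to its document names, most recently opened first."""
    result = {}
    for ext, values in key.items():
        order = parse_mrulistex(values.get("MRUListEx", b""))
        result[ext] = [parse_entry(values[str(i)]) for i in order if str(i) in values]
    return result

def unexpected_extensions(key: dict, expected: set) -> list:
    """Extensions present in RecentDocs that the analyst did not expect on this machine."""
    return sorted(ext for ext in key if ext.lower() not in expected)

if __name__ == "__main__":
    for ext, docs in recent_docs(SAMPLE_RECENTDOCS).items():
        print(ext, docs)
    print("needs a closer look:",
          unexpected_extensions(SAMPLE_RECENTDOCS, {".docx", ".doc", ".jpg", ".png", ".pdf"}))
```

Note that MRUListEx, not the numeric value names, gives the true order: value "0" is not necessarily the oldest document, which is why the ordering value is parsed first.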

In civil or policy violation investigations, evidence might be found in the
various graphic file extensions such as .jpg, .gif, or .png.







TypedURLs Key







When the user types a URL in Internet Explorer, this value is stored in the
registry at:







 * HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs


When we open that key in the registry, it lists the last URLs that the user
visited with IE. This could reveal the source of the malware that was used in
the breach, or, in civil or policy violation investigations, may reveal what
the user was looking for or at.

The values run from url1 (the most recent) to url25 (the oldest).







IP ADDRESSES







The registry also tracks the IP addresses of the system's network interfaces.
Note that there may be numerous interfaces; this key holds a subkey for each
interface with its IP address and related information.







HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces







As we can see below, we can find the IP address assigned to the interface, the
subnet mask, and the time when the DHCP server leased the IP. In this way, we
can tell whether the suspect was using that particular IP at the time of the
intrusion or crime.
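Added example, not from the original post, answering the question the paragraph raises: which interface held a given IP at the time of the event. The adapter GUIDs and addresses are constructed; the value names (EnableDHCP, DhcpIPAddress, DhcpSubnetMask, DhcpServer, LeaseObtainedTime, LeaseTerminatesTime, IPAddress, SubnetMask) and the fact that the lease times are REG_DWORD Unix epoch seconds are as Windows writes them.

```python
from datetime import datetime, timezone

# Constructed sample of HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces:
# one subkey per adapter GUID (GUIDs invented). Lease times are Unix epoch seconds (UTC).
SAMPLE_INTERFACES = {
    "{5D0A1C3E-0000-4000-8000-0000000000A1}": {
        "EnableDHCP": 1,
        "DhcpIPAddress": "192.168.1.23",
        "DhcpSubnetMask": "255.255.255.0",
        "DhcpServer": "192.168.1.1",
        "LeaseObtainedTime": 1415889000,     # 2014-11-13 14:30:00 UTC
        "LeaseTerminatesTime": 1415975400,   # 2014-11-14 14:30:00 UTC
    },
    "{5D0A1C3E-0000-4000-8000-0000000000A2}": {
        "EnableDHCP": 0,
        "IPAddress": ["10.0.0.5"],            # REG_MULTI_SZ for a static configuration
        "SubnetMask": ["255.255.255.0"],
    },
    "{5D0A1C3E-0000-4000-8000-0000000000A3}": {
        "EnableDHCP": 1,
        "DhcpIPAddress": "0.0.0.0",           # adapter present but never obtained a lease
    },
}

def epoch_utc(seconds: int) -> datetime:
    return datetime.fromtimestamp(seconds, tz=timezone.utc)

def interface_addresses(interfaces: dict) -> list:
    """One row per configured address. DHCP rows carry the lease window; static rows have none."""
    rows = []
    for guid, v in interfaces.items():
        if v.get("EnableDHCP") == 1:
            ip = v.get("DhcpIPAddress", "0.0.0.0")
            if ip == "0.0.0.0":
                continue
            rows.append({
                "guid": guid, "ip": ip, "mask": v.get("DhcpSubnetMask"),
                "dhcp_server": v.get("DhcpServer"), "static": False,
                "lease_from": epoch_utc(v["LeaseObtainedTime"]),
                "lease_until": epoch_utc(v["LeaseTerminatesTime"]),
            })
        else:
            for ip, mask in zip(v.get("IPAddress", []), v.get("SubnetMask", [])):
                if ip != "0.0.0.0":
                    rows.append({"guid": guid, "ip": ip, "mask": mask, "dhcp_server": None,
                                 "static": True, "lease_from": None, "lease_until": None})
    return rows

def interfaces_holding(interfaces: dict, ip: str, when) -> list:
    """GUIDs of interfaces that held `ip` at `when` (a UTC-aware datetime or epoch seconds).
    A DHCP address counts only inside its lease window. A static address has no window and
    always matches, so static rows need corroboration from other artefacts (logs, DHCP server)."""
    if isinstance(when, (int, float)):
        when = epoch_utc(when)
    hits = []
    for r in interface_addresses(interfaces):
        if r["ip"] != ip:
            continue
        if r["static"] or r["lease_from"] <= when <= r["lease_until"]:
            hits.append(r["guid"])
    return hits

if __name__ == "__main__":
    for r in interface_addresses(SAMPLE_INTERFACES):
        print(r)
    print(interfaces_holding(SAMPLE_INTERFACES, "192.168.1.23", 1415900000))
</```

Only the most recent lease is kept in this key, so a negative result here means the registry cannot confirm the address at that time, not that the machine never held it.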

Start Up Locations in the Registry







As forensic investigators, we often need to find which applications or services
were set to start when the system boots. Malware is often set to start each
time the system restarts so that the attacker stays connected. This information
can be found in dozens of registry locations; we will look at just a few of the
most commonly used keys.







Probably the most used location is:







 * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Any program listed in the values of this key will start every time the system
starts. Rootkits and other malicious software can often be found here, which is
how they run again after each restart.







RunOnce Startup







If the attacker wants the software to run only once, at the next startup, the
value may be set here instead:



 * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce





Start Up Services







The key below lists all the services and whether they are set to start at
system startup. If a service's Start value is 2, the service starts
automatically; if it is 3, the service must be started manually; and if it is 4,
the service is disabled.







 * HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services













Start Legacy Applications







When legacy 16-bit applications are run, the program listed is run at:



 * HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WOW





Start When a Particular User Logs On







In the following key, the values are run when the specific user logs in.



 * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
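As an added example covering the Run, RunOnce, Services and per-user Run keys above (not code from the original post), here is a small triage pass over those locations. The registry contents are constructed; the two rule lists (user-writable directories and borrowed Windows binary names) are this example's own short baselines, not a Windows definition of "suspicious". It goes one step beyond the text in also naming Start values 0 and 1 (boot and system start), which exist alongside 2, 3 and 4.

```python
import re

# Constructed samples of the autostart keys discussed above (paths and names invented).
SAMPLE_RUN_KEYS = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
        "svchost": r"C:\Users\bob\AppData\Roaming\svchost.exe",
    },
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce": {
        "cleanup": r"C:\Users\bob\AppData\Local\Temp\upd.exe /silent",
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    },
}
# HKLM\SYSTEM\CurrentControlSet\Services: each service's Start type and ImagePath.
SAMPLE_SERVICES = {
    "Spooler": {"Start": 2, "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    "WinUpdSvc": {"Start": 2, "ImagePath": r"C:\ProgramData\wu\wusvc.exe"},
    "BITS": {"Start": 3, "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    "RemoteRegistry": {"Start": 4, "ImagePath": r"C:\Windows\system32\svchost.exe -k regsvc"},
}

# Start values: 2, 3 and 4 are the ones the article lists; 0 and 1 (boot/system drivers) also exist.
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}
AUTOSTART = {"boot", "system", "automatic"}

# Directories writable without admin rights, and Windows binary names malware likes to borrow.
# Both lists are this example's assumptions and are deliberately short.
WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}

def executable_path(command: str) -> str:
    """Pull the program path out of a command line: a quoted path, else up to the first '.exe'."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]

def check_entry(location: str, command: str) -> list:
    """Apply the three rules to one autostart entry; returns (location, executable, reason) triples."""
    path = executable_path(command)
    low = path.lower()
    reasons = []
    if any(d in low for d in WRITABLE_DIRS):
        reasons.append("runs from a user-writable directory")
    if low.rsplit("\\", 1)[-1] in SYSTEM_NAMES and "\\windows\\" not in low:
        reasons.append("Windows binary name outside the Windows directory")
    if " " in path and not command.strip().startswith('"'):
        reasons.append("unquoted path containing spaces")
    return [(location, path, r) for r in reasons]

def triage_autostart(run_keys: dict, services: dict) -> list:
    """Every Run/RunOnce value plus every service that starts on its own, run through check_entry."""
    findings = []
    for key, values in run_keys.items():
        for name, command in values.items():
            findings += check_entry(key + "\\" + name, command)
    for name, v in services.items():
        if START_TYPES.get(v.get("Start"), "unknown") in AUTOSTART:
            findings += check_entry("Services\\" + name, v["ImagePath"])
    return findings

if __name__ == "__main__":
    for location, exe, reason in triage_autostart(SAMPLE_RUN_KEYS, SAMPLE_SERVICES):
        print("%-62s %-58s %s" % (location, exe, reason))
```

The output is a list for a human to review, not a verdict: legitimate per-user software (the OneDrive entry in the sample) also runs from AppData and will be listed. What earns a closer look is the combination, such as a svchost.exe in a roaming profile or an auto-start service whose binary lives under ProgramData.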









Storage Artifacts in the Registry







Often, the suspect will use a flash drive or external hard drive for their
malicious activities and then remove it so as not to leave any evidence. The
skilled forensic investigator, though, can still find traces of those storage
devices in the registry, if they know where to look.











The registry on a Windows system varies a bit from version to version. A
skilled, professional digital forensic investigator needs to be able to work
with nearly all versions of Windows and other operating systems. Since Windows 7
is still the most widely used operating system, by far, I will be demonstrating
on it. Keep in mind, though, that this will vary slightly between versions.

USB STORAGE DEVICES







Imagine a case where we suspect that someone installed a keylogger or removed
confidential information with a USB drive. How would we find evidence that a USB
storage device was inserted and used? To find evidence of USB storage devices,
we want to look at the following key.







HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Enum\USBSTOR







In this key, we will find evidence of every USB storage device that has been
connected to this system. Expand USBSTOR to see the full listing.

In the screenshot above, I have circled one suspicious-looking USB device. When
we expand it, it reveals a unique identifier for that device. By clicking on
this identifier, we can find much more information about the device.

As you can see in the screenshot above, when we click on the USB storage
identifier, it reveals in the right-hand window the Global Unique Identifier
(GUID), the friendly name, and the hardware ID, among other things. This may be
exactly the evidence we need to tie the suspect to their activity on this
system!
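An added example (not from the original post) that turns the USBSTOR tree into a table and applies the one check an examiner needs before matching a seized stick to this machine: whether the instance ID is the device's real serial number or one Windows generated because the device reported none. The key names, instance IDs and friendly names are constructed; the key layout (class&Ven_&Prod_&Rev_ key, then an instance subkey) is the real one.

```python
# Constructed sample of HKLM\SYSTEM\ControlSet001\Enum\USBSTOR. The first level is the
# class/vendor/product/revision key, the second the instance ID, and the values are a
# subset of what regedit shows. Vendors, serials and names are invented.
SAMPLE_USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00": {
        "4C530001230812114232&0": {
            "FriendlyName": "SanDisk Cruzer Glide USB Device",
            "Service": "disk",
        },
    },
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": {
        "7&2f3b1c4e&0&_&0": {
            "FriendlyName": "Generic Flash Disk USB Device",
            "Service": "disk",
        },
    },
    "CdRom&Ven_ASUS&Prod_DRW-24B1ST&Rev_1.00": {
        "20140312&0": {
            "FriendlyName": "ASUS DRW-24B1ST USB Device",
            "Service": "cdrom",
        },
    },
}

def parse_device_key(name: str) -> dict:
    """Split 'Disk&Ven_X&Prod_Y&Rev_Z' into its fields."""
    parts = name.split("&")
    info = {"class": parts[0], "vendor": "", "product": "", "revision": ""}
    for p in parts[1:]:
        if p.startswith("Ven_"):
            info["vendor"] = p[4:]
        elif p.startswith("Prod_"):
            info["product"] = p[5:]
        elif p.startswith("Rev_"):
            info["revision"] = p[4:]
    return info

def parse_instance_id(instance: str) -> dict:
    """The instance ID is the device serial plus a '&0' suffix. If the second character is '&',
    the device reported no serial and Windows made one up; such an ID cannot identify a
    physical stick and should not be matched against a seized device."""
    generated = len(instance) > 1 and instance[1] == "&"
    serial = instance if generated else instance.split("&")[0]
    return {"serial": serial, "windows_generated": generated}

def usb_inventory(usbstor: dict) -> list:
    """One row per device instance ever enumerated under USBSTOR."""
    rows = []
    for dev_key, instances in usbstor.items():
        for instance, values in instances.items():
            row = parse_device_key(dev_key)
            row.update(parse_instance_id(instance))
            row["instance_id"] = instance
            row["friendly_name"] = values.get("FriendlyName", "")
            rows.append(row)
    return rows

def find_by_serial(usbstor: dict, serial: str) -> list:
    """Match a serial read off a seized device against the machine's USBSTOR history."""
    return [r for r in usb_inventory(usbstor)
            if not r["windows_generated"] and r["serial"] == serial]

if __name__ == "__main__":
    for r in usb_inventory(SAMPLE_USBSTOR):
        print(r)
```

USBSTOR records that a device was present, not when; the first-connection time comes from the setupapi.dev.log file and from the instance key's last-write time, both of which are worth collecting next to this table.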







MOUNTED DEVICES







If the suspect used any hardware device that must be mounted to either read or
write data (CD-ROM, DVD, hard drive, flash drive, etc.), the registry will
record the mounted device. This information is stored at:







HKEY_LOCAL_MACHINE\System\MountedDevices







As you can see below, when we click on this key, it provides us a long list of
every device ever mounted on that machine.

If we need further information on any of those mounted devices, we can simply
double-click it, which opens a small editor window that shows the binary data
alongside its ASCII rendering. As you can see, this device was an IDE CD-ROM
manufactured by TEAC.

If there is no TEAC CD-ROM on the system, the forensic investigator now knows
that they need to find this piece of hardware to recover further evidence of
the crime.
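An added example (not from the original post) that decodes MountedDevices values without regedit's binary editor and links a USB serial from USBSTOR to the drive letter it was mounted under. The three data layouts handled (a 12-byte MBR disk signature plus partition offset, "DMIO:ID:" plus a GPT partition GUID, and a UTF-16LE device path for removable and optical devices) are the ones Windows writes to this key; the drive letters, GUIDs and device strings here are constructed.

```python
import struct
import uuid

GUID_DEVINTERFACE_DISK = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
GUID_DEVINTERFACE_CDROM = "{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"

def _u16(text: str) -> bytes:
    return text.encode("utf-16-le")

USB_PATH = r"\??\USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00#4C530001230812114232&0#" + GUID_DEVINTERFACE_DISK
IDE_PATH = r"\??\IDE#CdRomTEAC_DV-W28S-A_______________________1.0A____#5&1234abcd&0&0.0.0#" + GUID_DEVINTERFACE_CDROM

# Constructed sample of HKLM\SYSTEM\MountedDevices (all values invented).
SAMPLE_MOUNTED = {
    r"\DosDevices\C:": struct.pack("<IQ", 0x1A2B3C4D, 1048576),
    r"\DosDevices\D:": b"DMIO:ID:" + uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le,
    r"\DosDevices\E:": _u16(USB_PATH),
    r"\DosDevices\F:": _u16(IDE_PATH),
    r"\??\Volume{0b7e2c11-0000-4000-8000-0000000000e1}": _u16(USB_PATH),
}

def decode_mounted_value(raw: bytes) -> dict:
    """Classify and decode one MountedDevices value by its layout."""
    if len(raw) == 12:                       # MBR disk: 4-byte signature + 8-byte partition offset
        signature, offset = struct.unpack("<IQ", raw)
        return {"kind": "mbr", "disk_signature": "%08X" % signature, "partition_offset": offset}
    if raw.startswith(b"DMIO:ID:") and len(raw) == 24:   # GPT: partition GUID in little-endian layout
        return {"kind": "gpt", "partition_guid": str(uuid.UUID(bytes_le=raw[8:]))}
    try:
        text = raw.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return {"kind": "unknown", "hex": raw.hex()}
    info = {"kind": "device", "path": text}
    parts = text.split("#")
    if len(parts) >= 3:
        info["bus"] = parts[0].rsplit("\\", 1)[-1]      # USBSTOR, IDE, SCSI, ...
        info["device"] = parts[1]
        info["instance"] = parts[2]
        info["interface"] = parts[3] if len(parts) > 3 else ""
    return info

def mounted_devices(mounted: dict) -> list:
    return [dict(name=name, **decode_mounted_value(raw)) for name, raw in mounted.items()]

def drive_letters_for_serial(mounted: dict, serial: str) -> list:
    """Drive letters a USB device with this serial (from USBSTOR) was mounted under."""
    letters = []
    for row in mounted_devices(mounted):
        if (row["name"].startswith("\\DosDevices\\") and row["kind"] == "device"
                and row.get("bus") == "USBSTOR" and serial in row.get("instance", "")):
            letters.append(row["name"].rsplit("\\", 1)[-1])
    return letters

if __name__ == "__main__":
    for row in mounted_devices(SAMPLE_MOUNTED):
        print(row)
    print("SanDisk mounted as:", drive_letters_for_serial(SAMPLE_MOUNTED, "4C530001230812114232"))
```

A drive letter is reused once a device is removed, so the \DosDevices\ entry shows the last device that held that letter; the \??\Volume{...} entries keep the earlier mappings and are decoded the same way.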







The registry is a repository of volumes of information about what happened on a
Windows system, and by learning our way around it, we can reconstruct the
elements of a crime it was used for.





