Windows Registry


1
Lecture 7
Forensic Analysis of Windows Systems
(contd.)
Prof. Shamik Sengupta
Office 4210N
[email protected]
http://jjcweb.jjay.cuny.edu/ssengupta/
Fall 2010
2
What we will cover today
 Forensic analysis of Windows systems
– Registry
– Time zone
– Print Spool
3
Windows Registry
 What is the registry?
– Think of it as a large database of settings and information
– Settings for
– computer,
– applications,
– services,
– security and
– users
 Microsoft definition
– “A central hierarchical database used to store information
that is necessary to configure the system for one or more
users, applications and hardware devices.”
4
Registry Files
 The Windows registry is a repository for configuration information
– On Windows 95/98, the registry is comprised of files
– windows\system.dat, windows\user.dat, etc.
– On Windows NT/2000 onward,
– several hive files located in systemroot\system32\config,
– ntuser.dat
 The registry contains information about many aspects of the system in “separate compartments”
– It can be viewed using “regedit” or regedt32 from the command line
– It can be viewed using EnCase
5
A snapshot of Registry using regedit
6
Registry Hives
 Windows Registry – four main system hives
– Software (HKEY_LOCAL_MACHINE\Software)
– System (HKEY_LOCAL_MACHINE\System)
– Security (HKEY_LOCAL_MACHINE\Security)
– SAM (HKEY_LOCAL_MACHINE\SAM)
– Often grouped together as HKLM
 User hive
– HKEY_USERS\...
– HKU
7
HIVES
Subtree                        Filename
HKEY_LOCAL_MACHINE\System      Windows\system32\config\System
HKEY_LOCAL_MACHINE\Software    Windows\system32\config\Software
HKEY_LOCAL_MACHINE\Security    Windows\system32\config\Security
HKEY_LOCAL_MACHINE\SAM         Windows\system32\config\SAM
HKU\[…]                        NTUSER.DAT (in \Documents and Settings\…), one for each user
8
User Hive
 When Windows loads a user profile, the OS loads
the hive file into the HKEY_USER subtree
 For the current user,
– Windows links HKEY_CURRENT_USER (HKCU) to
HKU\SID
 Use EnCase to mount your NTUSER.dat
– Find the homepage for Internet explorer for this user
account
9
Closing a mounted Registry Hive
 Closing a mounted registry hive is important!
– If you mount all the hives and saved your case, it will take
a long time for the case to open next time
– A mounted hive does use extra RAM from your computer
 How to close?
– Select the “Devices” tab
– You will see the mounted hives in the table pane
– Right-click on the hive and select “Close”
10
Time Zone information
 When conducting forensic investigation on a
computer
– It is critical to determine the time zone settings of hard
drives that have the Windows OS installed
 How to understand time zone settings
– Use Registry information
– Which Hive contains this info?
11
System Registry Hive
Mount the System
12
System Hive
13
Now a pause and look into the System Hive
 There are a lot of folders, and possibly several “ControlSet” folders
 What are these ControlSet folders?
– A control set contains system configuration information such as device drivers and services
– Several instances of control sets appear when viewing the Registry
– Some are duplicates or mirror images of others and some are unique
– Depending on how often you change system settings or have problems with the settings you choose
– A typical installation of Windows may contain two to four
– \ControlSet001
– \ControlSet002
– \CurrentControlSet
– \Clone
14
ControlSet folders
 A typical installation of Windows may contain two to four
– \ControlSet001
– \ControlSet002
– \CurrentControlSet
– \Clone
– ControlSet001 may be the last control set you booted with
– ControlSet002 could be what is known as the last known good control set, or the control set that last successfully booted Windows
– The CurrentControlSet subkey is just a pointer to one of the ControlSetXXX keys
– Clone is a clone of CurrentControlSet, and is created each time you boot your computer
 How will you know which folder is for what?
– In order to better understand how these control sets are used, we need to access another subkey: “Select”
15
Select
 Select is also under the SYSTEM key
 Select contains the following values:
– Current
– Default
– Failed
– LastKnownGood
 Each of these values is a REG_DWORD and refers to a specific control set
– For example, if the Current value is set to 0x1, then CurrentControlSet is pointing to ControlSet001
– Failed refers to a control set that was unable to boot Windows NT successfully
– The Default value usually agrees with Current
16
Viewing Select
17
Viewing Select
18
Time zone information
19
Time zone information
20
Time zone information
 Bias – Minutes offset from GMT for the time zone setting (32-bit int)
– E.g., 300
 ActiveTimeBias – Minutes offset from GMT for the current time setting (32-bit int)
– E.g., 240
 DaylightBias – Minutes offset from the Bias for DST settings (32-bit int)
– E.g., -60
 StandardBias – Minutes offset from the Bias for the standard time (usually 0)
 DaylightName – Name of the time zone DST setting (Unicode)
 StandardName – Name of the standard time zone setting (Unicode)
21
Time zone information
 DaylightStart, StandardStart:
 Format: 8 fields:
– each field is a 16-bit integer (2 bytes)
– 2-byte pad (00 00) Month Week Hour Minutes Seconds Millisec Day
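The two registry look-ups from the last few slides (resolving CurrentControlSet through Select, then decoding TimeZoneInformation under that control set), as an added Python example; this is not code from the lecture or from EnCase. It works on the raw value bytes an offline hive parser would return, so the Select DWORDs and the TimeZoneInformation values below are constructed samples chosen to match the slide's figures (Bias 300, ActiveTimeBias 240, DaylightBias -60). The DaylightStart and StandardStart samples use the Win32 SYSTEMTIME field order (year, month, day of week, week of month, hour, minute, second, millisecond), with the year word left as the 00 00 pad the slide mentions. Decoding the bias values as signed 32-bit integers is the point to watch: a DaylightBias of -60 is stored as C4 FF FF FF and reads as 4294967236 if treated as unsigned.

```python
import struct
from datetime import datetime, timedelta

# --- Select: which ControlSetNNN is CurrentControlSet? ---------------------
# Constructed sample of the four REG_DWORD values under SYSTEM\Select, as the
# little-endian bytes an offline hive parser would hand back.
SELECT_VALUES = {
    "Current": b"\x01\x00\x00\x00",
    "Default": b"\x01\x00\x00\x00",
    "Failed": b"\x00\x00\x00\x00",
    "LastKnownGood": b"\x02\x00\x00\x00",
}

def dword(raw):
    """Decode a 4-byte little-endian REG_DWORD as an unsigned integer."""
    return struct.unpack("<I", raw)[0]

def control_set_name(n):
    """0 means no control set; 1 -> ControlSet001, 2 -> ControlSet002, ..."""
    return None if n == 0 else "ControlSet%03d" % n

def resolve_select(values):
    """Map each Select value to the ControlSetNNN subkey it points at."""
    return {name: control_set_name(dword(raw)) for name, raw in values.items()}

def select_warnings(resolved):
    """Consistency checks worth noting before trusting CurrentControlSet."""
    warnings = []
    if resolved["Failed"] is not None:
        warnings.append("Failed points at %s: a boot failure was recorded" % resolved["Failed"])
    if resolved["Default"] != resolved["Current"]:
        warnings.append("Default (%s) differs from Current (%s)"
                        % (resolved["Default"], resolved["Current"]))
    return warnings

# --- TimeZoneInformation under <CurrentControlSet>\Control ------------------
# Constructed sample matching the slide's figures: Bias 300 (GMT-5), DaylightBias -60,
# ActiveTimeBias 240 (DST in effect). DaylightStart/StandardStart are 16-byte SYSTEMTIME
# structures: year (0 = recurs every year), month, day of week, week of month, hour,
# minute, second, millisecond, each a 16-bit little-endian integer.
TZ_VALUES = {
    "Bias": struct.pack("<i", 300),
    "ActiveTimeBias": struct.pack("<i", 240),
    "DaylightBias": struct.pack("<i", -60),   # on disk: C4 FF FF FF
    "StandardBias": struct.pack("<i", 0),
    "DaylightStart": struct.pack("<8H", 0, 3, 0, 2, 2, 0, 0, 0),   # 2nd Sunday in March, 02:00
    "StandardStart": struct.pack("<8H", 0, 11, 0, 1, 2, 0, 0, 0),  # 1st Sunday in November, 02:00
}

def signed_dword(raw):
    """Bias values are signed: -60 must not be read as 4294967236."""
    return struct.unpack("<i", raw)[0]

def parse_systemtime(raw):
    names = ("year", "month", "day_of_week", "week", "hour", "minute", "second", "millisecond")
    return dict(zip(names, struct.unpack("<8H", raw)))

def parse_timezone(values):
    info = {k: signed_dword(values[k])
            for k in ("Bias", "ActiveTimeBias", "DaylightBias", "StandardBias")}
    info["DaylightStart"] = parse_systemtime(values["DaylightStart"])
    info["StandardStart"] = parse_systemtime(values["StandardStart"])
    # While DST is in effect ActiveTimeBias == Bias + DaylightBias; otherwise Bias + StandardBias
    info["dst_in_effect"] = info["ActiveTimeBias"] == info["Bias"] + info["DaylightBias"]
    return info

def local_timestamp(utc_iso, active_time_bias):
    """Bias is UTC minus local, so local wall-clock time = UTC - ActiveTimeBias minutes."""
    utc_dt = datetime.strptime(utc_iso, "%Y-%m-%d %H:%M:%S")
    return (utc_dt - timedelta(minutes=active_time_bias)).strftime("%Y-%m-%d %H:%M:%S")

if __name__ == "__main__":
    resolved = resolve_select(SELECT_VALUES)
    print("CurrentControlSet ->", resolved["Current"], "warnings:", select_warnings(resolved))
    tz = parse_timezone(TZ_VALUES)
    print("DST in effect:", tz["dst_in_effect"], "DaylightStart:", tz["DaylightStart"])
    print("2010-06-01 12:00:00 UTC ->", local_timestamp("2010-06-01 12:00:00", tz["ActiveTimeBias"]))
```

Use ActiveTimeBias, not Bias, when converting a UTC timestamp from the file system or event logs to the local time the user saw: Bias alone gives standard time and is off by an hour while DST is in effect.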
22
Printing
 Printing involves a spooling process whereby the sending of data to a printer is delayed
– The delay allows the application program to continue to be responsive to the user
– The printing takes place in the background
 Print spooling is accomplished by creating temporary files that contain both the data to be printed and sufficient information to complete the print job
– Files with extensions .SPL and .SHD are created for each job
– The .SHD file is a ‘shadow’ file that contains information about the print job including the owner, the printer, the name of the file printed and the printing method (EMF or RAW)
– In RAW format, the .SPL file contains the data to be printed
– In EMF format, the .SPL file contains the name of the file printed, the method and a list of files that contain the data to be printed
– The .SHD and .SPL files are deleted after the print job completes
23
Printing (Continued)
 In Windows, the spool files are kept in
– <system folder>\system32\spool\printers
 The .SPL and .SHD files contain the name of the file to be printed including its fully qualified path
– The path may suggest that other media containing evidence exist
 If the original file that the user printed does not exist on the seized evidence, the file may be found in enhanced metafile format
 While in Hex view, locate the letters “EMF” in the right part of the view pane
– Starting from the byte just prior to “E”, select 41 bytes backwards
– Right-click on the highlighted area and view it as a picture
24
Case Example: Print Spooler Files
Print spooler evidence was the only evidence in a counterfeiting case
in Orange County, California.
Department of Consumer Affairs examiners arrested a suspect for
selling counterfeit state license certificates and seized his computer.
Although the examiner had seized some of the counterfeit certificates
from victims, they were unable to locate evidence on the computer.
When the examiner requested a second view from the California
Department of Insurance, Fraud Division, the Computer Forensic
Team identified several deleted enhanced metafiles that exactly
matched the paper copies that had been seized during the
investigation.
The only evidence present on the drive was the enhanced metafiles.
The defendant was convicted at trial.
25
NTFS Log File
 An artifact unique to an NTFS volume is the $LOGFILE
– created during the formatting of an NTFS volume
 $LOGFILE keeps track of transactions and enables NTFS to recover from system crashes
– transaction: a set of operations that cause a change to file system data or to a volume’s directory structure
– The operations are treated as a set, or transaction, for the purpose of maintaining the integrity of the volume if a system failure occurs
– E.g., to delete a file, the necessary steps ($BITMAP file changed to show the clusters as unallocated, MFT record marked as deleted, deletion of the index entry) are recorded in the $LOGFILE so that each step in the transaction can be executed again, or undone, if a problem arises
– If a crash occurs, NTFS can recreate any transactions that completed and can undo or complete partially completed transactions
26
NTFS Log File (Continued)
 $LOGFILE is maintained by NTFS and its MAC times are not updated
 Any information found in this file was put there because a transaction occurred
 This carries weight since it verifies that the file was in some way used on the computer
 It is common to locate several file names in the $LOGFILE that no longer exist anywhere else on the volume
– The recovery of file names with their associated dates and times can be relevant evidence
27
NTFS Log File (Continued)
 The structure of $LOGFILE is not fully documented outside Microsoft!
 Some of the information that may be located in the $LOGFILE
– Index entries
– Index entries are folder entries
– Each entry describes one file including its name and MAC times
– Copy of MFT record
– MFT records all begin with ‘FILE’ followed by a hex value, usually ‘2a’
– These records are located by searching the $LOGFILE for this repeating pattern
– Link files
– Link files can be located by searching for the link file header within the $LOGFILE
28
NTFS Log File (Continued)
 Some general made-easy info about $LogFile
– The logging area consists of a sequence of 4 KB log records
– Magic number is “RCRD”
– Each log record contains a sequence of variable-sized records
– Similarly for the “restart” area
– Magic number is “RSTR”
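The two facts from the last two slides (4 KB pages tagged RCRD or RSTR, and copies of MFT records that start with "FILE" followed by 2a) combined into one added Python example; this is not code from the lecture. It adds the one detail a practitioner hits immediately when searching a raw $LOGFILE: every 4 KB page is protected by an NTFS update sequence array (the "fixup"), so the last two bytes of each 512-byte sector on disk hold a sequence number and the real bytes live in the page header. A "FILE" signature that straddles a sector boundary is therefore invisible to a raw keyword search until the fixup is undone, and a sector whose sequence number does not match marks a torn write. The 2a after "FILE" is itself the little-endian update-sequence-array offset (0x002A) of NT/2000/XP-era MFT records; Vista and later use 0x30. The two-page image below is constructed; the USA offsets used (0x1E for restart pages, 0x28 for record pages) are the usual header sizes, and everything else in the headers is left zero.

```python
import struct

PAGE_SIZE = 4096      # the 4 KB log pages the slide describes
SECTOR_SIZE = 512

def build_page(magic, usa_offset, payload=b"", payload_offset=0):
    """Constructed 4 KB $LOGFILE page. Only the magic, the update sequence array (USA)
    offset/count and the fixup protection are modelled; real pages carry more header fields.
    Fixup: the last two bytes of every sector are replaced on disk by the update sequence
    number (USN), and the original two bytes are saved in the USA after the USN."""
    usn = 0x0007
    n_sectors = PAGE_SIZE // SECTOR_SIZE
    page = bytearray(PAGE_SIZE)
    page[0:4] = magic
    struct.pack_into("<HH", page, 4, usa_offset, n_sectors + 1)
    page[payload_offset:payload_offset + len(payload)] = payload
    struct.pack_into("<H", page, usa_offset, usn)
    for i in range(n_sectors):
        end = (i + 1) * SECTOR_SIZE - 2
        saved = struct.unpack_from("<H", page, end)[0]
        struct.pack_into("<H", page, usa_offset + 2 * (i + 1), saved)
        struct.pack_into("<H", page, end, usn)
    return bytes(page)

def apply_fixup(page):
    """Undo the fixups so the page reads as NTFS wrote it; raise on a torn page."""
    usa_offset, usa_count = struct.unpack_from("<HH", page, 4)
    usn = struct.unpack_from("<H", page, usa_offset)[0]
    fixed = bytearray(page)
    for i in range(usa_count - 1):
        end = (i + 1) * SECTOR_SIZE - 2
        if struct.unpack_from("<H", page, end)[0] != usn:
            raise ValueError("sector %d does not carry USN 0x%04x: torn write or not a log page" % (i, usn))
        src = usa_offset + 2 * (i + 1)
        fixed[end:end + 2] = page[src:src + 2]
    return bytes(fixed)

def classify_pages(logfile):
    """Label every 4 KB page by its magic: RSTR (restart area) or RCRD (logging area)."""
    kinds = {b"RSTR": "restart", b"RCRD": "record"}
    return [(off, kinds.get(logfile[off:off + 4], "unknown"))
            for off in range(0, len(logfile) - PAGE_SIZE + 1, PAGE_SIZE)]

def find_mft_signatures(data):
    """Offsets of 'FILE' signatures with the word that follows (0x2A for XP-era MFT records,
    0x30 from Vista on): the slide's 'File' + 2a search, done on bytes."""
    hits = []
    pos = data.find(b"FILE")
    while pos >= 0:
        usa = struct.unpack_from("<H", data, pos + 4)[0] if pos + 6 <= len(data) else None
        hits.append((pos, usa))
        pos = data.find(b"FILE", pos + 1)
    return hits

def build_sample_logfile():
    """Constructed image: one restart page, then one record page holding a copy of an
    XP-style MFT record header placed so that it straddles the first sector boundary."""
    restart = build_page(b"RSTR", 0x1E)
    record = build_page(b"RCRD", 0x28, b"FILE\x2a\x00\x03\x00", payload_offset=508)
    return restart + record

if __name__ == "__main__":
    image = build_sample_logfile()
    print("pages:", classify_pages(image))
    print("raw keyword search:", find_mft_signatures(image))
    fixed = apply_fixup(image[PAGE_SIZE:2 * PAGE_SIZE])
    print("after fixup:", find_mft_signatures(fixed))
```

Running it shows the raw search returning nothing while the search over the fixed-up page finds the record at offset 508 with 0x2A following it. For real evidence, read the $LOGFILE out with EnCase, apply the fixup page by page, and only then run the "FILE", index-entry and link-file searches the slide lists; searching the raw extract silently misses roughly one in 256 signatures.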