17 Aug, 2021

The Most Important Windows Registry Files for Forensics

The Windows registry is a database where Windows and many programs store their configuration settings.

It contains information about all the software and hardware’s settings, options, and other values. When a program is installed, a new subkey is created in the registry.

This subkey contains settings specific to that program, such as its location, version, and primary executable.

The system registry hive files are located under Windows\System32\Config\, while each Windows user account has its own NTUSER.dat file containing its user-specific keys in its C:\Windows\Users\Name directory.

Registry Hive

A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files loaded into memory when the operating system is started or a user logs in. Each time a new user logs on to a computer, a new hive is created for that user with a separate file for the user profile.

The most important registry hives

  • SYSTEM
  • SOFTWARE
  • SECURITY
  • SAM
  • DEFAULT
  • Every user profile has an Ntuser.dat file, which is loaded into the registry as HKCU (HKEY_CURRENT_USER)

Analyzing Windows Registry

First of all, we need to grab a copy of the registry hives that we need to analyze, then load them into any software that can analyze offline hives, such as Registry Explorer or O&O RegEditor.

  1. HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation - When conducting a forensic analysis of a system, the time zone information is critical, so we need to record it before beginning our analysis; that way any time zone conversion we make or event correlation we perform is accurate.
  2. HKLM\SYSTEM\CurrentControlSet\Control\ComputerName - Contains the computer name.
  3. HKCU\SOFTWARE\Microsoft\Windows\Shell
  • \BagMRU
  • \Bags

Shellbags are very important artifacts: the window position, the size, the icons and the sorting methods are all stored in the shellbags. Shellbags can show us the path of a file that has been deleted from a system, so we may be able to find entire directory trees showing that the path did exist on the system. There are many tools to analyze shellbag data, such as ShellBags Explorer.

  1. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
  • \ComDlg32
  • \LastVisitedPidlMRU
  • \OpenSavePidlMRU

MRU stands for most-recently-used. These keys can provide a list of files recently opened or saved via Windows Explorer.

  • \RecentDocs - Shows recent files that have been interacted with on the system, i.e. files that have recently been opened or saved.
  • \RunMRU - Contains the Run prompt history, all the commands that have recently been typed into it.
  • \TypedPaths - Contains file paths that have been typed into Windows Explorer.
  • \UserAssist - Contains application execution history, such as the name of the application and how many times it was executed; the entries are ROT13 encoded, so we can use any ROT13 decoder.
  1. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Contains the locations of programs that start automatically with Windows.
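As an added example that is not part of the original post, the following Python decodes a UserAssist entry the way the ROT13 note above describes and converts its last-run timestamp to local time with the ActiveTimeBias value from the TimeZoneInformation key recorded at the start of the analysis. The sample value name, its GUID path and the bias are constructed, and the 72-byte Windows 7 and later value layout (run count at offset 4, last-run FILETIME at offset 60) is assumed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt):
    """Inverse of filetime_to_utc using exact integer arithmetic (builds the sample below)."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def decode_userassist(value_name, value_data):
    """Decode one UserAssist\\{GUID}\\Count value in the assumed Windows 7+ layout:
    ROT13 value name; run count at offset 4, focus count at 8, focus time (ms) at 12,
    last-execution FILETIME at offset 60 of the 72-byte data."""
    if len(value_data) < 68:
        raise ValueError("UserAssist data too short for the Windows 7+ layout")
    _session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", value_data, 0)
    (last_run_ft,) = struct.unpack_from("<Q", value_data, 60)
    return {
        "name": codecs.decode(value_name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run_utc": filetime_to_utc(last_run_ft) if last_run_ft else None,  # 0 = never recorded
    }


def to_local(utc_dt, active_time_bias_dword):
    """Apply TimeZoneInformation\\ActiveTimeBias: signed minutes stored as a DWORD, UTC = local + bias."""
    bias = active_time_bias_dword - (1 << 32) if active_time_bias_dword >= (1 << 31) else active_time_bias_dword
    return utc_dt - timedelta(minutes=bias)


# Constructed sample, not from a real system: cmd.exe run 5 times, last on
# 2021-08-17 10:30:00 UTC, on a machine whose ActiveTimeBias is -180 (UTC+3).
SAMPLE_NAME = codecs.encode("{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\cmd.exe", "rot_13")
SAMPLE_LAST_RUN = datetime(2021, 8, 17, 10, 30, tzinfo=timezone.utc)
SAMPLE_DATA = (struct.pack("<IIII", 0, 5, 12, 60000) + b"\x00" * 44
               + struct.pack("<Q", utc_to_filetime(SAMPLE_LAST_RUN)) + b"\x00" * 4)
SAMPLE_BIAS = 0xFFFFFF4C  # -180 stored as an unsigned DWORD
```

Run decode_userassist(SAMPLE_NAME, SAMPLE_DATA) and pass its last_run_utc to to_local(..., SAMPLE_BIAS) to see the UTC and local timestamps side by side.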

  1. HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR - Stores all USB devices, the serial number of each device and the key's last write time.
  2. HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices - Contains the volume name of the USB device.
  3. NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Mountpoint - Using the volume GUID we can find the user who used this particular device, and we can obtain the first time and last time the device was connected, in addition to the removal time.
  4. HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Shares - LanmanServer contains some information about the shares configured on the system.
  5. HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces - Contains the network interfaces and their associated IP address configuration.
  6. HKLM\SYSTEM\CurrentControlSet\Control\FileSystem - If the NtfsDisableLastAccessUpdate value is set to 0x1, last access time stamp updates are turned off, which is the default.

Conclusion:

Registry files are like a goldmine for digital forensics: they contain very useful evidence regarding the case, and the files mentioned above are some of them. After properly analyzing the Windows Registry files, we will have a solid understanding of the case.

