Archives For Windows Registry

The GUI control panel is a long-standing feature of Microsoft Windows, facilitating granular changes to a vast collection of system features.  It can be disabled via Group Policy but is largely available to most user accounts (administrative permissions are required for some changes).  From a forensic perspective, we can audit control panel usage to identify a wide range of user activity:

  • Firewall changes made for unauthorized software (firewall.cpl)
  • User account additions / modifications (nusrmgr.cpl)
  • Turning off System Restore / Volume Shadow Copies (sysdm.cpl)
  • System time changes (timedate.cpl)
  • Interaction with third-party security software applets

While identifying individual system modifications is difficult, at a minimum we can show that a user accessed a specific control panel applet at a specific time.  Context provided by other artifacts may provide further information.  As an example, imagine you were reviewing control panel usage on a system and came across Figure 1.

Figure 1: Sample UserAssist output (image not reproduced; the entries shown include the Brutus password cracker)

Context is critical, and, while access to the Windows Security Center might not normally be particularly interesting, the fact that it was accessed immediately following the execution of a known (router) password cracking tool might make all the difference.

Continue Reading…

New anti-forensics tool SetRegTime can change Registry last write times. | http://t.co/atWsf4sE via @
@chadtilbury
Chad Tilbury


Harlan Carvey discusses the ramifications of Windows Registry anti-forensics on his blog:  http://windowsir.blogspot.com/2012/08/setregtime.html.

You can find SetRegTime here: http://code.google.com/p/mft2csv/wiki/SetRegTime

Excellent guide to Windows 8 forensic artifacts. Nice work @! http://t.co/pY0l3IlE
@chadtilbury
Chad Tilbury


UPDATE:  A new version of the Windows 8 Forensic Guide can be found here:  http://propellerheadforensics.com/

Leveraging the Application Compatibility Cache in Forensic Investigations (Whitepaper) | http://t.co/O2PFBjm9 #DFIR
@chadtilbury
Chad Tilbury


UPDATE: A new Registry Ripper plugin, appcompatcache.pl, was written by Harlan Carvey based on this research.

UPDATE 2: The Volatility memory analysis framework now has a plugin, shimcache.py, for finding and parsing the Application Compatibility Cache from a memory image.

Handy TechNet article describing each of the services installed in the Windows Server & Wkstn family: http://t.co/q8EaTaHX
@mikepilkington
Mike Pilkington

Note: This post originally appeared on the SANS Forensics blog

As Windows Registry artifacts go, the “Shellbag” keys tend to be some of the more complicated artifacts we have to decipher.  But they are worth the effort, giving an excellent means to prove the existence of files and folders along with user knowledge.  Shellbags can be used to answer the difficult questions of data enumeration in intrusion cases, identify the contents of long-gone removable devices, and show the contents of previously mounted encrypted volumes.  Information persists for deleted folders, providing an invaluable reference for items no longer part of the file system.

Continue Reading…

Digital Forensics Solutions: Interesting Registry Backup Feature of Windows 7, Vista, and Server 2008: http://bit.ly/gKZGYC
@chadtilbury
Chad Tilbury

Note: This post originally appeared on the SANS Forensics blog

Talking with a colleague the other day reminded me of just how nuanced many of the forensic artifacts are that we rely upon.  Nowhere is this more true than in the Windows Registry.  With no specification and even Microsoft products not following any data storage methodology, it is about as haphazard and irregular as they come.  As an example, let’s look at the OpenSaveMRU and LastVisitedMRU Registry keys.  Both have been documented for years and are frequently cited in examinations.  That being said, I would bet many examiners have not investigated the keys deeply enough to understand everything they are telling us.  Here is a quick rundown on what we can glean from these keys.

Continue Reading…

Note: This post originally appeared on the SANS Forensics blog

In Part 1 of this post, we explored defragmenter usage in Windows XP, specifically trying to gain more information about user activity when we see the following in the Prefetch directory:

Figure 1: Defrag entries shown from C:\Windows\Prefetch directory

Vista made many file system changes, modifying some of  the XP artifacts we relied upon in Part 1 and adding some artifacts that can greatly simplify our investigation.  Importantly, Vista ships with a default scheduled task for a full volume defragmentation every Wednesday evening at 1am.    This is in addition to the limited defrags conducted by the Prefetch / Superfetch components.   Thus we should expect to see even more defragmenter activity on a Vista machine.  Taking this into consideration, we will perform the same analysis that we did for Windows XP.

We will focus on the two primary methods a user can invoke the Windows Defragmenter tool:

  1. Running defragmenter from a graphical user interface (GUI)
  2. Running defrag from the command line using defrag.exe

Continue Reading…

I have seen the following Windows Prefetch entries in nearly every Windows XP / Vista machine that I have reviewed over the past several years. Their existence always reminds me of the imperfect nature of information gained via individual artifacts. Does this mean that a user ran the Microsoft Defragmenter application on July 16, 2009 at 1:19PM? Or was the defragmenter started automatically by Windows? The defragmenter tool has been used very effectively as an anti-forensic tool since it was first introduced. In cases where data spoliation could be important, it is critical for the examiner to be able to identify any overt actions by a user. Complicating this is that starting with Windows XP, the operating system conducts limited defragmentation approximately every three days. [1] This post seeks to identify forensic artifacts which can help us determine if a user initiated the defrag application.


Figure 1: Defrag entries in C:\Windows\Prefetch directory

We will focus on two primary methods a user can invoke the Windows Defragmenter tool:

  1. Running defragmenter from a graphical user interface (GUI)
  2. Running defrag from the command line using defrag.exe


Continue Reading…