Week 8: Win Registry Forensics

Week-8: Windows Registry Forensics

Ali Jaddoa

Ali.Jaddoa@Roehampton.ac.uk


25/26

Today's

  • The Windows Registry
    • Registry Definition
    • How the registry is organised
    • Forensic analysis of the registry
    • Examples of content that can be found in the registry…


What is the Windows Registry?



What is the Windows Registry?

A central hierarchical database used in Microsoft Windows Operating Systems to store information that is necessary to configure the system for one or more users, applications and hardware devices.

  • Centralised hierarchical database
  • Built into memory as the system boots


What is the purpose of the Registry?

It’s a set of system data files that enables:

  • the OS to control hardware, software, user information, and overall functionality;
  • storage of information about user behaviour, loaded software, and attached hardware;
  • building a basic picture of the everyday usage of a device, including:
    • hardware configurations,
    • user preferences,
    • application settings,
    • network settings.


Question: Is the Windows Registry volatile?



Windows Registry: Key Facts


  • Not a single database: it cannot be easily downloaded.
  • Not meant for human interaction: designed for software use.
  • Purpose: stores essential configuration data for applications and system functions.
  • Persistent settings: tracks user preferences (e.g., window sizes, recent settings).
  • Continuous updates: every change and option set is recorded in the registry.


Activity: What is the role of the Windows Registry in Cyber Security? Take 5

| Category | Role in Cyber Security |
|---|---|
| Malware and Virus Infections | ------ |
| User and Password Management | ------ |
| Application Security | ------ |
| Privacy Protection | ------ |
| System Hardening | ------ |


What is the role of the Windows Registry in Cyber Security?

| Category | Role in Cyber Security |
|---|---|
| Malware and Virus Infections | Malware modifies registry keys to gain persistence and evade detection. Analysing changes helps in identifying and removing threats. |
| User and Password Management | Stores credentials and authentication settings. |
| Application Security | Controls security policies for installed applications. |
| Privacy Protection | Contains data on browsing history, file usage, and user activities. |
| System Hardening | Configures security settings such as firewall rules, anti-virus protection, and automatic updates. |


Activity: What content might you be asked to look for in the Win Reg?



Windows Registry Forensic Artifacts

What can we find in WinReg?

| Artifact | What it reveals |
|---|---|
| Recently Used Programs | Identify applications that have been opened. |
| Recently Used Files | Track file access history. |
| Recently Used Media | Discover played or accessed media files. |
| Installed Applications | List software present on the system. |
| Programs Run at Startup | Identify auto-starting applications. |
| Wireless Network Information | Extract stored Wi-Fi connections. |
| Usernames & Networked Computers | Find accounts and connected devices. |
| Time Zone Information | Determine system time settings. |
| USB Device History | Review connected external storage devices. |
| Information Searches (Cortana) | Analyse past searches. |
| Computer Name | Identify the system’s registered name. |
| Web Browsing Activity | Review visited websites. |
| Profile Information | Extract user profile details. |


Windows Registry Structure

  • Hierarchical Design: Similar to a directory and file structure.
  • Hive contains a group of keys and values.
    • Root Keys: Contain keys and sub-keys.
      • Keys and Sub-Keys: Store additional sub-keys and values.
        • Values: Hold configuration data used by the system and applications.


Windows Registry Structure Cont'




1. Hives

Hives are the files that store the content of the registry.

  • Each hive contains a group of keys and values

The standard hives according to Microsoft are:

  • HKEY_CURRENT_CONFIG
  • HKEY_CURRENT_USER
  • HKEY_LOCAL_MACHINE\SAM
  • HKEY_LOCAL_MACHINE\Security
  • HKEY_LOCAL_MACHINE\Software
  • HKEY_LOCAL_MACHINE\System
  • HKEY_USERS\.DEFAULT


1.2 Where hive files are stored.

| Hive Registry Path | Hive File Path |
|---|---|
| HKEY_LOCAL_MACHINE\SYSTEM | \Windows\System32\Config\System |
| HKEY_LOCAL_MACHINE\SAM | \Windows\System32\Config\Sam |
| HKEY_LOCAL_MACHINE\SECURITY | \Windows\System32\Config\Security |
| HKEY_LOCAL_MACHINE\SOFTWARE | \Windows\System32\Config\Software |
| HKEY_LOCAL_MACHINE\HARDWARE | Volatile hive |
| HKEY_LOCAL_MACHINE\SYSTEM\Clone | Volatile hive (Win 2K only) |
| HKEY_USERS\ | \Documents and Settings\\Ntuser.dat |
| HKEY_USERS\_Classes | \Documents and Settings\\Local Settings\Application Data\Microsoft\Windows\Usrclass.dat |
| HKEY_USERS\.DEFAULT | \Windows\System32\Config\Default |


1.3 Registry Hives and Supporting Files

| Registry Hive | Supporting Files |
|---|---|
| HKEY_CURRENT_CONFIG | System, System.alt, System.log, System.sav |
| HKEY_CURRENT_USER | Ntuser.dat, Ntuser.dat.log |
| HKEY_LOCAL_MACHINE\SAM | Sam, Sam.log, Sam.sav |
| HKEY_LOCAL_MACHINE\Security | Security, Security.log, Security.sav |
| HKEY_LOCAL_MACHINE\Software | Software, Software.log, Software.sav |
| HKEY_LOCAL_MACHINE\System | System, System.alt, System.log, System.sav |
| HKEY_USERS\.DEFAULT | Default, Default.log, Default.sav |


2 Root Keys or Keys

Root Keys are at the top of the navigation hierarchy.

  • The Registry is divided into five Root Keys, each containing specific types of data.

| # | Root Key | Description |
|---|---|---|
| 1 | HKEY_CLASSES_ROOT (HKCR) | Application and file associations. |
| 2 | HKEY_CURRENT_USER (HKCU) | Currently logged-in user’s profile. |
| 3 | HKEY_LOCAL_MACHINE (HKLM) | Computer-specific hardware and software configurations. |
| 4 | HKEY_USERS (HKU) | All actively loaded user profiles. |
| 5 | HKEY_CURRENT_CONFIG (HKCC) | Current hardware configurations. |


Win Reg: the Whole Pic




Access to Win Reg Hives

1. Online: Using RegEdit

  • Pre-installed on Windows: No additional installation required.
  • Access Methods:
    • Graphical User Interface (GUI)
    • Command Line: Launch using regedit or regedt32.


2. Offline




One More Example




Registry Value Types

| Type | Description |
|---|---|
| REG_NONE | No type. |
| REG_SZ | A string value. |
| REG_EXPAND_SZ | An expandable string value that can contain environment variables. |
| REG_BINARY | Binary data; any arbitrary data. |
| REG_DWORD / REG_DWORD_LITTLE_ENDIAN | A DWORD value: a 32-bit unsigned integer from 0 to 4,294,967,295, little endian. |
| REG_DWORD_BIG_ENDIAN | A DWORD value: a 32-bit unsigned integer from 0 to 4,294,967,295, big endian. |
| REG_LINK | A symbolic link in Unicode. |
| REG_MULTI_SZ | A multi-string value: an array of unique strings. |
| REG_RESOURCE_LIST | Resource list. |
| REG_FULL_RESOURCE_DESCRIPTOR | Resource descriptor. |
| REG_RESOURCE_REQUIREMENTS_LIST | Resource requirements list. |
| REG_QWORD / REG_QWORD_LITTLE_ENDIAN | A QWORD value: a 64-bit integer. |
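The type tag is what makes raw hive bytes meaningful: the same four bytes read as REG_DWORD and as REG_DWORD_BIG_ENDIAN give different numbers, and a string value without its NUL terminator stripped will never match what you search for. The decoder below is an added example written for these slides, not code from the lecture or from any registry tool; the type constants are the winnt.h values, while the sample values (computer name, counters, source list) are constructed for the demonstration.

```python
import struct
from typing import Optional

# Registry value type codes as defined in winnt.h of the Windows SDK
REG_NONE = 0
REG_SZ = 1
REG_EXPAND_SZ = 2
REG_BINARY = 3
REG_DWORD = 4              # same as REG_DWORD_LITTLE_ENDIAN
REG_DWORD_BIG_ENDIAN = 5
REG_LINK = 6
REG_MULTI_SZ = 7
REG_QWORD = 11             # same as REG_QWORD_LITTLE_ENDIAN


def _utf16z(data: bytes) -> str:
    """Decode a UTF-16LE string and drop the NUL terminator the registry stores."""
    text = data.decode("utf-16-le", errors="replace")
    return text.split("\x00", 1)[0]


def decode_value(reg_type: int, data: bytes, env: Optional[dict] = None):
    """Interpret raw value data according to its registry type tag.

    Hive data is just bytes; the type tag is what tells a parser how to read it.
    `env` supplies %NAME% expansions for REG_EXPAND_SZ taken from the evidence
    system, so decoding never picks up the analyst workstation's environment.
    """
    if reg_type == REG_NONE:
        return None
    if reg_type in (REG_SZ, REG_LINK):
        return _utf16z(data)
    if reg_type == REG_EXPAND_SZ:
        text = _utf16z(data)
        for name, value in (env or {}).items():
            text = text.replace(f"%{name}%", value)
        return text
    if reg_type == REG_MULTI_SZ:
        # NUL-separated strings; the list is terminated by an extra NUL
        text = data.decode("utf-16-le", errors="replace")
        return [s for s in text.split("\x00") if s]
    if reg_type in (REG_DWORD, REG_DWORD_BIG_ENDIAN):
        if len(data) != 4:
            raise ValueError(f"DWORD needs 4 bytes, got {len(data)}")
        fmt = "<I" if reg_type == REG_DWORD else ">I"
        return struct.unpack(fmt, data)[0]
    if reg_type == REG_QWORD:
        if len(data) != 8:
            raise ValueError(f"QWORD needs 8 bytes, got {len(data)}")
        return struct.unpack("<Q", data)[0]
    if reg_type == REG_BINARY:
        return data                      # the caller decides how to interpret it
    raise ValueError(f"unsupported registry type {reg_type}")


# Constructed sample values (not taken from any real system)
SAMPLE_VALUES = {
    "ComputerName": (REG_SZ, "LAB-PC01".encode("utf-16-le") + b"\x00\x00"),
    "SystemRoot":   (REG_EXPAND_SZ, "%SystemRoot%\\system32".encode("utf-16-le") + b"\x00\x00"),
    "Counter":      (REG_DWORD, b"\x78\x56\x34\x12"),
    "CounterBE":    (REG_DWORD_BIG_ENDIAN, b"\x78\x56\x34\x12"),   # same bytes, other endianness
    "Sources":      (REG_MULTI_SZ, "Application\x00System\x00\x00".encode("utf-16-le")),
    "Big":          (REG_QWORD, (1 << 40).to_bytes(8, "little")),
}


def decode_all(values=SAMPLE_VALUES, env=None) -> dict:
    """Decode every (type, raw) pair; the env dict stands in for the evidence system's variables."""
    env = env or {"SystemRoot": "C:\\Windows"}
    return {name: decode_value(t, raw, env) for name, (t, raw) in values.items()}


if __name__ == "__main__":
    for name, decoded in decode_all().items():
        print(f"{name:12} -> {decoded!r}")
```

The "Counter" and "CounterBE" entries hold identical bytes and decode to 0x12345678 and 0x78563412 respectively, which is why an analyst must read the type tag rather than guessing from the byte pattern.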


Registry Value Types Cont'




Example-1: Windows Registry Forensic Analysis (WRFA)

  • Computer Name:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName

  • Additional Info: Product Name, Current Build Number, and Registered Owner
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion



Example-2: WRFA

  • Collecting Time Zone Information
    Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation


Example-3: WRFA

  • Collecting Last Shutdown
    Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Windows
  • The value is stored as hex (binary) data, so decoding is required.
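The binary value under this key (ShutdownTime) is an 8-byte Windows FILETIME: a little-endian count of 100-nanosecond ticks since 1 January 1601 UTC. The converter below is an added example for these slides, not code from the lecture or from a registry tool. The sample shutdown timestamp is constructed, and the 1993 cut-off used for the plausibility flag is an assumption chosen because an all-zero FILETIME decodes to 1601 and should be read as "never recorded", not as a real event.

```python
import struct
from datetime import datetime, timedelta, timezone

# A Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes) -> datetime:
    """Convert an 8-byte little-endian FILETIME (as stored in REG_BINARY) to a UTC datetime."""
    if len(raw) != 8:
        raise ValueError(f"FILETIME must be 8 bytes, got {len(raw)}")
    ticks = struct.unpack("<Q", raw)[0]
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> bytes:
    """Inverse conversion; used here only to build the constructed sample."""
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    ticks = (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack("<Q", ticks)


def regedit_hex_to_bytes(text: str) -> bytes:
    """Parse the comma-separated hex that regedit shows for a binary value (e.g. 'a0,b1,...')."""
    return bytes(int(part, 16) for part in text.replace(" ", "").split(","))


def decode_shutdown_time(raw) -> dict:
    """Decode a ShutdownTime-style value from raw bytes or from regedit's hex text."""
    data = regedit_hex_to_bytes(raw) if isinstance(raw, str) else raw
    when = filetime_to_datetime(data)
    return {
        "raw_hex": data.hex(),
        "utc": when.isoformat(),
        # Heuristic (assumption): anything before 1993 cannot be a real NT shutdown;
        # an all-zero value decodes to 1601 and means the time was never recorded.
        "plausible": when.year >= 1993,
    }


# Constructed samples: a shutdown at 2024-03-15 09:30:00 UTC, and a never-set value
SAMPLE_SHUTDOWN = datetime_to_filetime(datetime(2024, 3, 15, 9, 30, tzinfo=timezone.utc))
SAMPLE_NEVER = bytes(8)


if __name__ == "__main__":
    print(decode_shutdown_time(SAMPLE_SHUTDOWN))
    print(decode_shutdown_time(SAMPLE_NEVER))
    print(decode_shutdown_time("00,00,00,00,00,00,00,00"))
```

The decoded time is UTC; to present it in local time, apply the bias from the TimeZoneInformation key shown in Example-2 rather than the analyst machine's zone.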


Example-4: WRFA

  • Wireless SSIDs (Service Set IDentifiers)
    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID}


Example-5: WRFA

  • Shares: You will be able to view shared files across the network
    Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares


Activity: Decrypting UserAssist Entries

Investigate the UserAssist registry key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count

Tasks:

  • What is the purpose of this key?
  • What data does it contain?
  • What does each GUID store?
  • Does it use encryption? If so, what type?
  • Uncover and decode at least one value.


Example-6: WRFA - USB Removable Storage Devices

Connecting a USB removable storage device leaves footprints/artifacts in the Windows registry:

  1. The PnP Manager detects the device and queries its descriptor.
  2. Uses the descriptor to locate and load the appropriate driver.
  3. Creates a registry key under
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR


Example 7: WRFA - Mounted Devices

  • Stores information about mounted devices and volumes
    HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
  • USB Storage Tracking:
    • When a USB removable storage device is connected, it is assigned a drive letter.
    • This assignment is recorded in the MountedDevices key.


Example 8: WRFA Mounted Devices

  • If a device is assigned drive letter D:, the entry in the registry appears as: \DosDevices\D:
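Examples 6 to 8 together describe how an investigator ties a drive letter back to a specific USB device: the MountedDevices value named \DosDevices\D: holds a device path that embeds the same vendor, product, revision and serial strings that form the key names under Enum\USBSTOR. The script below is an added example written for these slides, not code from the lecture or from a forensic tool. Both the MountedDevices values and the USBSTOR key names are constructed samples; the only real identifier is {53f56307-b6bf-11d0-94f2-00a0c91efb8b}, the disk class interface GUID that Windows appends to such device paths.

```python
import re
import struct

# Constructed sample of HKLM\SYSTEM\MountedDevices: value name -> raw value data
SAMPLE_MOUNTED_DEVICES = {
    # Fixed MBR disk volume: 4-byte disk signature + 8-byte partition start offset
    r"\DosDevices\C:": bytes.fromhex("a1b2c3d4") + (1_048_576).to_bytes(8, "little"),
    # USB removable disk: UTF-16LE device path ending in the disk class interface GUID
    r"\DosDevices\D:": (
        r"\??\USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00"
        r"#4C530001234567&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    ).encode("utf-16-le"),
    # The same device recorded again under a (constructed) volume GUID name
    r"\??\Volume{0f1e2d3c-0000-0000-0000-100000000000}": (
        r"\??\USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00"
        r"#4C530001234567&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    ).encode("utf-16-le"),
}

# Constructed sample of subkeys under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR,
# as (device id, instance id) pairs exactly as the two key levels are named
SAMPLE_USBSTOR = [
    ("Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00", "4C530001234567&0"),
    ("Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP", "0019E06B1234&0"),
]

DOSDEV_RE = re.compile(r"^\\DosDevices\\(?P<letter>[A-Z]:)$")
USBSTOR_RE = re.compile(r"^\\\?\?\\USBSTOR#(?P<device>[^#]+)#(?P<instance>[^#]+)#")


def parse_mounted_device(name: str, data: bytes) -> dict:
    """Decode one MountedDevices value into a structured record."""
    entry = {"name": name}
    m = DOSDEV_RE.match(name)
    entry["drive_letter"] = m.group("letter") if m else None
    if len(data) == 12:
        signature, offset = struct.unpack("<IQ", data)
        entry.update(kind="mbr_volume", disk_signature=f"{signature:08x}", partition_offset=offset)
        return entry
    text = data.decode("utf-16-le", errors="replace").rstrip("\x00")
    entry["device_string"] = text
    m = USBSTOR_RE.match(text)
    if not m:
        entry["kind"] = "other"
        return entry
    # Device id looks like Disk&Ven_X&Prod_Y&Rev_Z; split into labelled fields
    fields = {}
    for part in m.group("device").split("&")[1:]:
        key, _, value = part.partition("_")
        fields[key] = value
    # Instance id is the serial number plus an "&0" suffix
    serial = m.group("instance").rsplit("&", 1)[0]
    entry.update(
        kind="usb_storage",
        vendor=fields.get("Ven"),
        product=fields.get("Prod"),
        revision=fields.get("Rev"),
        serial=serial,
        usbstor_key=f"{m.group('device')}\\{m.group('instance')}",
    )
    return entry


def correlate(mounted: dict, usbstor: list) -> dict:
    """Map each USBSTOR device instance to the drive letter(s) MountedDevices assigned to it."""
    parsed = [parse_mounted_device(n, d) for n, d in mounted.items()]
    report = {}
    for device, instance in usbstor:
        key = f"{device}\\{instance}"
        letters = sorted(
            e["drive_letter"] for e in parsed
            if e.get("usbstor_key") == key and e["drive_letter"]
        )
        report[key] = letters          # [] means: enumerated but no letter recorded
    return report


if __name__ == "__main__":
    for key, letters in correlate(SAMPLE_MOUNTED_DEVICES, SAMPLE_USBSTOR).items():
        print(f"{key} -> {letters or 'no drive letter recorded'}")
```

In the sample the SanDisk device resolves to D: while the Kingston device appears in USBSTOR with no MountedDevices entry, which is the pattern an analyst sees when a device was enumerated but its letter assignment has since been reused or the entry removed.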


Case Study: Digital Forensics Investigation

(Chad Steel: Windows Forensics, Wiley)

| Investigation Step | Findings |
|---|---|
| Allegation | Employee accused of copying confidential data onto a DVD. |
| Initial Check | No DVD burner was issued or found. |
| Laptop Analysis | Registry analysis conducted. |
| USB Device Found | Entry for PLEXTOR DVDR PX-708A detected. |
| Software Found | Nero - Burning ROM registry key identified. |
| Further Investigation | Nero compilation files (.nrc) and ISO image files discovered. |
| File Contents | DVD-format and AVI-format copyrighted movies found. |
| Conclusion | No evidence of company data being burned, but the laptop was used to burn copyrighted material, and the employee had lied. |

Steel, C. (2006). Windows Forensics: The Field Guide for Conducting Corporate Computer Investigations. John Wiley & Sons.


On Your Own Time

Investigate the Following:

  • Can the WinReg settings be modified or edited?
  • Explore the purpose and impact of these registry settings:
    • ClearPageFileAtShutdown
    • DisableLastAccess
    • AutoRun


Conclusion

  • The Windows Registry holds valuable system data but can be complex and overwhelming.
  • Tools like Autopsy, FTK Registry Viewer and RegRipper simplify registry analysis.
  • Skilled forensic investigators are required for expert registry analysis.
  • Understanding the registry provides powerful capabilities for system configuration and forensic investigations.
  • Both analysts and adversaries can leverage registry knowledge to manipulate Windows systems.

For more details, download Complete Guide to Windows 10 Registry Tweaks from here or visit this



Resources

Microsoft Resources

Microsoft provides extensive documentation and support for working with the Windows Registry:



RegRipper Resources

RegRipper is a powerful forensic tool for extracting and analyzing Windows Registry data. Below are resources to help you get started:



Lab



![width:1OO% height:500px center](../../figures/Win_viewer.png)