Need for Registry r...
 
Notifications
Clear all

Need for Registry references

11 Posts
3 Users
0 Likes
553 Views
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

I'm curious as to what sort of information analysts and in particular LEOs are looking for in a Windows Registry reference.

Sticking to just 2K+ (including XP and 2K3), I'd like to know

1. What are LEOs and analysts looking for? What format is easiest to use? Spreadsheet? Database?

2. What kinds of things do you want to know about the keys? Where they come from? How/when they're created/updated?

3. Besides MS keys, what other applications are of interest?

4. What references do you use already? Are you maintaining a local list? Do you access online references (if so, can you share the links/URLs)? How credible are your references?

I think that there's a need for consolidation, testing/analysis (to verify and establish credibility), and a way to make it available to everyone who needs it. Perhaps a way to do with would be to have a central location, maintained by one person (or a small group) with requirements for submissions and updates. That way, the list could be available to all, with at least some assurance that a process is followed and updates aren't made lightly.

Thoughts? Submissions?

Harlan

 
Posted : 26/11/2005 5:27 pm
andy1500mac
(@andy1500mac)
Posts: 79
Trusted Member
 

Harlan,

I'm a bit in the dark as to what is being used at present time by LE and the such but will troll the Internet and forums should I have any registry based inquiries.

The problem however is I'm not 100% sure of the accuracy of the information (with regards to hard to find reg info). Hence a central database maintained by a reputable source (educational institute for example) I think is a great idea especially if it contains key contents and how and why they are created.

An example from my end would be the Userassist key. I can see that once decoded the values represent CLI executables run, links accessed as well as URL's visited. Why they are created I'm not sure…clearing the values and launching different programs I can't see any real rhyme or reason as to why the key is populated. (at least during a cursory test).In terms of what I've found concerning the key…very little, just a blurb on Word Instrumental 2000 mentioning the key
http//support.microsoft.com/default.aspx?scid=kb;en-us;239062. Doesn't tell me much if I'm asked how the values are created.

I for one am interested in knowing that such and such a key contains xx value, but knowing how/why it is created I believe is just as important especially if I may be questioned on this at some point.

In terms of specific keys, with the proliferation of all the USB devices I think many will be interested in any information regarding the use of devices plugged into these ports…which I think you covered awhile back (usbstor & setupapi.log). The PC is becoming more of a Hub for tons of other stuff that at times you never visually see (and may not know were ever attached)….so these values I think are very useful.

I wish I had more time to dedicate to certain aspects of the discipline such as the registry but with a full time job outside of forensics I can only put aside so much time as I try and educate myself in hopes of a future foray into the field.

Andrew-

 
Posted : 26/11/2005 8:18 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

Andrew,

> I'm a bit in the dark as to what is being used at present time by LE

Okay, but I didn't limit my query to just LEO. If you're doing forensic analysis, what sorts of things are YOU looking for with regards to the Registry?

> The problem however is I'm not 100% sure of the accuracy of the information

This is a problem across the board. This is why I suggest the use of references, primarily from credible sources, as well as verifiable and reproducible testing.

> In terms of specific keys, with the proliferation of all the USB devices

Like you said yourself…been there, done that.

> I wish I had more time to dedicate to certain aspects of the discipline
> such as the registry

Again, this is why I posted originally, because this seems to be a common thread throughout the community, regardless of whether you are a LEO or not. It's pervasive. There are analysts out there…LEOs and otherwise…who are NOT performing Registry analysis, for no other reason than b/c they know far too little about the Registry.

What would you think of a standardized location (much like what Linus does with Linux kernel development) and a standardized testing procedure. Submissions can be made to the repository, but they must pass certain criteria, to ensure credibility? I don't agree that an academic site would be the most credible, as few academic institutions understand the needs of the analyst in the field.

I'm still open to thoughts and ideas about this…

Harlan

 
Posted : 27/11/2005 2:23 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

Okay, so that's it? No one has any thoughts on the subject, nothing to add? No keys and supporting info that you'd like to submit?

 
Posted : 01/12/2005 5:34 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

Wow…still nothing.

Is no one out there doing any sort of Registry analysis, or even just correlating one or two values?

 
Posted : 06/12/2005 3:40 am
hogfly
(@hogfly)
Posts: 287
Reputable Member
 

Harlan,
I'm in the midst of collecting what I think may be somewhat important registry locations. I have yet to do any real investigative work on them to determine if they are actually useful and if so, how they are created, what creates them and when.

The following is the list of keys that may be interesting. As I said I haven't looked in to them yet or compared against other lists I use already, so I apologize if they are actually useless. Also, if they've been duplicated elsewhere, let me know where, and in what doc so I can save myself some time.

Windows Installer file locations. This may help determining the existance of certain applications. I want to check how long this data is stored, to determine if say..a wiping application was once installed.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer

Last visited MRU.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\L
astVisitedMRU

Mapped network drive MRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

Network cards installed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards

Network connections
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network

OpenSave MRU
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Prefetcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher

Print server MRU
HKEY_CURRENT_USER\Printers\Settings\Wizard\ConnectMRU

Recent Docs MRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Run MRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Shell Bag MRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU]

Special Accounts list
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Stream MRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

Tcp_ip config
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

Telephony
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\Locations

Terminal Services Cache information
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Remote Desktop Cache Files

NTP Servers being used
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers

Terminal Services MRU
HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default

Time Zone configuration
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation

Time Zone mapping
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Time Zones

Windows Uninstall locations
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Windows Shutdown information
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows

Winlogon information. Contains information about each SID, the GPO applied and possibly whether or not winlogon has been trojaned.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

WOW Exec configuration
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW

 
Posted : 06/12/2005 6:01 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

hogfly,

Thanks for the list…I've got most of them in my Registry key spreadsheet already.

What I'm looking at providing isn't just a list, but an explanation/description of how the keys are used (ie, conditions under which they are created/modified), as well as credible references that support this information.

In order for a Registry reference to be useful, it has to contain more than just a list of keys. Not only do keys and values need explanations, but information about how they are used, particularly when correlated with other keys or files is extremely important.

Right now, there're people like you and me, with lists of keys. Individually, we know why we want to look at those keys, and what we look for. When I was in an FTE position, I looked at the contents of the HKLM\..\Run key from all systems in the enterprise once a month, so I got pretty good at quickly spotting anomolies. However, there are new people every day being confronted with Registry analysis for the very first time…either as new forensic analysts, or b/c they are encountering Windows systems for the first time. The information needs to be consolidated, and built up, so that it can be of tremendous value to everyone.

I'll give you an example. In your list above, you mention "Telephony", and list a path to a key (??) named "Locations". I'm sure that you know why you're looking at the key, but does anyone else know? Why is this key important? What do the values within the key tell the investigator? How can this information be used with other values from the Registry to paint a picture for the investigator?

Thanks,

Harlan

 
Posted : 06/12/2005 4:59 pm
hogfly
(@hogfly)
Posts: 287
Reputable Member
 

Harlan,
Indeed, more than just a list is necessary, and I do intend to complete the list and the contents of the keys so they are useful. All this list was intended to be was flagging potentially revealing keys so I could go back and dig deeper in to the what,when,how of the values. I should have *some* free time in the next month or so to develop the list in to something useful. As for credibility of the resources….know anyone at Microsoft? )

 
Posted : 06/12/2005 6:12 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

> know anyone at Microsoft?

I do…but haven't gotten anything out of them. Kind of like the whole "blood from a stone" thing.

When I sat down and was thinking about the format for a Registry reference, I also thought about how to handle submissions. As far as "credible references" go, two things came to mind (a) links to MS KB articles, and other credible sites (NIST, etc.), and (b) verifiable, repeatable testing. An example of this might be

1. Run the first half of the InControl5 two-phase process.
2. Initiate monitoring via Regmon.
3. Perform a single, atomic action (double-click a JPG image, either on the local hard drive or on a USB-connected removable storage device).
4. Halt Regmon capture.
5. Complete the InControl5 process.
6. Submit Registry key with description, test procedure, and results.

The basic idea is that if someone else uses the testing procedure, and performs the same action as in step 3, they should get the same results.

An additional step might be to query the LastWrite time of the key in question before step 1 and again after step 4.

Sound reasonable?

 
Posted : 06/12/2005 8:21 pm
hogfly
(@hogfly)
Posts: 287
Reputable Member
 

It does sound reasonable. However, what about keys and values that are user configured such as the telephony key(s)? In that case, I'd say step 3 needs to be expanded to include the configuration of a single field (or the entire dialog window) in a user configurable utility.

 
Posted : 06/12/2005 8:32 pm
Page 1 / 2
Share: