Need for Registry references


keydet89
Senior Member
 

Need for Registry references

Post Posted: Nov 26, 05 18:27

I'm curious as to what sort of information analysts and in particular LEOs are looking for in a Windows Registry reference.

Sticking to just 2K+ (including XP and 2K3), I'd like to know:

1. What are LEOs and analysts looking for? What format is easiest to use? Spreadsheet? Database?

2. What kinds of things do you want to know about the keys? Where they come from? How/when they're created/updated?

3. Besides MS keys, what other applications are of interest?

4. What references do you use already? Are you maintaining a local list? Do you access online references (if so, can you share the links/URLs)? How credible are your references?

I think that there's a need for consolidation, testing/analysis (to verify and establish credibility), and a way to make it available to everyone who needs it. Perhaps a way to do this would be to have a central location, maintained by one person (or a small group) with requirements for submissions and updates. That way, the list could be available to all, with at least some assurance that a process is followed and updates aren't made lightly.

Thoughts? Submissions?

Harlan  
 
  

andy1500mac
Senior Member
 

Re: Need for Registry references

Post Posted: Nov 26, 05 21:18

Harlan,

I'm a bit in the dark as to what is being used at present time by LE and the such but will troll the Internet and forums should I have any registry based inquiries.

The problem however is I'm not 100% sure of the accuracy of the information (with regards to hard to find reg info). Hence a central database maintained by a reputable source (educational institute for example) I think is a great idea especially if it contains key contents and how and why they are created.

An example from my end would be the Userassist key. I can see that once decoded the values represent CLI executables run, links accessed as well as URLs visited. Why they are created I'm not sure...clearing the values and launching different programs I can't see any real rhyme or reason as to why the key is populated (at least during a cursory test). In terms of what I've found concerning the key...very little, just a blurb on Word Instrumental 2000 mentioning the key support.microsoft.com/...us;239062. Doesn't tell me much if I'm asked how the values are created.

I for one am interested in knowing that such and such a key contains xx value, but knowing how/why it is created I believe is just as important especially if I may be questioned on this at some point.

In terms of specific keys, with the proliferation of all the USB devices I think many will be interested in any information regarding the use of devices plugged into these ports…which I think you covered awhile back (usbstor & setupapi.log). The PC is becoming more of a Hub for tons of other stuff that at times you never visually see (and may not know were ever attached)....so these values I think are very useful.

I wish I had more time to dedicate to certain aspects of the discipline such as the registry but with a full time job outside of forensics I can only put aside so much time as I try and educate myself in hopes of a future foray into the field.



Andrew-  
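The UserAssist decoding Andrew describes, as an added example that is not part of the original post or of any poster's tooling: the value names under the UserAssist Count subkeys are ROT13-encoded, and on 2K/XP/2K3 each value's data is 16 bytes holding a session id, a run count (stored with an offset of 5) and the last-run time as a FILETIME. The sample values are constructed here; the later Vista/7 72-byte format is not handled.

```python
"""Decode Windows XP-era UserAssist entries.

Added example for this thread, not code from the poster.  Value names under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{GUID}\\Count
are ROT13-encoded.  On 2K/XP/2K3 the value data is 16 bytes:
  DWORD session id | DWORD run count (+5) | FILETIME last run
The SAMPLE_VALUES below are constructed, not taken from a real hive.
"""
import codecs
import struct
from datetime import datetime, timedelta

EPOCH_1601 = datetime(1601, 1, 1)
FILETIME_UNIX_EPOCH = 116444736000000000  # 1970-01-01 00:00:00 UTC as FILETIME


def decode_name(value_name):
    """Undo the ROT13 applied to UserAssist value names."""
    return codecs.decode(value_name, "rot13")


def filetime_to_datetime(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC; 0 means 'never set'."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_entry_xp(decoded_name, data):
    """Return decoded name, true run count and last-run time for one
    XP-format UserAssist value (16 bytes of data)."""
    if len(data) != 16:
        raise ValueError(f"expected 16 bytes of XP-format data, got {len(data)}")
    session, raw_count, ft = struct.unpack("<IIQ", data)
    # XP stores the count offset by 5; anything below that means "not counted".
    run_count = raw_count - 5 if raw_count >= 5 else 0
    return {"name": decoded_name, "session": session,
            "run_count": run_count, "last_run": filetime_to_datetime(ft)}


def parse_count_key(values):
    """values: iterable of (raw_name, data) as read from a Count subkey.
    Skips the UEME_CTLSESSION bookkeeping value (different layout, no run
    time) and returns entries most-recently-run first."""
    out = []
    for raw_name, data in values:
        name = decode_name(raw_name)
        if name.startswith("UEME_CTLSESSION"):
            continue
        out.append(parse_entry_xp(name, data))
    out.sort(key=lambda e: e["last_run"] or EPOCH_1601, reverse=True)
    return out


# Constructed sample: one program run, one shortcut run, one session record.
SAMPLE_VALUES = [
    (codecs.encode("UEME_RUNPATH:C:\\Windows\\notepad.exe", "rot13"),
     struct.pack("<IIQ", 0, 8, FILETIME_UNIX_EPOCH)),               # run 3 times
    (codecs.encode("UEME_RUNPIDL:%csidl2%\\Accessories\\Calculator.lnk", "rot13"),
     struct.pack("<IIQ", 0, 6, FILETIME_UNIX_EPOCH + 10_000_000 * 1_000_000)),
    (codecs.encode("UEME_CTLSESSION", "rot13"), struct.pack("<II", 0, 1)),
]

if __name__ == "__main__":
    for e in parse_count_key(SAMPLE_VALUES):
        print(f"{e['last_run']}  x{e['run_count']:<3} {e['name']}")
```

The decoded name tells you what was launched; the FILETIME tells you when it was last launched, which is what makes the key worth correlating with other timestamps rather than just listing.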
 
  

keydet89
Senior Member
 

Re: Need for Registry references

Post Posted: Nov 27, 05 03:23

Andrew,

> I'm a bit in the dark as to what is being used at present time by LE

Okay, but I didn't limit my query to just LEO. If you're doing forensic analysis, what sorts of things are YOU looking for with regards to the Registry?

> The problem however is I'm not 100% sure of the accuracy of the information

This is a problem across the board. This is why I suggest the use of references, primarily from credible sources, as well as verifiable and reproducible testing.

> In terms of specific keys, with the proliferation of all the USB devices

Like you said yourself...been there, done that.

> I wish I had more time to dedicate to certain aspects of the discipline
> such as the registry

Again, this is why I posted originally, because this seems to be a common thread throughout the community, regardless of whether you are a LEO or not. It's pervasive. There are analysts out there...LEOs and otherwise...who are NOT performing Registry analysis, for no other reason than b/c they know far too little about the Registry.

What would you think of a standardized location (much like what Linus does with Linux kernel development) and a standardized testing procedure. Submissions can be made to the repository, but they must pass certain criteria, to ensure credibility? I don't agree that an academic site would be the most credible, as few academic institutions understand the needs of the analyst in the field.

I'm still open to thoughts and ideas about this...

Harlan  
 
  

keydet89
Senior Member
 

Re: Need for Registry references

Post Posted: Dec 01, 05 18:34

Okay, so that's it? No one has any thoughts on the subject, nothing to add? No keys and supporting info that you'd like to submit?  
 
  

keydet89
Senior Member
 

Re: Need for Registry references

Post Posted: Dec 06, 05 04:40

Wow...still nothing.

Is no one out there doing any sort of Registry analysis, or even just correlating one or two values?  
 
  

hogfly
Senior Member
 

Re: Need for Registry references

Post Posted: Dec 06, 05 07:01

Harlan,
I'm in the midst of collecting what I think may be somewhat important registry locations. I have yet to do any real investigative work on them to determine if they are actually useful and if so, how they are created, what creates them and when.

The following is the list of keys that may be interesting. As I said I haven't looked in to them yet or compared against other lists I use already, so I apologize if they are actually useless. Also, if they've been duplicated elsewhere, let me know where, and in what doc so I can save myself some time.

Windows Installer file locations. This may help determining the existence of certain applications. I want to check how long this data is stored, to determine if say..a wiping application was once installed.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer

Last visited MRU.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Mapped network drive MRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

Network cards installed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards

Network connections
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network

OpenSave MRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Prefetcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher

Print server MRU
HKEY_CURRENT_USER\Printers\Settings\Wizard\ConnectMRU

Recent Docs MRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Run MRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Shell Bag MRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU

Special Accounts list
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Stream MRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

Tcp_ip config
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

Telephony
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\Locations

Terminal Services Cache information
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Remote Desktop Cache Files

NTP Servers being used
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers

Terminal Services MRU
HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default

Time Zone configuration
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation

Time Zone mapping
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones

Windows Uninstall locations
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Windows Shutdown information
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows

Winlogon information. Contains information about each SID, the GPO applied and possibly whether or not winlogon has been trojaned.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

WOW Exec configuration
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW  
 
  

keydet89
Senior Member
 

Re: Need for Registry references

Post Posted: Dec 06, 05 17:59

hogfly,

Thanks for the list...I've got most of them in my Registry key spreadsheet already.

What I'm looking at providing isn't just a list, but an explanation/description of how the keys are used (ie, conditions under which they are created/modified), as well as credible references that support this information.

In order for a Registry reference to be useful, it has to contain more than just a list of keys. Not only do keys and values need explanations, but information about how they are used, particularly when correlated with other keys or files is extremely important.

Right now, there're people like you and me, with lists of keys. Individually, we know why we want to look at those keys, and what we look for. When I was in an FTE position, I looked at the contents of the HKLM\..\Run key from all systems in the enterprise once a month, so I got pretty good at quickly spotting anomalies. However, there are new people every day being confronted with Registry analysis for the very first time...either as new forensic analysts, or b/c they are encountering Windows systems for the first time. The information needs to be consolidated, and built up, so that it can be of tremendous value to everyone.

I'll give you an example. In your list above, you mention "Telephony", and list a path to a key (??) named "Locations". I'm sure that you know why you're looking at the key, but does anyone else know? Why is this key important? What do the values within the key tell the investigator? How can this information be used with other values from the Registry to paint a picture for the investigator?

Thanks,

Harlan  
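Two pieces of this exchange lend themselves to code: hogfly's key list, which mixes short and long root names, .reg-style brackets and a wrapped path, and Harlan's point that a bare path is not a reference until it says what the key holds and cites something credible. The following is an added example, not code from either poster or from any project they mention: it canonicalizes a hand-typed key path to the offline hive file that holds it on a 2K/XP/2K3 system, and applies the kind of submission check Harlan proposes. The `KeyReference` fields and the validation thresholds are this example's own choices; the hive-file locations are the standard ones for those Windows versions.

```python
"""Map live-Registry key paths to the offline hive that holds them, and
check a proposed reference entry for the explanation and sources the thread
asks for.  Added example; the KeyReference layout and the checks in
validate_submission are assumptions of this example, not a published format.
"""
import re
from dataclasses import dataclass, field

# Live root -> (hive file name, where it lives on a 2K/XP/2K3 install).
HIVE_FILES = {
    "HKEY_LOCAL_MACHINE\\SOFTWARE": ("SOFTWARE", r"%SystemRoot%\System32\config\SOFTWARE"),
    "HKEY_LOCAL_MACHINE\\SYSTEM": ("SYSTEM", r"%SystemRoot%\System32\config\SYSTEM"),
    "HKEY_LOCAL_MACHINE\\SAM": ("SAM", r"%SystemRoot%\System32\config\SAM"),
    "HKEY_LOCAL_MACHINE\\SECURITY": ("SECURITY", r"%SystemRoot%\System32\config\SECURITY"),
    "HKEY_CURRENT_USER": ("NTUSER.DAT", r"Documents and Settings\<user>\NTUSER.DAT"),
}
ROOT_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def normalize_key(path):
    """Clean a hand-typed key path (.reg brackets, HKLM/HKCU short roots,
    line wraps, doubled backslashes) and say which offline hive holds it."""
    path = path.strip().strip("[]").replace("\n", "").replace("\r", "")
    path = re.sub(r"\\+", "\\\\", path)
    root, _, rest = path.partition("\\")
    root = ROOT_ALIASES.get(root.upper(), root.upper())
    full = root + ("\\" + rest if rest else "")
    for prefix, (hive, location) in HIVE_FILES.items():
        if full.upper() == prefix or full.upper().startswith(prefix + "\\"):
            relative = full[len(prefix) + 1:]
            break
    else:
        raise ValueError(f"no hive file known for {path!r}")
    # CurrentControlSet exists only on a live system; in an offline SYSTEM
    # hive the real key is ControlSet00N, N taken from SYSTEM\Select\Current.
    return {
        "hive": hive,
        "hive_location": location,
        "relative_path": relative,
        "resolve_via_select": relative.upper().startswith("CURRENTCONTROLSET"),
    }


@dataclass
class KeyReference:
    """One candidate entry for the shared reference (example's own layout)."""
    key: str
    description: str                                  # what it holds, what creates/updates it
    references: list = field(default_factory=list)    # supporting URLs or documents
    tested_on: list = field(default_factory=list)     # e.g. "XP SP2", "2K3 SP1"


def validate_submission(entry):
    """Return the problems that would block this entry: the thread wants an
    explanation and credible sources, not just a path."""
    problems = []
    try:
        normalize_key(entry.key)
    except ValueError as exc:
        problems.append(str(exc))
    if len(entry.description.split()) < 5:
        problems.append("description must explain how/when the key is created or updated")
    if not entry.references:
        problems.append("at least one supporting reference is required")
    if not entry.tested_on:
        problems.append("state the Windows version(s) the behaviour was verified on")
    return problems


if __name__ == "__main__":
    # Two entries as typed in hogfly's list, brackets and short root included.
    for k in ["HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DateTime\\Servers",
              "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU]"]:
        print(normalize_key(k))
    bare = KeyReference(
        key="HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation",
        description="Time zone")
    print(validate_submission(bare))
```

The hive mapping is the practical half: an analyst working from an image has no HKLM or HKCU, only SOFTWARE, SYSTEM and each user's NTUSER.DAT, and every CurrentControlSet path has to be re-rooted at the ControlSet the Select key names before it can be looked up.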
 

Page 1 of 2