Intro
Computer Forensics is a sub-field of cybersecurity, that pertains to gathering evidence of usage of a computer. Generally, it would fall under the larger field of Digital Forensics, dealing with all kinds of digital devices, from examination and recovery to analysis of the data found within them.
Digital forensics is used, and needed, widely, from the private sector – where you might want to analyze your organization internally, or if you, for example, are doing incident response/analysis.
In a legal sense, digital forensics can be used to support some hypotheses in a civil/criminal case – or vice versa.
There are even cases that went cold for years before actually being solved through the techniques used in this field. One famous example is the BTK serial killer case that has gone cold for years, but the perpetrator met his downfall once he started taunting the authorities by sending letters to them.
Eventually, the police managed to recover a deleted MS Word document from the drive, analyze the metadata of the document, pinpoint the killer, and finally arrest him!
From the Wikipedia page, that can be found here:
Police found metadata embedded in a deleted Microsoft Word document that was, unknown to Rader, still stored on the floppy disk.[54] The metadata contained the words “Christ Lutheran Church”, and the document was marked as last modified by “Dennis”.[55] An Internet search determined that a “Dennis Rader” was president of the church council.[52] When investigators drove by Rader’s house, a black Jeep Cherokee—the type of vehicle seen in the Home Depot surveillance footage—was parked outside.[56] This was strong circumstantial evidence against Rader, but they needed more direct evidence to detain him.[57]
As you can see, computer forensics can be quite useful, and can provide us with a lot of insight on what has happened on/to our computer systems. Connecting the dots further, it can even help us ascertain what someone might have done – as illustrated in the example above.
Windows
This is de facto the most used Desktop OS right now – 75% of the market share, to be precise. That’s mostly why I intend to focus on Windows forensics but will talk about Linux forensics in the future as well.
Why is the Windows Registry important from a forensic perspective?
The Registry in Windows is practically the Database for the OS itself. It contains all the configuration data for the system – and is organized in a hierarchical way.
From MS docs:
The registry is a hierarchical database that contains data that is critical for the operation of Windows and the applications and service that run on Windows. The data is structured in a tree format. Each node in the tree is called a key. Each key can contain both subkeys and data entries called values.
This means that the registry holds information about the software, hardware, and even the user. This includes data about recently used programs or files as well as the devices that may have or are connected to the system. You probably can infer how this can be of great value to a forensic investigator.
The registry on your Windows systems comprises of these five root keys:
- HKEY_CURRENT_USER
- HKEY_HKEY_USERS
- HKEY_LOCAL_MACHINE
- HKEY_CLASSES_ROOT
- HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER – Contains the root of the configuration information for the user who is currently logged on. The user’s folders, screen colors, Control Panel settings are stored here. This information is associated with the user’s profile. This key is sometimes abbreviated as HKCU.
HKEY_USERS – Contains all the actively loaded user profiles on the computer. HKEY_CURRENT_USER is a subkey of HKEY_USERS. HKEY_USERS is sometimes abbreviated as HKU.
HKEY_LOCAL_MACHINE – Contains configuration information particular to the computer (for any user). This key is sometimes abbreviated as HKLM.
HKEY_CLASSES_ROOT – Is a subkey of HKEY_LOCAL_MACHINE\Software. The information that is stored here makes sure that the correct program opens when you open a file by using Windows Explorer. This key is sometimes abbreviated as HKCR. Starting with Windows 2000, this information is stored under both the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER keys. The HKEY_LOCAL_MACHINE\Software\Classes key contains default settings that can apply to all users on the local computer. The HKEY_CURRENT_USER\Software\Classes key contains settings that override the default settings and apply only to the interactive user. The HKEY_CLASSES_ROOT key provides a view of the registry that merges the information from these two sources. HKEY_CLASSES_ROOT also provides this merged view for programs that are designed for earlier versions of Windows. To change the settings for the interactive user, changes must be made under HKEY_CURRENT_USER\Software\Classes instead of under HKEY_CLASSES_ROOT. To change the default settings, changes must be made under HKEY_LOCAL_MACHINE\Software\Classes. If you write keys to a key under HKEY_CLASSES_ROOT, the system stores the information under HKEY_LOCAL_MACHINE\Software\Classes. If you write values to a key under HKEY_CLASSES_ROOT, and the key already exists under HKEY_CURRENT_USER\Software\Classes, the system will store the information there instead of under HKEY_LOCAL_MACHINE\Software\Classes.
HKEY_CURRENT_CONFIG – Contains information about the hardware profile that is used by the local computer at system startup.
These root keys, combined with values and subkeys, are what make the Registry Hive.
You can check this by opening regedit.exe to look around the registry – directories you see are the Registry Keys, and the values are whatever data is stored within – as mentioned above.
Access Hives Offline
Please note that the above is true if you’re accessing a live system – through the in-built utility regedit.exe. But, if you only have the disk image, you will go on about this in a slightly different way. First, you should now that the registry hive is located on the disk in the C:\Windows\System32\Config directory.
Let me just digress here for a bit. Why is this important? Well, in an investigation you would typically clone the disk first – hence the disk image – and you would conduct your investigation on the clone. You don’t want to mess up your potential evidence by working on the original. As mentioned here, even though cloning is a straightforward process in theory, in practice it can be quite different.
The goal is simple – you want to clone one disk to another. The drive you want to clone is typically removed from the computer and connected to another computer or a cloning device. However, it is vital to have some sort of control over the writing process i.e. a hardware write block which is placed between the cloned (source disk) and the destination disk (one we’re cloning to). You need this, because you don’t want to accidentally mess up your investigation by writing data to the cloned/source disk.
You should also forensically clean the destination disk beforehand. Forensic imaging tools (FTK Imager, Autopsy, etc.) will usually create some sort of proof that the cleaning had happened. Finally, when all the preparations have been made successfully and the process starts, upon successfully cloning the disks you would have matching hashes for the source and the clone – i.e. your proof that you have an exact clone of the disk that’s investigated.
I will mention the tools above, and others, in my future articles on this topic, but for now let me get back on track and talk about the locations of the aforementioned hives on the respective disk(s).
These hives are:
- DEFAULT (mounted at – HKEY_USERS\DEFAULT)
- SAM (mounted at – HKEY_LOCAL_MACHINE\SAM)
- SECURITY (mounted at – HKEY_LOCAL_MACHINE\Security)
- SOFTWARE (mounted at – HKEY_LOCAL_MACHINE\Software)
- SYSTEM (mounted at – HKEY_LOCAL_MACHINE\System)
Aside from these hives, there are two more hives that keep information about the user and can be found in the User directory. The path is found at C:\Users\<username> (this is true for Windows 7 and above versions of the Windows OS)
The two hives are these:
- NTUSER.DAT (mounted at HKEY_CURRENT_USER after the user would log in)
- USRCLASS.DAT (mounted at HKEY_CURRENT_USER\Software\CLASSES)
NTUSER.DAT is found in the C:\Users\<username> and the USRCLASS.DAT is found in the C:\Users\<username>\AppData\Local\Microsoft\Windows. Please note that both of these hives are hidden.
NTUSER.DAT
USRCLASS.DAT
Finally, the Amcache hive, which is quite important in the Windows OS since it keeps information about programs that have been run recently. It is located at C:\Windows\AppCompat\Programs\Amcache.hve
Amcache Hive
Conclusion
To conclude, I covered some basics about Computer/Digital Forensics in general, as well as the Windows OS Registry Hive. This is exactly what threat actors exploit in numerous ways, and we will be looking at how to ascertain what they did to our devices in the next article. I will also talk about the mentioned forensic tools such as Autopsy, FTK Imager, and others. (Linux forensics will be covered too!)
Stay tuned.
Cover image by Immo Wegmann
#registry #forensics #windows
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.
