Digital forensics

Windows registry analysis with RegRipper – A ‘hands-on’ case study

Every analysis begins with specific goals in mind. As a forensics investigator, you are expected to know the type and importance of information you are looking for while investigating a computer crime. Computer forensics investigations involving a Windows box rely heavily on meticulous inspection of the keys, subkeys and relevant values that exist within the Windows registry. You are expected to know what you are looking for in the registry, where it is located and how it will help your investigation. 'RegRipper' is an easy-to-use tool that makes the process of extracting information from the registry easier by providing pre-written Perl 'plugins' (details in the previous paper). In this paper, we experiment further with the Windows registry (Windows XP and Windows 7) using more RegRipper plugins and take a quick look at RegRipper's graphical interface.

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

Start Learning

Role: Computer Forensics Investigator

Purpose: Locate inculpatory or exculpatory evidence in the disk so that it may be presented in the court of law.

Assumptions: It is assumed that you have read the previous paper on 'Windows Registry Forensics using RegRipper' and have access to the Windows XP and/or Windows 7 registry hive files.

Evidence Disk: You can grab the EnCase image of the Greg Schardt hacking case here: part1 and part2.

Tools used: You can download RegRipper for Linux here, and RegRipper for Windows here.

Tasks performed: During the course of this investigation, you will be required to perform the following tasks:

• Determining whether auditing is enabled
• Examining Windows Shellbags
• Determining the information stored in banners
• Extracting information from the SAM hive using 'samparse'
• Examining the Browser Helper Objects
• Determining if the 'NukeOnDelete' value is set
• Determining the presence of Trojans such as clampi, brisv, etc
• Determining the common dialogues available
• Determining the remote systems that the suspect connected to
• Determining the default browser in use
• Determining the Google Toolbar search history
• Determining the 'TypedPaths'
• Determining the wireless access points information
• Determining WinZip information
• Registry analysis using RegRipper's graphical interface

Some facts that you should know:

• As a forensics investigator, you will not be interacting with the Windows registry using the standard 'regedit' (Registry Editor) that ships with Windows. You will mostly be working over dormant registry hives that are nothing more than 'files' resident in the evidence disk drive.
• Information relevant to specific users of the system is located in the 'NTUSER.DAT' file.
• The hives files (SAM, security, software and system) can mostly be located in the 'Windows/System32/config/' folder.
• Some of these hives are 'volatile' and the contents are lost as soon as power is interrupted. These include: HKEY_CURRENT_USER, HKEY_LOCAL_MACHINEHARDWARE, etc.
• Registry contains multifarious keys and subkeys. Each of these keys contains: Values, Data Type and Data.

Windows Registry Analysis

We begin with analyzing the Windows XP registry first and then move on to experiment with Windows 7 registry.

Determining whether auditing is enabled

As forensics investigators, we are interested to know if security audits are enabled on the suspect's system. We will obtain this information using the 'auditpol' (Audit Policy) plugin in RegRipper:

perl rip.pl -r /mnt/forensics/WINDOWS/system32/config/SECURITY -p auditpol

Figure 1

Notice that auditing is disabled on the suspect's computer [Figure 1].

Examining windows shellbags

Recall that in Windows XP there is a setting under 'Folder Options' that allows the system to 'Remember each folder's view settings'. This particular setting is stored in the registry at the following paths:

• HKCUSoftwareMicrosoftWindowsShellBags
• HKCUSoftwareMicrosoftWindowsShellBagMRU
• HKCUSoftwareMicrosoftWindowsShellNoRoamBags
• HKCUSoftwareMicrosoftWindowsShellNoRoamBagMRU

The information revealed by this key is of interest to us since Shellbags store information about the folders (such as size, icon, position, etc) even after the folder has been removed. This means that we are able to gather information about mounted volumes, files that have been deleted, user modifications, etc. It can also reveal information about the use of Windows Explorer to access remote shares and removable storage devices. The 'bagtest' plugin in RegRipper is used to test these bagMRU keys in the registry:

perl rip.pl -r /mnt/forensics/Documents and Settings/Mr. Evil/NTUSER.DAT -p bagtest

Figure 2

Determining the information stored in banners

A banner is a message that is displayed to the user before he/she logs on to the system. These are used by organizations to give legal notice to the users regarding the ethical use of its systems. This information is stored in the following registry key:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinLogon

We use the 'banner' plugin in RegRipper to obtain the banner information:

perl rip.pl -r /mnt/forensics/WINDOWS/system32/config/software -p banner

Figure 3

Notice that in this particular case, the suspect's system does not contain any banners [Figure 3].

Extracting information from the SAM hive using 'samparse'

The 'samparse' plugin in RegRipper is used to extract both 'user' and 'group' information from the 'SAM' hive file.

Figure 4

Note: Here RID is the specific Windows user's 'relative identifier'. The Administrator account has an RID value of 500 and the Guest account has an RID value of 501 [Figure 4].

Notice that the Login Count for both the Administrator and the Guest account is '0' which indicates these accounts are not in use on this system [Figure 4].

Figure 5

Notice that 'Mr. Evil' is the account that is in use on this system (Login Count = '15'). Also notice the last login date and the account creation date. The RID for this user is '1003' [Figure 5].

Examining the browser helper objects

Browser Helper Objects (BHOs) are DLL files that Internet Explorer can use to provide additional functionality to the user. BHOs can help in customizing the browser (much like the add-ons on Firefox). These BHOs are only loaded when IE is launched. These BHOs may also be targeted by Malware to interfere with the user's online activities. We use the 'bho' plugin in RegRipper to inspect these:

perl rip.pl -r /mnt/forensics/WINDOWS/system32/config/software -p bho

Figure 6

Determining if the 'NukeOnDelete' value is set

'NukeOnDelete' allows one to disable the 'Recycle Bin' function. This means that when a file or folder is selected and the 'delete' key is pressed, the file or folder will be permanently deleted (instead of going to the Recycle Bin). A Windows user can set this feature by going to "Recycle Bin Properties" and then checking "Do not move files to the Recycle Bin. Remove files immediately when deleted". 'NukeOnDelete' can found at the following registry location:

MicrosoftWindowsCurrentVersionExplorerBitBucket

We check to see if the 'NukeOnDelete' bit is set using the 'bitbucket' plugin in RegRipper:

perl rip.pl -r /mnt/forensics/WINDOWS/system32/config/software -p bitbucket

Figure 7

Notice that in this case the NukeOnDelete bit is not set [Figure 7].

Determining the presence of Trojans such as clampi, brisv, etc

Specific plugins in RegRipper allow the investigator to look for the presence of certain viruses or Trojans in the system. These malware are known to modify certain keys in the Windows registry and these plugins check for such modifications to confirm the existence of the malware. In this example, we check for the presence of the 'Ilomo/Clampi' Trojan that is known to create 'Microsoft9593275321' key in the Software hive [1]. We use the 'clampi' plugin in RegRipper for this purpose:

perl rip.pl -r /mnt/forensics/Documents and Settings/Mr. Evil/NTUSER.DAT -p clampi

Figure 8

Notice that this system is not found to be infected by the 'Ilomo/Clampi' Trojan [Figure 8].

Determining the common dialogues available

The common dialogues available on a Windows box are reflected by the 'ComDlg32' key in the registry. The 'OpenSaveMRU' can be found under the 'ComDlg32' key. This 'OpenSaveMRU' is used for tracking the files that are accessed via the 'Open and Save As' common dialogue [1]. In simple words, when the user opens an application (such a 'MS Word') on the Windows box, he/she clicks on 'File' menu item which presents the drop down option of 'Open and Save As'. So this key and its relevant subkeys can be used to track past files that were opened or saved by the suspect.

We use the 'comdlg' plugin in RegRipper to obtain this information:

perl rip.pl -r /mnt/forensics/Documents and Settings/Mr. Evil/NTUSER.DAT -p comdlg32

Figure 9

Notice that the suspect has been saving set ups of some 'hacking' related tools (Ethereal, WinPcap, Net Stumbler, Look@LAN Network Monitor, etc) [Figure 9].

Determining the remote systems that the suspect connected to

Windows maintains information about the systems that a specific user of this box connected to or whether it belonged to a particular Local Area Network. This information is stored in the 'Computer Descriptions' key in the registry. This key is found at the following location in the registry:

HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerComputerDescriptions

We use the 'compdesc' plugin in RegRipper to pull this information from the registry:

perl rip.pl -r /mnt/forensics/Documents and Settings/Mr. Evil/NTUSER.DAT -p compdesc

Figure 10

Notice the systems that the suspect connected to. These can be added to the scope of the investigation if needed [Figure 10].

Determining the default browser in use

The 'defbrowser' plugin in RegRipper is capable of extracting information about the default browser that is in use on this system:

perl rip.pl -r /mnt/forensics/WINDOWS/system32/config/software -p defbrowser

Figure 11

Notice that the suspect was using 'Internet Explorer' as the default browser on this box [Figure 11].

Determining the Google Toolbar search history

To gather information about web searching habits of the suspect, we leverage the Google Toolbar in the browser (if available) which is capable of storing the user's search history. We use the 'gthist' plugin in RegRipper for this purpose:

perl rip.pl -r /mnt/forensics/Documents and Settings/Mr. Evil/NTUSER.DAT -p gthist

Figure 12

Notice that we could not obtain 'Google Toolbar Search History' or the 'Google Toolbar whitelist values'. This may indicate that Google Toolbar is not installed on this box [Figure 12].

RegRipper Analysis for a Windows 7 box

Until now, we have been extracting information from the registry of a Windows XP box according to our case (see case details here). Now we extract information from a Windows 7 registry. There are slight differences in the structure of the registry in the various versions of Windows. This fact affects the successful execution of a plugin.

The following examples are meant to exhibit that registry analysis using RegRipper on a Windows 7 box is not different from that on a Windows XP. This is because the RegRipper plugins offer us certain abstraction when it automatically locates information in the Windows registry. However, a plugin (Perl script) in RegRipper that is written for a Windows XP box may or may not work correctly on a Windows 7 box. It depends on 'where' exactly in the registry this plugin is pulling the information from, and whether this location of the key is common between the hives of a Windows XP and Windows 7 (or Windows Vista or Windows 8) box.

Determining the 'TypedPaths'

The TypedPaths key is in the user's 'NTUSER.DAT' hive file. It stores information about the folder paths that this user typed in the Windows Explorer Address Bar in the system. We obtain information from this key using the 'typedpaths' plugin as follows:

perl rip.pl -r /media/5CBC1A50BC1A24D4/Users/intellikid/NTUSER.DAT -p typedpaths

Figure 13

Determining the wireless access points information

To determine which wireless access points the suspect has connected to, we use the RegRipper plugin 'vista_wireless' as follows:

perl rip.pl -r /media/5CBC1A50BC1A24D4/Windows/System32/config/SOFTWARE -p vista_wireless

Figure 14

Notice that we have obtained a list of wireless access points that the suspect has connected with ('1337Day', 'Connectify-me', 'dlink', etc) and the time and date of last write [Figure 14].

Note: During our experimentation, we found that most of the plugins for Windows Vista worked for Windows 7 as well (as in this case).

Determining WinZip information

If the suspect's computer has WinZip utility installed then we can use the 'winzip' plugin in RegRipper for gathering information about compressed archives that were accessed by the suspect using the WinZip program:

perl rip.pl -r /media/5CBC1A50BC1A24D4/Users/intellikid/NTUSER.DAT -p winzip

Figure 15

Notice that in this case the user has extracted 'Call of Duty 4: Modern Warfare' to 'D:Games', a 'custom ROM' to 'Desktop', etc [Figure 15].

Note: If you do not have information on which hive file is required by a specific plugin, you need to view the Perl script in a text editor of your choice (vi, nano, leafpad, notepad, etc). You will notice a mention of the hive file that the script uses. For example, the 'winvnc' plugin [Figure 16] requires 'NTUSER.DAT' [Figure 17].

Figure 16

Figure 17

Registry analysis using RegRipper's graphical interface

RegRipper comes with a GUI that makes the process of ripping the registry easier. You need to browse for the 'hive' file (such as 'SAM', 'system, 'security', etc) and the text file where the results of the "ripping" process will be stored.

Figure 18

As an example, we load 'NTUSER.DAT' file from our evidence disk [Figure 18], select the 'ntuser' profile in RegRipper and 'rip it' [Figure 19].

Figure 19

This causes RegRipper to 'rip' the 'NTUSER.DAT' file using all available relevant plugins. The result will be stored in the 'Report File' along with a 'Log file'. The log file contains a log of the success/failure of the plugins executed [Figure 20].

Figure 20

Conclusion

Although registry analysis offers vital information to forensics investigators, it can become complex. As Harlan Carvey rightly pointed out in his book Windows Registry Forensics [1], there are two primary reasons why Windows registry analysis is not easy: 1. The Windows registry is not very well understood. 2. The Windows registry structure changes considerably across different versions of Windows. If an analyst is successful in documenting procedures to rip specific registry keys and relevant values, these may become obsolete as a newer of the application or the Operating System is released.

Overall, the process of registry analysis is governed by the goal of the forensics investigation. How you use the information given by the analysis depends on the case that you are investigating. In any case, insouciant attitude towards the Windows registry will lead to the collection of fragmentary information during investigations. For a thorough analysis during complex investigations, it is incumbent that you are familiar with the subtleties of the Windows registry structure.

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

Start Learning

Sources

Harlan A. Carvey, "Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry", Syngress, 2011.