killchain-compendium/Forensics/Windows Registration.md


Windows Registry

Regedit Keys

  • HKEY_CURRENT_USER (HKCU), a link to the current user's subkey inside HKU
  • HKEY_USERS (HKU)
  • HKEY_LOCAL_MACHINE (HKLM)
  • HKEY_CLASSES_ROOT (HKCR), a merged view of data stored in HKLM and HKU
    • HKEY_CURRENT_USER\Software\Classes holds the settings of the interactive user
    • HKEY_LOCAL_MACHINE\Software\Classes holds the machine-wide default settings
  • HKEY_CURRENT_CONFIG

Paths

  • C:\Windows\System32\Config
    • DEFAULT -> HKEY_USERS\.DEFAULT
    • SAM -> HKEY_LOCAL_MACHINE\SAM
    • SECURITY -> HKEY_LOCAL_MACHINE\Security
    • SOFTWARE -> HKEY_LOCAL_MACHINE\Software
    • SYSTEM -> HKEY_LOCAL_MACHINE\System
  • C:\Users\<username>\
    • NTUSER.DAT -> HKEY_CURRENT_USER, hidden file
  • C:\Users\<username>\AppData\Local\Microsoft\Windows
    • USRCLASS.DAT -> HKEY_CURRENT_USER\Software\Classes, hidden file
  • C:\Windows\AppCompat\Programs\Amcache.hve

Transaction Logs

  • <name of registry hive>.LOG, the transaction log of that hive
  • Saved in the same directory as the altered hive, C:\Windows\System32\Config

Backups

  • Saved every ten days
  • Look out for recently deleted or modified keys
  • C:\Windows\System32\Config\RegBack

Data Acquisition

Several tools, each with its own strengths and weaknesses, should be combined to acquire the registry data, whether from a live system or from a copied image. Commonly used tools are the following.

  • Autopsy
  • FTK Imager, does not copy Amcache.hve when Obtain Protected Files is chosen; export it manually from the file tree of the chosen image
  • KAPE, preserves the directory tree

The following registry tools, several of them part of Eric Zimmerman's EZTools, are worth noting.

  • Registry Viewer
  • Zimmerman's Registry Explorer, replays transaction logs as well
  • AppCompatCache Parser
  • RegRipper, CLI and GUI

System Information

  • OS Version -> SOFTWARE\Microsoft\Windows NT\CurrentVersion
  • Computer Name -> SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
  • Time Zone -> SYSTEM\CurrentControlSet\Control\TimeZoneInformation
  • Network Interfaces -> SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
  • Past connected networks -> SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged and SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
  • Services -> SYSTEM\CurrentControlSet\Services
    • A Start value of 0x02 means the service starts automatically at boot
  • Users (SAM hive) -> SAM\Domains\Account\Users

Control Sets

  • ControlSet001 -> last boot
  • ControlSet002 -> last known good
  • HKLM\SYSTEM\CurrentControlSet -> live system, a link to the control set in use
  • Which control set is in use can be found under:
    • SYSTEM\Select\Current shows the control set in use
    • SYSTEM\Select\LastKnownGood

Autostart Programs

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Run program on login for the current user

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Run program on login for any user

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Run program on login once for the current user

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Run program on login once for any user

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Recent Files

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs, with subkeys per file extension, e.g. xml, pdf, jpg
  • Office files -> NTUSER.DAT\Software\Microsoft\Office\VERSION, e.g. NTUSER.DAT\Software\Microsoft\Office\15.0\Word
  • Office 365 -> NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU

ShellBags

  • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
  • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  • NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
  • NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags

Last Open/Saved/Visited Dialog MRUs

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU
  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU

Explorer Address/Search Bars

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery

User Assist

  • GUI applications launched by the user
  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
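Added example, not part of the compendium: decoding UserAssist entries offline. The value names under Count are ROT13-encoded, and for Windows 7 and later the 72-byte Count value carries the run count at offset 4 and the last execution FILETIME at offset 60 (the other fields are left uninterpreted). The known-folder GUID expansions are the standard KNOWNFOLDERID values; the sample entry, its run count and its timestamp are constructed for the demo rather than read from a real NTUSER.DAT.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME epoch: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Known-folder GUIDs that commonly prefix UserAssist paths (KNOWNFOLDERID values).
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "C:\\Windows\\System32",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": "C:\\Windows",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": "C:\\Program Files",
}


def filetime_to_datetime(ticks):
    """Convert a 64-bit FILETIME to an aware UTC datetime; 0 means 'never recorded'."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used here only to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_userassist_name(value_name):
    """Value names are ROT13-encoded; a leading known-folder GUID is expanded when recognised."""
    plain = codecs.decode(value_name, "rot_13")
    for guid, folder in KNOWN_FOLDERS.items():
        if plain.upper().startswith(guid):
            return folder + plain[len(guid):]
    return plain


def parse_count_value(data):
    """Parse a Windows 7+ UserAssist Count value (72 bytes).

    Offsets used: run count at 4, focus count at 8, focus time in ms at 12,
    last execution FILETIME at 60. Remaining fields are not interpreted here.
    """
    if len(data) < 68:
        raise ValueError("UserAssist Count value too short: %d bytes" % len(data))
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run,) = struct.unpack_from("<Q", data, 60)
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": focus_ms / 1000.0,
        "last_run": filetime_to_datetime(last_run),
    }


def build_sample_count_value(run_count, last_run):
    """Constructed 72-byte Count value for the demo; only the parsed fields are populated."""
    data = bytearray(72)
    struct.pack_into("<III", data, 4, run_count, run_count, 1500)
    struct.pack_into("<Q", data, 60, datetime_to_filetime(last_run))
    return bytes(data)


# Constructed sample: one value as it would be read from
# NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count.
# The name is ROT13 for "{1AC14E77-...}\cmd.exe", i.e. System32\cmd.exe.
SAMPLE_LAST_RUN = datetime(2023, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = {
    "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr": build_sample_count_value(7, SAMPLE_LAST_RUN),
}


def report_userassist(entries):
    """Decode every entry and return rows sorted by most recent execution first."""
    rows = []
    for name, data in entries.items():
        parsed = parse_count_value(data)
        parsed["program"] = decode_userassist_name(name)
        rows.append(parsed)
    rows.sort(key=lambda r: r["last_run"] or FILETIME_EPOCH, reverse=True)
    return rows


if __name__ == "__main__":
    for row in report_userassist(SAMPLE_ENTRIES):
        print(row["last_run"], row["run_count"], row["program"])
```

Feed it the raw value names and data of the Count key from a hive parser of your choice; a missing timestamp (all-zero FILETIME) is reported as None rather than as the year 1601.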

Shim Cache

  • Application Compatibility cache, AppCompatCache
  • SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
  • Parse with AppCompatCacheParser.exe --csv <output directory> -f <path to SYSTEM hive> -c <control set to parse>

AmCache

  • Information about recently run applications on the system
  • C:\Windows\appcompat\Programs\Amcache.hve
  • Last executed app -> Amcache.hve\Root\File\{Volume GUID}\
  • Stores the SHA1 hash of the last executed app

Background Activity Moderator / Desktop Activity Moderator (BAM/DAM)

  • Saves full path of executed apps
  • SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}
  • SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}
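Added example, not part of the compendium: reading BAM/DAM UserSettings offline. Each {SID} subkey holds one value per executed program, named with the full path in NT device form, whose data is 24 bytes starting with the last-execution FILETIME; the Version and SequenceNumber values in the same key are metadata and are skipped. The SID, paths and timestamps below are constructed, and the list of user-writable directory markers is an assumption used only to highlight binaries that ran from locations a normal user can write to. The same FILETIME conversion applies to the USB connection timestamps listed under Devices.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumed markers of user-writable locations; a first-seen binary here deserves a second look.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\downloads\\")


def filetime_to_datetime(ticks):
    """64-bit FILETIME (100 ns ticks since 1601) to an aware UTC datetime; 0 means unset."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build the constructed sample values."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def make_bam_value(dt):
    """Constructed 24-byte BAM value: FILETIME in the first 8 bytes, rest left zero."""
    data = bytearray(24)
    struct.pack_into("<Q", data, 0, datetime_to_filetime(dt))
    return bytes(data)


def parse_bam_entry(value_name, data):
    """Parse one value under bam\\UserSettings\\{SID}.

    Returns None for the non-path metadata values (Version, SequenceNumber).
    """
    if not value_name.startswith("\\Device\\"):
        return None
    if len(data) < 8:
        raise ValueError("BAM value for %s too short: %d bytes" % (value_name, len(data)))
    (ticks,) = struct.unpack_from("<Q", data, 0)
    lowered = value_name.lower()
    return {
        "path": value_name,
        "last_run": filetime_to_datetime(ticks),
        "user_writable": any(marker in lowered for marker in USER_WRITABLE_MARKERS),
    }


def parse_bam_hive(user_settings):
    """user_settings maps SID -> {value_name: raw_bytes}, as read from
    SYSTEM\\CurrentControlSet\\Services\\bam\\UserSettings (dam has the same layout).
    Returns execution rows, newest first, tagged with the SID they belong to."""
    rows = []
    for sid, values in user_settings.items():
        for name, data in values.items():
            entry = parse_bam_entry(name, data)
            if entry is not None:
                entry["sid"] = sid
                rows.append(entry)
    rows.sort(key=lambda r: r["last_run"] or FILETIME_EPOCH, reverse=True)
    return rows


# Constructed sample: one user SID with two executions plus the two metadata values.
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_USER_SETTINGS = {
    SAMPLE_SID: {
        "Version": struct.pack("<I", 1),
        "SequenceNumber": struct.pack("<I", 42),
        "\\Device\\HarddiskVolume3\\Windows\\System32\\notepad.exe":
            make_bam_value(datetime(2023, 5, 1, 9, 30, tzinfo=timezone.utc)),
        "\\Device\\HarddiskVolume3\\Users\\alice\\AppData\\Local\\Temp\\update.exe":
            make_bam_value(datetime(2023, 5, 2, 8, 15, tzinfo=timezone.utc)),
    }
}


if __name__ == "__main__":
    for row in parse_bam_hive(SAMPLE_USER_SETTINGS):
        flag = "  <-- user-writable location" if row["user_writable"] else ""
        print(row["last_run"], row["sid"], row["path"] + flag)
```

The SID in the key name resolves to an account through SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList; BAM only records the last execution per path, so an earlier run of the same binary is overwritten.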

Devices

  • Identification
    • USB -> SYSTEM\CurrentControlSet\Enum\USBSTOR, SYSTEM\CurrentControlSet\Enum\USB
  • Device name -> SOFTWARE\Microsoft\Windows Portable Devices\Devices
  • First time connected -> SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0064
  • Last time connected -> SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0066
  • Last removal time -> SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0067

Tools

Get-Command -Module AutoRuns

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Compare-AutoRunsBaseLine                           14.0       Aut...
Function        Get-PSAutorun                                      14.0       Aut...
Function        New-AutoRunsBaseLine                               14.0       Aut...
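Added example, not part of the compendium and not the AutoRuns module's own code: the baseline comparison that New-AutoRunsBaseLine and Compare-AutoRunsBaseLine perform, applied to the Run/RunOnce keys listed under Autostart Programs. Entries are normalised before comparing so that the same command written with %SystemRoot% and with the literal path is not reported as a change. The environment expansions and both snapshots are constructed for the demo.

```python
import re

HKLM_RUN = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
HKCU_RUN = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

# Assumed expansions for the variables that commonly appear in autorun commands.
ENV = {
    "%SystemRoot%": "C:\\Windows",
    "%windir%": "C:\\Windows",
    "%ProgramFiles%": "C:\\Program Files",
}


def normalise_command(cmd):
    """Canonical form of an autorun command line so two spellings of one entry compare equal:
    expand known variables (case-insensitively), drop quotes, collapse whitespace, lower-case."""
    out = cmd.strip()
    for var, val in ENV.items():
        # A lambda replacement keeps the backslashes in the path literal.
        out = re.sub(re.escape(var), lambda m: val, out, flags=re.IGNORECASE)
    out = out.replace('"', "")
    out = re.sub(r"\s+", " ", out)
    return out.lower()


def compare_autoruns(baseline, current):
    """Both arguments map (key path, value name) -> command line.

    Returns (added, removed, changed): added/removed map the key to its command,
    changed maps the key to (baseline command, current command)."""
    added = {k: current[k] for k in current.keys() - baseline.keys()}
    removed = {k: baseline[k] for k in baseline.keys() - current.keys()}
    changed = {
        k: (baseline[k], current[k])
        for k in baseline.keys() & current.keys()
        if normalise_command(baseline[k]) != normalise_command(current[k])
    }
    return added, removed, changed


# Constructed snapshots: the baseline taken at a known-good point, the current one later.
BASELINE = {
    (HKLM_RUN, "SecurityHealth"): "%windir%\\system32\\SecurityHealthSystray.exe",
    (HKCU_RUN, "OneDrive"): '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
}
CURRENT = {
    (HKLM_RUN, "SecurityHealth"): "C:\\Windows\\System32\\SecurityHealthSystray.exe",
    (HKCU_RUN, "OneDrive"): '"C:\\Users\\alice\\AppData\\Local\\Temp\\OneDrive.exe" /background',
    (HKCU_RUN, "Updater"): "C:\\Users\\alice\\AppData\\Roaming\\updater.exe",
}


if __name__ == "__main__":
    added, removed, changed = compare_autoruns(BASELINE, CURRENT)
    for (key, name), cmd in added.items():
        print("ADDED   ", key, name, "->", cmd)
    for (key, name), cmd in removed.items():
        print("REMOVED ", key, name, "->", cmd)
    for (key, name), (old, new) in changed.items():
        print("CHANGED ", key, name, ":", old, "=>", new)
```

Only the value that merely swapped %windir% for the literal path is left out of the report; the entry whose binary moved into a Temp directory and the newly added user Run entry are both surfaced.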

Clean a Dirty Hive

If a tool complains about a dirty hive when loading it, the transaction log of that hive has to be loaded as well. Extract it with FTK Imager or KAPE alongside the hive itself.