whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
killchain-compendium/Forensics/Windows Registration.md

9.3 KiB
Raw Blame History

Windows Registry

Regedit Keys

  • HKEY_CURRENT_USER (HKCU), inside HKU
  • HKEY_USERS (HKU)
  • HKEY_LOCAL_MACHINE (HKLM)
  • HKEY_CLASSES_ROOT (HKCR), stored in HKLM and HKU
    • HKEY_CURRENT_USER\Software\Classes for settings of interactive user
    • HKEY_LOCAL_MACHINE\Software\Classes to change default settings
  • HKEY_CURRENT_CONFIG

Paths

These parts of the registries are called hives. They can be found under C:\Windows\System32\Config.

  • Default -> HKEY_USERS\DEFAULT

  • SAM contains account names/status/groups, hashed password, login timestamps -> HKEY_LOCAL_MACHINE\SAM

  • SECURITY -> HKEY_LOCAL_MACHINE\Security

  • SOFTWARE -> HKEY_LOCAL_MACHINE\Software

  • SYSTEM -> HKEY_LOCAL_MACHINE\System

  • C:\Users\<username>\

    • NTUSER.DAT -> HKEY_CURRENT_USER, hidden file

  • C:\Users\<username>\AppData\Local\Microsoft\Windows

    • USRCLASS.DAT -> HKEY_CURRENT_USER\Sofware\CLASSES, hidden file

  • C:\Windows\AppCompat\Programs\Amcache.hve

  • C:\Windows\security\database\

    • secedit.sdb, access control configuration

Transaction Logs

  • Transaction <name of registry hive>.LOG of the registry hive

Saved inside the same directory which is C:\Windows\System32\Config, as the hive which was altered.

Backups

  • Saved every ten days
  • Look out for recently deleted or modified keys
  • C:\Windows\System32\Config\RegBack

Data Acquisition

Multiple tools with their own strengths and weaknesses should be chosen to acquire the registry data, no matter if it is a live or a copied acquisition. Commonly used tools are the following ones.

  • Autopsy
  • FTK Imager, does not copy Amcache.hve when Obtain Protected Files has been chosen, copy them manually as an export from the file tree of the chosen image

KAPE, preserves directory tree.

Following parts of EZTools should be taken note of.

  • Registry Viewer
  • Zimmerman's Registry Explorer, uses transaction logs as well
  • AppCompatCache Parser
  • RegRipper, cli and gui

System Information

  • OS Version -> SOFTWARE\Microsoft\Windows NT\CurrentVersion
  • Computer Name -> SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
  • Time Zone SYSTEM\CurrentControlSet\Control\TimeZoneInformation
  • Network Interfaces -> SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
  • Past connected networks -> SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged and SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
  • Services -> SYSTEM\CurrentControlSet\Services
    • Service will start at boot with start key value 0x02
  • Users, SAM -> SAM\Domains\Account\Users

Control Sets

  • ControlSet001 -> last boot

  • ControlSet002 -> last known good

  • HKLM\SYSTEM\CurrentControlSet -> live

  • Can be found under:

    • SYSTEM\Select\Current shows the used control set
    • SYSTEM\Select\LastKnownGood

Autostart Programs

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Run program on login for the current user

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Run program on login for any user

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Run program on login once for the current user

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Run program for on login once for any user

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Recent Files

Recently accessed documents can be found under the following path, e.g. xml, pdf, jpg.

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

  • Office files -> NTUSER.DAT\Software\Microsoft\Office\VERSION, NTUSER.DAT\Software\Microsoft\Office\15.0\Word

  • Office 365 -> NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU

ShellBags

Use something like shellbag explorer as a tool to display information from shellbags.

  • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
  • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  • NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
  • NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags

Last Open/Saved/Visited Dialog MRUs

Content of dialog windows is stored in the following folders and last visited/saved paths.

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU
  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastSavedPidlMRU

Explorer Address/Search Bars

Registry folder which includes paths typed by the user.

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths

Registry folder which includes search queries from file explorer.

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery

User Assist

GUI applications launched by the user (and the number of usage) listed by GUIDs can be found in the following folder.

  • NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\Count

Network

Network configuration can be found in the following path.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\NetworkList

Domain Account Information

The NT Directory Services NTDS.dit hive is an active directory database which contains information about the domain users.

Information stored about the domain users are for example, their full name, the username the Security identifier (SID),(domain & local) group memberships, hashed passwords for user accounts, login timestamps, last set password, expiration time of the current password, security policies, OUs and connections to other domains.

To get information out of the NTDS.dit hive, it has to be exported along with the SYSTEM hive to get the boot key of the system for decryption.

Use ntdsutil tool to export a snapshot of the information.

C:\Windows\system32\ntdsutil.exe "activate instance ntds" "ifm" "create full C:\Windows\Temp\NTDS" quit quit

Export the boot key of the system and use it for decryption.

$BootKey = Get-BootKey -SystemHivePath 'C:\Windows\Temp\NTDS\registry\SYSTEM'
Get-ADDBAccount -All -DBPath 'C:\Windows\Temp\NTDS\NTDS.dit' -BootKey $BootKey

Shim Cache

Application Compatibility, AppCompatCache

  • SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
  • Use AppCompatCacheParser.exe --csv <path to save output> -f <path to SYSTEM hive for data parsing> -c <control set to parse>

AmCache

  • Information about recently run applications on the system
  • C:\Windows\appcompat\Programs\Amcache.hve
  • Last executed app -> Amcache.hve\Root\File\{Volume GUID}\
  • Saves SHA1 of the last executed app

Background Activity Monitor/Desktop Activity Moderator BAM/DAM

  • Saves full path of executed apps
  • SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}
  • SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}

Devices

  • Identification
    • USB -> SYSTEM\CurrentControlSet\Enum\USBTOR, SYSTEM\CurrentControlSet\Enum\USB
  • Device name -> SOFTWARE\Microsoft\Windows Portable Devices\Devices
  • First time connected -> SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0064
  • Last time connected -> SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0066
  • Last removal time -> SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0067

Tools

Get-Command -Module AutoRuns



CommandType     Name                                               Version    Source

-----------     ----                                               -------    ------

Function        Compare-AutoRunsBaseLine                           14.0       Aut...

Function        Get-PSAutorun                                      14.0       Aut...

Function        New-AutoRunsBaseLine                               14.0       Aut...

Clean a Dirty Hive

A hive which is not closed correctly is called dirty hive. To clean a dirty hive the transaction logfile for the specific hive is needed. The path these logs are stored in is C:\Windows\System32\config, they are named after the hive they contain the logs for. These are not listed in the file explorer, even if you have hidden files visible. List them via dir /a.

If a hive is loaded by a tool and the tool complains about a dirty hive, the transaction log of said hive has to be loaded as well. Extract it via FTK or KAPE alongside the hive itself.