Registry Analysis Using regedit.exe – System Information – Autostart locations – USB Removable Storage Devices – Mounted Devices – Finding Users – User Activity

Date posted: 19-Dec-2015

Transcript of the slide deck:
Registry Analysis
• Using regedit.exe
– System Information
– Autostart locations
– USB Removable Storage Devices
– Mounted Devices
– Finding Users
– User Activity
– Restore Points
System Information
• Located in the Current Control Set
• If the system is not active (offline analysis), you must first find the Control Set that was current
• Time zone
• Shares
• Audit policy
• Wireless SSIDs
Current Control Set
• CurrentControlSet is a volatile portion of the Registry
• Which of the 2 or more Control Sets is current?
• The following indicates that #1 (ControlSet001) is current
Time Zone Information
• SYSTEM\ControlSet001\Control\TimeZoneInformation
Computer Name
HKLM\SYSTEM\ControlSet001\Control\ComputerName\ComputerName
Shutdown Time
• HKLM\SYSTEM\CurrentControlSet\Control\Windows
• HKLM\SYSTEM\ControlSet001\Control\Windows
• Time is measured in the number of 100-nanosecond intervals since 1 January 1601.
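The conversion the slide describes, worked through in code. This is an added example, not part of the original deck: it decodes the 8-byte REG_BINARY `ShutdownTime` value (the value name under the Control\Windows key is assumed here; the slide only names the key) from little-endian 100-nanosecond intervals into a UTC datetime, and then applies the `ActiveTimeBias` from the TimeZoneInformation key covered earlier to get the wall-clock time the machine's user would have seen. The sample bytes are constructed (they encode 1 January 1970 00:00 UTC) and are not taken from the slides.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 1 January 1601 00:00:00 UTC
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a 64-bit FILETIME (100-ns intervals since 1601-01-01) to a UTC datetime."""
    if filetime < 0:
        raise ValueError("FILETIME cannot be negative")
    # timedelta resolves only to microseconds, so drop the last decimal digit (100 ns -> 1 us)
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def shutdown_time_from_reg_binary(data: bytes) -> datetime:
    """Decode the 8-byte REG_BINARY ShutdownTime value as regedit displays it.

    The bytes are little-endian, so the value regedit shows as
    '00 80 3E D5 DE B1 9D 01' is the integer 0x019DB1DED53E8000.
    """
    if len(data) != 8:
        raise ValueError(f"expected 8 bytes of REG_BINARY data, got {len(data)}")
    return filetime_to_datetime(int.from_bytes(data, "little"))


def to_local(utc_dt: datetime, active_time_bias_minutes: int) -> datetime:
    """Apply TimeZoneInformation\\ActiveTimeBias (minutes; UTC = local + bias).

    A bias of 300 (US Eastern, standard time) turns 00:00 UTC into 19:00 the previous day.
    """
    local_tz = timezone(timedelta(minutes=-active_time_bias_minutes))
    return utc_dt.astimezone(local_tz)


# Constructed sample (not from the slides): the FILETIME for 1970-01-01 00:00:00 UTC,
# i.e. 11644473600 seconds * 10^7 intervals per second, laid out little-endian.
SAMPLE_SHUTDOWN_TIME = (11644473600 * 10_000_000).to_bytes(8, "little")

if __name__ == "__main__":
    decoded = shutdown_time_from_reg_binary(SAMPLE_SHUTDOWN_TIME)
    print("ShutdownTime bytes :", SAMPLE_SHUTDOWN_TIME.hex(" "))
    print("Decoded (UTC)      :", decoded.isoformat())
    print("Local, bias 300 min:", to_local(decoded, 300).isoformat())
```

Reading the eight bytes big-endian instead (0x00803ED5DEB19D01) gives a date thousands of years out, which is the quickest sanity check that the byte order was handled correctly.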
Shares
• Windows 2K, XP, 2003, and Vista create a number of administrative shares
– IPC$ - IPC share
– ADMIN$
– C$, D$, etc. - shares that refer to the root of drives
• User enabled shares show up in
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares
Wireless SSIDs
• XP laptops maintain a list of service set IDs (SSIDs)
• The GUID is associated with the wireless interface
• Under it, the Static#000x values list all of the SSIDs connected to
SSIDs
A different Static#000x for each SSID ever connected to.
SSID Registry Entry
At offset 0x10 is a DWORD (4 bytes) that contains the length of the SSID; remember that it is stored little endian, so the bytes “0b 00 00 00” are read as 0x0000000b = 11 (decimal).
Layout: SSID Length, then the SSID itself.
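A small parser for the Static#000x value, added here as an example rather than taken from the deck. It reads the length DWORD at offset 0x10 little-endian as the slide says, shows what the same four bytes would wrongly produce if read big-endian, and pulls out the SSID that follows. The assumption that the SSID bytes start immediately after the DWORD (offset 0x14) and that the header bytes are zero is mine; the sample value and the SSID "CampusWiFi1" are constructed so the length is the "0b 00 00 00" from the slide.

```python
import struct
from typing import Tuple

MAX_SSID_LEN = 32  # IEEE 802.11 limit; a larger value means the blob was misread


def read_dword(blob: bytes, offset: int, little_endian: bool = True) -> int:
    """Read a 4-byte DWORD at offset. Registry DWORDs on x86 are little-endian."""
    if offset + 4 > len(blob):
        raise ValueError(f"value too short to read a DWORD at 0x{offset:x}")
    fmt = "<I" if little_endian else ">I"
    return struct.unpack_from(fmt, blob, offset)[0]


def parse_ssid_entry(blob: bytes) -> Tuple[str, int]:
    """Return (ssid, length) from a Static#000x value.

    Assumed layout: DWORD SSID length at offset 0x10, SSID bytes from 0x14 onward.
    """
    length = read_dword(blob, 0x10)
    if length == 0 or length > MAX_SSID_LEN:
        # Typical symptom of reading the DWORD with the wrong byte order
        raise ValueError(f"implausible SSID length {length}; check offset/endianness")
    if 0x14 + length > len(blob):
        raise ValueError("SSID length runs past the end of the value")
    ssid = blob[0x14:0x14 + length].decode("ascii", errors="replace")
    return ssid, length


# Constructed sample value (not from the slides): 16 zeroed header bytes, the
# length DWORD "0b 00 00 00", then an 11-byte SSID padded to a 32-byte field.
SAMPLE_SSID = b"CampusWiFi1"
SAMPLE_STATIC_0001 = (
    bytes(0x10)
    + struct.pack("<I", len(SAMPLE_SSID))
    + SAMPLE_SSID.ljust(MAX_SSID_LEN, b"\x00")
)

if __name__ == "__main__":
    print("length bytes at 0x10:", SAMPLE_STATIC_0001[0x10:0x14].hex(" "))
    print("little-endian:", read_dword(SAMPLE_STATIC_0001, 0x10))
    print("big-endian (wrong):", read_dword(SAMPLE_STATIC_0001, 0x10, little_endian=False))
    print("parsed:", parse_ssid_entry(SAMPLE_STATIC_0001))
```

The length check doubles as the endianness check: 0x0b000000 is far beyond 32 bytes, so a misread is rejected instead of silently producing a garbage SSID.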
Autostarts
• Applications that are launched without any interaction from the user
• Often at boot time
• Occasionally upon launch of an app
Autostart Locations
• Auto-start extensibility points (ASEPs)
• Registry locations
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• And elsewhere
• All over the place
Autostart Locations
• Start -> Run -> msconfig
• Lists some of the acknowledged startups
Startup Locations
Other Startup Locations
• System boot
• User Login
• User Activity
• See Carvey’s Ch4 spreadsheet for more locations
System boot
• Startup services at boot time are contained in
• HKLM\SYSTEM\CurrentControlSet\Services
• The services are enumerated with parameters
• Should be sorted by LastWriteTime
• Only possible in FTK or ProDiscover (regedit does not display key LastWriteTimes)
ControlSet\Services
Boot Time Apps
• Start value = 2: the app starts at boot time.
• Start value != 2: starts on user logon
Evil Start Time Services
• Generally LastWrite times should be about the same time the system was built.
• Later dates would suggest that an intruder or sysadmin was altering the boot time sequence
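The triage the last two slides describe (sort the Services keys by LastWriteTime, then look for keys written long after the system was built) as an added example; it is not code from the deck. The Start value meanings in `START_TYPES` are the standard Windows service start types. The service list, the build time and the "UpdHelper" entry are constructed sample data, standing in for what a tool that exposes key LastWriteTimes would export; the binary-location check is an extra signal of my own.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Meaning of the Start value under HKLM\SYSTEM\CurrentControlSet\Services\<name>
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

# Directories a legitimately installed service binary should not normally live in
SUSPICIOUS_PATH_FRAGMENTS = ("\\temp\\", "\\documents and settings\\", "\\users\\")


def sort_by_last_write(services: List[Dict]) -> List[Dict]:
    """Order service keys by LastWriteTime, oldest first (the view regedit cannot give)."""
    return sorted(services, key=lambda s: s["LastWriteTime"])


def flag_late_services(services: List[Dict], build_time: datetime,
                       grace_days: int = 30) -> List[Tuple[str, str, str]]:
    """Return (name, start type, LastWriteTime) for service keys last written more
    than grace_days after the system build: the 'later dates' the slide warns about."""
    cutoff = build_time + timedelta(days=grace_days)
    return [
        (s["Name"], START_TYPES.get(s["Start"], f"unknown({s['Start']})"),
         s["LastWriteTime"].isoformat())
        for s in sort_by_last_write(services)
        if s["LastWriteTime"] > cutoff
    ]


def flag_odd_image_paths(services: List[Dict]) -> List[str]:
    """Second signal: services that start without user interaction (Start <= 2)
    whose binary sits in a temporary or user-writable location."""
    return [
        s["Name"] for s in services
        if s["Start"] <= 2
        and any(frag in s["ImagePath"].lower() for frag in SUSPICIOUS_PATH_FRAGMENTS)
    ]


# Constructed sample export (not from the slides): one Services key per entry.
BUILD_TIME = datetime(2015, 9, 1, 10, 0)
SAMPLE_SERVICES = [
    {"Name": "Tcpip", "Start": 1, "ImagePath": r"system32\DRIVERS\tcpip.sys",
     "LastWriteTime": datetime(2015, 9, 1, 10, 5)},
    {"Name": "Spooler", "Start": 2, "ImagePath": r"%SystemRoot%\system32\spoolsv.exe",
     "LastWriteTime": datetime(2015, 9, 1, 10, 7)},
    {"Name": "Browser", "Start": 3, "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
     "LastWriteTime": datetime(2015, 9, 1, 10, 6)},
    {"Name": "wuauserv", "Start": 2, "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
     "LastWriteTime": datetime(2015, 9, 14, 3, 0)},     # patch cycle, inside the grace window
    {"Name": "UpdHelper", "Start": 2, "ImagePath": r"C:\WINDOWS\Temp\updhelper.exe",
     "LastWriteTime": datetime(2015, 12, 10, 23, 41)},  # months later, from Temp
]

if __name__ == "__main__":
    for s in sort_by_last_write(SAMPLE_SERVICES):
        print(f"{s['LastWriteTime'].isoformat()}  Start={s['Start']} ({START_TYPES[s['Start']]})  {s['Name']}")
    print("late keys:", flag_late_services(SAMPLE_SERVICES, BUILD_TIME))
    print("odd image paths:", flag_odd_image_paths(SAMPLE_SERVICES))
```

The grace window matters: service keys are rewritten legitimately by patching and driver updates, so a short window (a week) floods the list with update noise while a month or so leaves only the keys worth looking at by hand.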
User Login
• Startup keys are parsed in this order when a user logs in:
1. HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
2. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
3. HKLM\Software\Microsoft\Windows\CurrentVersion\Run
4. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
5. HKCU\Software\Microsoft\Windows\CurrentVersion\Windows\Run
6. HKCU\Software\Microsoft\Windows\CurrentVersion\Windows\RunOnce
• The Run keys are ignored if started in Safe Mode
#3 On the Startup List
User Activity
• When the user acts, certain registry keys are accessed
• The keys for the various file classes control what happens when a file of that class is opened
• Or when the file is double-clicked
Example
• Go to: HKLM\Software\Microsoft\Command Processor\AutoRun
1. Right-click on AutoRun
2. Select Modify
3. Enter sol.exe in the Value data: field
4. Start -> Run -> cmd.exe
• This is how one can modify application behavior
• Used by much malware to launch backdoors or an IRC bot
AutoRuns from Sysinternals
Hijacked App
USB Devices
• Tracking USB devices
• When mounted on Windows they leave
– Footprints in the Registry
– Artifacts in the setupapi.log file
• The PnP Manager queries the device descriptor
– Located in the thumb drive’s firmware
• Log updated
• Creates a Registry key in HKLM\System\CurrentControlSet\Enum\USBSTOR
USBSTOR Key
Device Held ID
CdRom&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_6.61
Device class ID & Ven_Manufacturer & Prod_Model & Rev_Version
Unique Instance ID = Serial Number
System Created Key
Disk&Ven_JMTek&Prod_USBDrive&Rev_7.77
Device class ID & Ven_Manufacturer & Prod_Model & Rev_Version
Unique Instance ID: no serial number, made up by the system
Device Information
• HKLM\SYSTEM\MountedDevices
• List of recently mounted devices
• Look down the list for \DosDevices\
• The REG_BINARY data field should start with 5C 00 3F 00 3F 00
• To find which device this is, right-click on the device
• Select Modify
USBSTOR: ParentIdPrefix, Unique Instance ID
Serial Number
USB Devices Tracking
• By correlating the ParentIdPrefix from MountedDevices and USBSTOR one can generate a timeline
• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
• May give more information
Mounted Devices
Binary Data in \DosDevices\G:
ParentIdPrefix matches the Kingston Traveler in the USBSTOR key
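The two USBSTOR slides (device ID fields; serial number versus system-generated instance ID) and the MountedDevices slides (the \??\ binary data and the ParentIdPrefix match) worked through together in code. This is an added example, not code from the deck: it splits a USBSTOR device ID into class, vendor, product and revision, applies the rule that an instance ID whose second character is "&" was generated by Windows because the device reported no serial number, decodes a \DosDevices\ value as the UTF-16LE path that begins with 5C 00 3F 00 3F 00, and matches its ParentIdPrefix against the USBSTOR entries. The volume interface GUID is the real one Windows uses; the Kingston and JMTek records, the prefixes and the drive-letter values are constructed.

```python
from typing import Dict, List, Optional

# GUID_DEVINTERFACE_VOLUME: volume device paths in MountedDevices end with it
VOLUME_INTERFACE_GUID = "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"


def parse_usbstor_device_id(device_id: str) -> Dict[str, str]:
    """Split 'Disk&Ven_JMTek&Prod_USBDrive&Rev_7.77' into its four fields."""
    parts = device_id.split("&")
    if len(parts) != 4 or not (parts[1].startswith("Ven_")
                               and parts[2].startswith("Prod_")
                               and parts[3].startswith("Rev_")):
        raise ValueError(f"not a USBSTOR device ID: {device_id!r}")
    return {"class": parts[0], "vendor": parts[1][4:],
            "product": parts[2][5:], "revision": parts[3][4:]}


def instance_id_is_system_generated(instance_id: str) -> bool:
    """True when Windows made the ID up because the device has no serial number:
    such IDs carry '&' as their second character (e.g. '6&2d4f1a9&0')."""
    return len(instance_id) > 1 and instance_id[1] == "&"


def decode_mounted_device(data: bytes) -> str:
    """Decode a MountedDevices REG_BINARY value that holds a UTF-16LE '\\??\\' path."""
    if not data.startswith(b"\x5c\x00\x3f\x00\x3f\x00"):
        # Fixed disks store a 12-byte disk-signature/offset blob here instead
        raise ValueError("value does not start with 5C 00 3F 00 3F 00 (\\??\\)")
    return data.decode("utf-16-le").rstrip("\x00")


def parent_id_prefix_from_path(path: str) -> Optional[str]:
    """Pull the ParentIdPrefix out of '\\??\\STORAGE#RemovableMedia#<prefix>&RM#{guid}'."""
    marker = "#RemovableMedia#"
    start = path.find(marker)
    end = path.find("#{", start) if start >= 0 else -1
    if start < 0 or end < 0:
        return None
    instance = path[start + len(marker):end]  # e.g. '7&1a2b3c4d&0&RM'
    return instance.rsplit("&RM", 1)[0]


def correlate_drive_letters(mounted: Dict[str, bytes],
                            usbstor: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Map each \\DosDevices\\X: entry to the USBSTOR record sharing its ParentIdPrefix."""
    by_prefix = {d["ParentIdPrefix"]: d for d in usbstor if d.get("ParentIdPrefix")}
    matches = {}
    for name, data in mounted.items():
        if not name.startswith("\\DosDevices\\"):
            continue
        try:
            path = decode_mounted_device(data)
        except ValueError:
            continue  # fixed disk or other non-\??\ entry
        prefix = parent_id_prefix_from_path(path)
        if prefix in by_prefix:
            matches[name] = by_prefix[prefix]
    return matches


# Constructed sample records (not from the slides)
SAMPLE_USBSTOR = [
    {"DeviceID": "Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00",
     "InstanceID": "0C1A2B3C4D5E6F7A&0", "ParentIdPrefix": "7&1a2b3c4d&0"},
    {"DeviceID": "Disk&Ven_JMTek&Prod_USBDrive&Rev_7.77",
     "InstanceID": "6&2d4f1a9&0", "ParentIdPrefix": "7&3e7c9f2a&0"},
]
SAMPLE_MOUNTED_DEVICES = {
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d4") + (0x7E00).to_bytes(8, "little"),
    "\\DosDevices\\G:": ("\\??\\STORAGE#RemovableMedia#7&1a2b3c4d&0&RM#"
                         + VOLUME_INTERFACE_GUID).encode("utf-16-le"),
}

if __name__ == "__main__":
    for rec in SAMPLE_USBSTOR:
        fields = parse_usbstor_device_id(rec["DeviceID"])
        origin = "system-generated" if instance_id_is_system_generated(rec["InstanceID"]) else "serial number"
        print(f"{fields['vendor']} {fields['product']} rev {fields['revision']}: instance ID is {origin}")
    for letter, rec in correlate_drive_letters(SAMPLE_MOUNTED_DEVICES, SAMPLE_USBSTOR).items():
        print(f"{letter} -> {rec['DeviceID']} (ParentIdPrefix {rec['ParentIdPrefix']})")
```

Entries that fail the 5C 00 3F 00 3F 00 check are skipped rather than decoded, which is the fixed-disk case the slide's "should start with" wording hints at; devices without a ParentIdPrefix simply never appear in the correlation, which is the gap the Research Topic slide asks you to sort out.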
Research Topic
• USB devices
– Some USB devices have a Device ID, others do not
– Some generate a ParentIdPrefix, others do not
– Some correlate to the MountedDevices ID, others do not
• Sort it out
• Use references to the Microsoft Knowledge Base