SlideShare une entreprise Scribd logo

In-depth forensic analysis of Windows registry files

M
Maxim Suhanov

Uncovering the details of how a registry file is organized, how to locate & recover deleted data, and why third-party offline registry editors & viewers are failing to do their job well. Errata. - Page 8: "Zero-based", should be: "Zero-based, unset bits not counted". - Page 12: "multiple delete records (entities)", should be: "multiple deleted records (entities)".

Technologie
1  sur  20
Télécharger pour lire hors ligne
In-depth forensic analysis of Windows registry files Maxim Suhanov
Registry basics A typical registry path: HKEY_LOCAL_MACHINESoftwareMicrosoft This path is different in a kernel: • RegistryMachineSoftwareMicrosoft This hive is non-volatile (stored on a disk), backing files: • C:WindowsSystem32configSOFTWARE • C:WindowsSystem32configSOFTWARE.LOG (+ .LOG1/.LOG2) Predefined key Mount point of a hive Key Some hives do not have a visible mount point!
Hive format (NT family) Seven versions of the format: from 1.0 (pre-release versions ofWindows NT 3.1) to 1.6 (introduced inWindows 10 “Redstone 1”, not used yet) The structure of a hive file: Base block (file header) Hive bin Hive bin More hive bins Remnant data The base block contains the size of all [allocated] hive bins.
Hive format (NT family) A hive bin contains a header and cells. Hive bin Header Cell Cell More cells A cell may contain: • Key node (nk) • Key value (vk) • Key security (sk) • List of subkeys (li, lf, lh) • List of subkeys lists (ri) • List of values • Value data • Big data records (db) • List of segments • Value data segments The first 4 bytes of a cell are used to record the size of this cell (positive value: unallocated cell, negative value: allocated cell) The header contains the size of this hive bin.
Hive format (NT family) Records (entities) point to other records (entities) using a relative offset of a cell.A base block points to a root key node. File offset of a cell = Length of a base block + Relative offset of a cell File offset of a cell = 4096 + Relative offset of a cell Key node Key security List of subkeys List of values Key node Key node Key value Value data
Hive format (NT family) All registry structures are documented here: https://github.com/msuhanov/regf/
Transaction log files (NT family) • Before writing dirty data to a primary file, this data is stored in a transaction log file. • If a system crash occurs when writing to a transaction log file, a primary file will be intact. • If a system crash occurs when writing to a primary file, a transaction log file will be used to repeat the write operation. The old format (before Windows 8.1): Base block (backup copy) Dirty vector (bitmap) Dirty sectors (pages) Remnant data G a p
Transaction log files (NT family) • Every bit of the bitmap corresponds to a single 512-byte sector of the hive bins data in a primary file. • If set, a sector is dirty (and modified contents are in the transaction log file). Relative offset of a dirty sector in a transaction log file = Index of a bit in the bitmap * 512 Relative from the start of dirty sectors (pages). Zero-based. As of Windows XP, a single run of dirty data is not smaller than a page (4096 bytes).
Transaction log files (NT family) • A bad sector in a primary file results in the following:  Dirty data cannot be written to a primary file (to the location with a bad sector).  We cannot overwrite dirty data in an existing transaction log file (otherwise a system crash may leave us without a good copy of dirty data).  We cannot mark mounted hives as read-only.  No further writes (after a failed one) to a primary file will be allowed (new dirty data will be discarded).
Transaction log files (NT family) • Solution: the dual-logging scheme (starting from Windows Vista).  After a failed write to a primary file, switch the log file being used (.LOG1 -> .LOG2, .LOG2 -> .LOG1), and try the write operation again.  Repeat this until a bad sector is gone. Microsoft left the CmpFailPrimarySave kernel variable used to simulate failed writes!
Transaction log files (NT family) • The old format requires dirty data to be written to a disk twice. • The new format is used to stash dirty pages in a transaction log file without writing them to a primary file.These pages will be written to a primary file later. The new format (as ofWindows 8.1): Base block (backup copy) Log entries Remnant data Also, each log entry has a checksum for dirty data (Marvin32). • When all users are inactive. • During the full shutdown. • After 3600 seconds since the latest write.
Deleted data (NT family) • When a key or a value is deleted, all corresponding cells are marked as unallocated. • A cell will be coalesced with an adjacent unallocated cell. • A single unallocated cell may contain multiple delete records (entities).
Deleted data (NT family) Well, not all cells are marked as unallocated when a corresponding record (entity) is deleted… • In recent releases of Windows 10, renaming a key will leave an old key node in an allocated cell. • This key node will be present until the hive is defragmented. Thus, Cells with deleted data = All cells – Referenced cells
Deleted data (NT family) Also, deleted records (entities) can be found in: • Remnant data at the end of a primary file. • Slack space of allocated and referenced records (especially, in cells with subkeys/values lists). • Transaction log files (old log entries, remnant data, gaps). Distribution of recoverable deleted keys and values in primary files: • Unallocated cells: 97.9% • Remnant data at the end of a file: 0.6% • Slack space in allocated and referenced cells: 1.5% • Allocated but unreferenced cells: 0% (only 1 key was found) Preallocated space.
Caveats • Most registry viewers ignore data in transaction log files.  Registry Explorer, Windows Registry Recovery, Registry Recon, libregf, reglookup.  Latest changes to registry keys and values (made in Windows 8.1 and later versions of Windows) may be invisible to such tools.  Malicious programs can hide data from offline registry viewers by manipulating the CmpFailPrimarySave kernel variable (modified keys and values will be stored outside of a primary file). Example: A laptop with a USB cellular modem, building the timeline for the Software hive, looking for timestamps related to the activity of the modem. With transaction log files: 13 different key modification timestamps were found for a single registry key. Without transaction log files: 1 timestamp for that key.
Caveats • Offline registry libraries in antivirus software ignore transaction log files too.  Kaspersky Rescue Disk 10 (based on Linux) will delete malicious keys/values from a primary file only, without applying dirty data from a transaction log file.  When running Windows 8.1 and later versions of Windows, it is possible to create a malicious autorun entry that will not be deleted when performing an antivirus scan from Kaspersky Rescue Disk 10.  The same is also possible with older versions of Windows by exploiting the CmpFailPrimarySave kernel variable.
Caveats • When recovering deleted data from primary files, many tools skip the slack space of allocated records (entities). • 1.5% of recoverable keys and values are not recovered! Slack space A cell with a subkeys list Signature Number of elements Offset Offset Offset Offset Offset Cell size
Caveats • Treating the registry as a typical file system is dangerous too!  A subkey and a value of a single key can share the same name.  A name of a key or a value could be “.” or “..”.  Also: null byte, “/”, and “”. GRR: a value shadows a key with the same name
Yet another registry parser (yarp) https://github.com/msuhanov/yarp/ (library & tools, Python 3) - Parse Windows registry files in a proper way (with forensics in mind). - Expose values of all fields of underlying registry structures. - Support for truncated registry files and registry fragments. - Support for recovering deleted keys and values. - Support for carving of registry hives. - Support for transaction log files.
?

Recommandé

Windows Registry Analysis
Windows Registry AnalysisWindows Registry Analysis
Windows Registry AnalysisHimanshu0734
 
Registry forensics
Registry forensicsRegistry forensics
Registry forensicsPrince Boonlia
 
Windows registry forensics
Windows registry forensicsWindows registry forensics
Windows registry forensicsTaha İslam YILMAZ
 
Encase Forensic
Encase ForensicEncase Forensic
Encase ForensicMegha Sahu
 
Windows forensic
Windows forensicWindows forensic
Windows forensicMD SAQUIB KHAN
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imagingDINESH KAMBLE
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101Digit Oktavianto
 
Cyber Forensics Module 1
Cyber Forensics Module 1Cyber Forensics Module 1
Cyber Forensics Module 1Manu Mathew Cherian
 

Recommandé

Windows Registry Analysis
Windows Registry AnalysisWindows Registry Analysis
Windows Registry AnalysisHimanshu0734
 
Registry forensics
Registry forensicsRegistry forensics
Registry forensicsPrince Boonlia
 
Windows registry forensics
Windows registry forensicsWindows registry forensics
Windows registry forensicsTaha İslam YILMAZ
 
Encase Forensic
Encase ForensicEncase Forensic
Encase ForensicMegha Sahu
 
Windows forensic
Windows forensicWindows forensic
Windows forensicMD SAQUIB KHAN
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imagingDINESH KAMBLE
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101Digit Oktavianto
 
Cyber Forensics Module 1
Cyber Forensics Module 1Cyber Forensics Module 1
Cyber Forensics Module 1Manu Mathew Cherian
 
Autopsy Digital forensics tool
Autopsy Digital forensics toolAutopsy Digital forensics tool
Autopsy Digital forensics toolSreekanth Narendran
 
Windowsforensics
WindowsforensicsWindowsforensics
WindowsforensicsSantosh Khadsare
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory ForensicsIIJ
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System ForensicsArunJS5
 
Accessing Forensic Images
Accessing Forensic ImagesAccessing Forensic Images
Accessing Forensic ImagesCTIN
 
Windows Registry Forensics - Artifacts
Windows Registry Forensics - Artifacts Windows Registry Forensics - Artifacts
Windows Registry Forensics - Artifacts MD SAQUIB KHAN
 
Osint {open source intelligence }
Osint {open source intelligence }Osint {open source intelligence }
Osint {open source intelligence }AkshayJha40
 
Introduction to forensic imaging
Introduction to forensic imagingIntroduction to forensic imaging
Introduction to forensic imagingMarco Alamanni
 
Windows Registry
Windows RegistryWindows Registry
Windows Registryprimeteacher32
 
Intro to digital forensic imaging
Intro to digital forensic imagingIntro to digital forensic imaging
Intro to digital forensic imagingDetectalix
 
Forensic science intro
Forensic science introForensic science intro
Forensic science introMaria Donohue
 
Role of a Forensic Investigator
Role of a Forensic InvestigatorRole of a Forensic Investigator
Role of a Forensic InvestigatorAgape Inc
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 
Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3CTIN
 
OSINT: Open Source Intelligence - Rohan Braganza
OSINT: Open Source Intelligence - Rohan BraganzaOSINT: Open Source Intelligence - Rohan Braganza
OSINT: Open Source Intelligence - Rohan BraganzaNSConclave
 
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsMemory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsJared Greenhill
 
Data recovery with a view of digital forensics
Data recovery with a view of digital forensics Data recovery with a view of digital forensics
Data recovery with a view of digital forensics Ahmed Hashad
 
Encase V7 Presented by Guidance Software august 2011
Encase V7 Presented by Guidance Software august 2011Encase V7 Presented by Guidance Software august 2011
Encase V7 Presented by Guidance Software august 2011CTIN
 
Network forensic
Network forensicNetwork forensic
Network forensicManjushree Mashal
 
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017Carol Smith
 
In-Memory Computing Essentials for Architects and Engineers
In-Memory Computing Essentials for Architects and EngineersIn-Memory Computing Essentials for Architects and Engineers
In-Memory Computing Essentials for Architects and EngineersDenis Magda
 

Contenu connexe

Tendances

Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory ForensicsIIJ
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System ForensicsArunJS5
 
Accessing Forensic Images
Accessing Forensic ImagesAccessing Forensic Images
Accessing Forensic ImagesCTIN
 
Windows Registry Forensics - Artifacts
Windows Registry Forensics - Artifacts Windows Registry Forensics - Artifacts
Windows Registry Forensics - Artifacts MD SAQUIB KHAN
 
Osint {open source intelligence }
Osint {open source intelligence }Osint {open source intelligence }
Osint {open source intelligence }AkshayJha40
 
Introduction to forensic imaging
Introduction to forensic imagingIntroduction to forensic imaging
Introduction to forensic imagingMarco Alamanni
 
Intro to digital forensic imaging
Intro to digital forensic imagingIntro to digital forensic imaging
Intro to digital forensic imagingDetectalix
 
Forensic science intro
Forensic science introForensic science intro
Forensic science introMaria Donohue
 
Role of a Forensic Investigator
Role of a Forensic InvestigatorRole of a Forensic Investigator
Role of a Forensic InvestigatorAgape Inc
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 
Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3CTIN
 
OSINT: Open Source Intelligence - Rohan Braganza
OSINT: Open Source Intelligence - Rohan BraganzaOSINT: Open Source Intelligence - Rohan Braganza
OSINT: Open Source Intelligence - Rohan BraganzaNSConclave
 
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsMemory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsJared Greenhill
 
Data recovery with a view of digital forensics
Data recovery with a view of digital forensics Data recovery with a view of digital forensics
Data recovery with a view of digital forensics Ahmed Hashad
 
Encase V7 Presented by Guidance Software august 2011
Encase V7 Presented by Guidance Software august 2011Encase V7 Presented by Guidance Software august 2011
Encase V7 Presented by Guidance Software august 2011CTIN
 

Tendances (20)

Autopsy Digital forensics tool
Autopsy Digital forensics toolAutopsy Digital forensics tool
Autopsy Digital forensics tool
 
Windowsforensics
WindowsforensicsWindowsforensics
Windowsforensics
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System Forensics
 
Accessing Forensic Images
Accessing Forensic ImagesAccessing Forensic Images
Accessing Forensic Images
 
Windows Registry Forensics - Artifacts
Windows Registry Forensics - Artifacts Windows Registry Forensics - Artifacts
Windows Registry Forensics - Artifacts
 
Osint {open source intelligence }
Osint {open source intelligence }Osint {open source intelligence }
Osint {open source intelligence }
 
Introduction to forensic imaging
Introduction to forensic imagingIntroduction to forensic imaging
Introduction to forensic imaging
 
Windows Registry
Windows RegistryWindows Registry
Windows Registry
 
Intro to digital forensic imaging
Intro to digital forensic imagingIntro to digital forensic imaging
Intro to digital forensic imaging
 
Forensic science intro
Forensic science introForensic science intro
Forensic science intro
 
Role of a Forensic Investigator
Role of a Forensic InvestigatorRole of a Forensic Investigator
Role of a Forensic Investigator
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat Sheet
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkit
 
Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3
 
OSINT: Open Source Intelligence - Rohan Braganza
OSINT: Open Source Intelligence - Rohan BraganzaOSINT: Open Source Intelligence - Rohan Braganza
OSINT: Open Source Intelligence - Rohan Braganza
 
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsMemory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
 
Data recovery with a view of digital forensics
Data recovery with a view of digital forensics Data recovery with a view of digital forensics
Data recovery with a view of digital forensics
 
Encase V7 Presented by Guidance Software august 2011
Encase V7 Presented by Guidance Software august 2011Encase V7 Presented by Guidance Software august 2011
Encase V7 Presented by Guidance Software august 2011
 
Network forensic
Network forensicNetwork forensic
Network forensic
 

En vedette

AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017Carol Smith
 
In-Memory Computing Essentials for Architects and Engineers
In-Memory Computing Essentials for Architects and EngineersIn-Memory Computing Essentials for Architects and Engineers
In-Memory Computing Essentials for Architects and EngineersDenis Magda
 
Walk through an enterprise Linux migration
Walk through an enterprise Linux migrationWalk through an enterprise Linux migration
Walk through an enterprise Linux migrationRogue Wave Software
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
Scale Up with Lock-Free Algorithms @ JavaOne
Scale Up with Lock-Free Algorithms @ JavaOneScale Up with Lock-Free Algorithms @ JavaOne
Scale Up with Lock-Free Algorithms @ JavaOneRoman Elizarov
 
Graduating To Go - A Jumpstart into the Go Programming Language
Graduating To Go - A Jumpstart into the Go Programming LanguageGraduating To Go - A Jumpstart into the Go Programming Language
Graduating To Go - A Jumpstart into the Go Programming LanguageKaylyn Gibilterra
 
Communication hardware
Communication hardwareCommunication hardware
Communication hardwareHans Mallen
 
OCCIware, an extensible, standard-based XaaS consumer platform to manage ever...
OCCIware, an extensible, standard-based XaaS consumer platform to manage ever...OCCIware, an extensible, standard-based XaaS consumer platform to manage ever...
OCCIware, an extensible, standard-based XaaS consumer platform to manage ever...OCCIware
 
Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)
Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)
Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)Patricia Aas
 
What in the World is Going on at The Linux Foundation?
What in the World is Going on at The Linux Foundation?What in the World is Going on at The Linux Foundation?
What in the World is Going on at The Linux Foundation?Black Duck by Synopsys
 
DevRomagna / Golang Intro
DevRomagna / Golang IntroDevRomagna / Golang Intro
DevRomagna / Golang IntroSimone Gentili
 
Advanced memory allocation
Advanced memory allocationAdvanced memory allocation
Advanced memory allocationJoris Bonnefoy
 
SDN Architecture & Ecosystem
SDN Architecture & EcosystemSDN Architecture & Ecosystem
SDN Architecture & EcosystemKingston Smiler
 

En vedette (20)

AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
 
In-Memory Computing Essentials for Architects and Engineers
In-Memory Computing Essentials for Architects and EngineersIn-Memory Computing Essentials for Architects and Engineers
In-Memory Computing Essentials for Architects and Engineers
 
Docker Networking
Docker NetworkingDocker Networking
Docker Networking
 
Walk through an enterprise Linux migration
Walk through an enterprise Linux migrationWalk through an enterprise Linux migration
Walk through an enterprise Linux migration
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
 
Scale Up with Lock-Free Algorithms @ JavaOne
Scale Up with Lock-Free Algorithms @ JavaOneScale Up with Lock-Free Algorithms @ JavaOne
Scale Up with Lock-Free Algorithms @ JavaOne
 
Graduating To Go - A Jumpstart into the Go Programming Language
Graduating To Go - A Jumpstart into the Go Programming LanguageGraduating To Go - A Jumpstart into the Go Programming Language
Graduating To Go - A Jumpstart into the Go Programming Language
 
Communication hardware
Communication hardwareCommunication hardware
Communication hardware
 
OCCIware, an extensible, standard-based XaaS consumer platform to manage ever...
OCCIware, an extensible, standard-based XaaS consumer platform to manage ever...OCCIware, an extensible, standard-based XaaS consumer platform to manage ever...
OCCIware, an extensible, standard-based XaaS consumer platform to manage ever...
 
Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)
Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)
Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)
 
What in the World is Going on at The Linux Foundation?
What in the World is Going on at The Linux Foundation?What in the World is Going on at The Linux Foundation?
What in the World is Going on at The Linux Foundation?
 
numPYNQ @ NGCLE@e-Novia 15.11.2017
numPYNQ @ NGCLE@e-Novia 15.11.2017numPYNQ @ NGCLE@e-Novia 15.11.2017
numPYNQ @ NGCLE@e-Novia 15.11.2017
 
DevRomagna / Golang Intro
DevRomagna / Golang IntroDevRomagna / Golang Intro
DevRomagna / Golang Intro
 
Advanced memory allocation
Advanced memory allocationAdvanced memory allocation
Advanced memory allocation
 
Go Execution Tracer
Go Execution TracerGo Execution Tracer
Go Execution Tracer
 
Virtualization
VirtualizationVirtualization
Virtualization
 
Server virtualization
Server virtualizationServer virtualization
Server virtualization
 
SDN Architecture & Ecosystem
SDN Architecture & EcosystemSDN Architecture & Ecosystem
SDN Architecture & Ecosystem
 
OpenFlow
OpenFlowOpenFlow
OpenFlow
 
Network Virtualization
Network VirtualizationNetwork Virtualization
Network Virtualization
 

Similaire à In-depth forensic analysis of Windows registry files

Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3CTIN
 
Root file system
Root file systemRoot file system
Root file systemBindu U
 
File Handling In C++(OOPs))
File Handling In C++(OOPs))File Handling In C++(OOPs))
File Handling In C++(OOPs))Papu Kumar
 
Embedded Systems: Lecture 14: Introduction to GNU Toolchain (Binary Utilities)
Embedded Systems: Lecture 14: Introduction to GNU Toolchain (Binary Utilities)Embedded Systems: Lecture 14: Introduction to GNU Toolchain (Binary Utilities)
Embedded Systems: Lecture 14: Introduction to GNU Toolchain (Binary Utilities)Ahmed El-Arabawy
 
Linux Basics
Linux BasicsLinux Basics
Linux BasicsLokesh C
 
TLPI Chapter 14 File Systems
TLPI Chapter 14 File SystemsTLPI Chapter 14 File Systems
TLPI Chapter 14 File SystemsShu-Yu Fu
 
NTFS file system
NTFS file systemNTFS file system
NTFS file systemRavi Yasas
 
File system is full - what do i do
File system is full - what do i doFile system is full - what do i do
File system is full - what do i doNizar Fanany
 
Windows
WindowsWindows
WindowsEzzah
 
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)Sam Bowne
 
There are 4 parts for the project. The question may be long to read .docx
There are 4 parts for the project. The question may be long to read .docxThere are 4 parts for the project. The question may be long to read .docx
There are 4 parts for the project. The question may be long to read .docxsusannr
 
There are 4 part for the project and the question may be long to rea.docx
There are 4 part for the project and the question may be long to rea.docxThere are 4 part for the project and the question may be long to rea.docx
There are 4 part for the project and the question may be long to rea.docxsusannr
 
Filesystemimplementationpre final-160919095849
Filesystemimplementationpre final-160919095849Filesystemimplementationpre final-160919095849
Filesystemimplementationpre final-160919095849marangburu42
 
Operating Systems - Implementing File Systems
Operating Systems - Implementing File SystemsOperating Systems - Implementing File Systems
Operating Systems - Implementing File SystemsMukesh Chinta
 

Similaire à In-depth forensic analysis of Windows registry files (20)

Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3
 
Windows xp
Windows xpWindows xp
Windows xp
 
Root file system
Root file systemRoot file system
Root file system
 
File system
File systemFile system
File system
 
File system
File systemFile system
File system
 
File Handling In C++(OOPs))
File Handling In C++(OOPs))File Handling In C++(OOPs))
File Handling In C++(OOPs))
 
Embedded Systems: Lecture 14: Introduction to GNU Toolchain (Binary Utilities)
Embedded Systems: Lecture 14: Introduction to GNU Toolchain (Binary Utilities)Embedded Systems: Lecture 14: Introduction to GNU Toolchain (Binary Utilities)
Embedded Systems: Lecture 14: Introduction to GNU Toolchain (Binary Utilities)
 
Linux Basics
Linux BasicsLinux Basics
Linux Basics
 
TLPI Chapter 14 File Systems
TLPI Chapter 14 File SystemsTLPI Chapter 14 File Systems
TLPI Chapter 14 File Systems
 
NTFS file system
NTFS file systemNTFS file system
NTFS file system
 
File system is full - what do i do
File system is full - what do i doFile system is full - what do i do
File system is full - what do i do
 
Windows
WindowsWindows
Windows
 
File system
File systemFile system
File system
 
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
 
DBMS
DBMSDBMS
DBMS
 
There are 4 parts for the project. The question may be long to read .docx
There are 4 parts for the project. The question may be long to read .docxThere are 4 parts for the project. The question may be long to read .docx
There are 4 parts for the project. The question may be long to read .docx
 
There are 4 part for the project and the question may be long to rea.docx
There are 4 part for the project and the question may be long to rea.docxThere are 4 part for the project and the question may be long to rea.docx
There are 4 part for the project and the question may be long to rea.docx
 
Filesystemimplementationpre final-160919095849
Filesystemimplementationpre final-160919095849Filesystemimplementationpre final-160919095849
Filesystemimplementationpre final-160919095849
 
Operating Systems - Implementing File Systems
Operating Systems - Implementing File SystemsOperating Systems - Implementing File Systems
Operating Systems - Implementing File Systems
 
Ch2
Ch2Ch2
Ch2
 

Dernier

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
The Evolution of Money: Digital Transformation and CBDCs in Central Banking
The Evolution of Money: Digital Transformation and CBDCs in Central BankingThe Evolution of Money: Digital Transformation and CBDCs in Central Banking
The Evolution of Money: Digital Transformation and CBDCs in Central BankingSelcen Ozturkcan
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 

Dernier (20)

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
The Evolution of Money: Digital Transformation and CBDCs in Central Banking
The Evolution of Money: Digital Transformation and CBDCs in Central BankingThe Evolution of Money: Digital Transformation and CBDCs in Central Banking
The Evolution of Money: Digital Transformation and CBDCs in Central Banking
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 

In-depth forensic analysis of Windows registry files

  • 1. In-depth forensic analysis of Windows registry files Maxim Suhanov
  • 2. Registry basics A typical registry path: HKEY_LOCAL_MACHINESoftwareMicrosoft This path is different in a kernel: • RegistryMachineSoftwareMicrosoft This hive is non-volatile (stored on a disk), backing files: • C:WindowsSystem32configSOFTWARE • C:WindowsSystem32configSOFTWARE.LOG (+ .LOG1/.LOG2) Predefined key Mount point of a hive Key Some hives do not have a visible mount point!
  • 3. Hive format (NT family) Seven versions of the format: from 1.0 (pre-release versions ofWindows NT 3.1) to 1.6 (introduced inWindows 10 “Redstone 1”, not used yet) The structure of a hive file: Base block (file header) Hive bin Hive bin More hive bins Remnant data The base block contains the size of all [allocated] hive bins.
  • 4. Hive format (NT family) A hive bin contains a header and cells. Hive bin Header Cell Cell More cells A cell may contain: • Key node (nk) • Key value (vk) • Key security (sk) • List of subkeys (li, lf, lh) • List of subkeys lists (ri) • List of values • Value data • Big data records (db) • List of segments • Value data segments The first 4 bytes of a cell are used to record the size of this cell (positive value: unallocated cell, negative value: allocated cell) The header contains the size of this hive bin.
  • 5. Hive format (NT family) Records (entities) point to other records (entities) using a relative offset of a cell.A base block points to a root key node. File offset of a cell = Length of a base block + Relative offset of a cell File offset of a cell = 4096 + Relative offset of a cell Key node Key security List of subkeys List of values Key node Key node Key value Value data
  • 6. Hive format (NT family) All registry structures are documented here: https://github.com/msuhanov/regf/
  • 7. Transaction log files (NT family) • Before writing dirty data to a primary file, this data is stored in a transaction log file. • If a system crash occurs when writing to a transaction log file, a primary file will be intact. • If a system crash occurs when writing to a primary file, a transaction log file will be used to repeat the write operation. The old format (before Windows 8.1): Base block (backup copy) Dirty vector (bitmap) Dirty sectors (pages) Remnant data G a p
  • 8. Transaction log files (NT family) • Every bit of the bitmap corresponds to a single 512-byte sector of the hive bins data in a primary file. • If set, a sector is dirty (and modified contents are in the transaction log file). Relative offset of a dirty sector in a transaction log file = Index of a bit in the bitmap * 512 Relative from the start of dirty sectors (pages). Zero-based. As of Windows XP, a single run of dirty data is not smaller than a page (4096 bytes).
  • 9. Transaction log files (NT family) • A bad sector in a primary file results in the following:  Dirty data cannot be written to a primary file (to the location with a bad sector).  We cannot overwrite dirty data in an existing transaction log file (otherwise a system crash may leave us without a good copy of dirty data).  We cannot mark mounted hives as read-only.  No further writes (after a failed one) to a primary file will be allowed (new dirty data will be discarded).
  • 10. Transaction log files (NT family) • Solution: the dual-logging scheme (starting from Windows Vista).  After a failed write to a primary file, switch the log file being used (.LOG1 -> .LOG2, .LOG2 -> .LOG1), and try the write operation again.  Repeat this until a bad sector is gone. Microsoft left the CmpFailPrimarySave kernel variable used to simulate failed writes!
  • 11. Transaction log files (NT family) • The old format requires dirty data to be written to a disk twice. • The new format is used to stash dirty pages in a transaction log file without writing them to a primary file.These pages will be written to a primary file later. The new format (as ofWindows 8.1): Base block (backup copy) Log entries Remnant data Also, each log entry has a checksum for dirty data (Marvin32). • When all users are inactive. • During the full shutdown. • After 3600 seconds since the latest write.
  • 12. Deleted data (NT family) • When a key or a value is deleted, all corresponding cells are marked as unallocated. • A cell will be coalesced with an adjacent unallocated cell. • A single unallocated cell may contain multiple delete records (entities).
  • 13. Deleted data (NT family) Well, not all cells are marked as unallocated when a corresponding record (entity) is deleted… • In recent releases of Windows 10, renaming a key will leave an old key node in an allocated cell. • This key node will be present until the hive is defragmented. Thus, Cells with deleted data = All cells – Referenced cells
  • 14. Deleted data (NT family) Also, deleted records (entities) can be found in: • Remnant data at the end of a primary file. • Slack space of allocated and referenced records (especially, in cells with subkeys/values lists). • Transaction log files (old log entries, remnant data, gaps). Distribution of recoverable deleted keys and values in primary files: • Unallocated cells: 97.9% • Remnant data at the end of a file: 0.6% • Slack space in allocated and referenced cells: 1.5% • Allocated but unreferenced cells: 0% (only 1 key was found) Preallocated space.
  • 15. Caveats • Most registry viewers ignore data in transaction log files.  Registry Explorer, Windows Registry Recovery, Registry Recon, libregf, reglookup.  Latest changes to registry keys and values (made in Windows 8.1 and later versions of Windows) may be invisible to such tools.  Malicious programs can hide data from offline registry viewers by manipulating the CmpFailPrimarySave kernel variable (modified keys and values will be stored outside of a primary file). Example: A laptop with a USB cellular modem, building the timeline for the Software hive, looking for timestamps related to the activity of the modem. With transaction log files: 13 different key modification timestamps were found for a single registry key. Without transaction log files: 1 timestamp for that key.
  • 16. Caveats • Offline registry libraries in antivirus software ignore transaction log files too.  Kaspersky Rescue Disk 10 (based on Linux) will delete malicious keys/values from a primary file only, without applying dirty data from a transaction log file.  When running Windows 8.1 and later versions of Windows, it is possible to create a malicious autorun entry that will not be deleted when performing an antivirus scan from Kaspersky Rescue Disk 10.  The same is also possible with older versions of Windows by exploiting the CmpFailPrimarySave kernel variable.
  • 17. Caveats • When recovering deleted data from primary files, many tools skip the slack space of allocated records (entities). • 1.5% of recoverable keys and values are not recovered! Slack space A cell with a subkeys list Signature Number of elements Offset Offset Offset Offset Offset Cell size
  • 18. Caveats • Treating the registry as a typical file system is dangerous too!  A subkey and a value of a single key can share the same name.  A name of a key or a value could be “.” or “..”.  Also: null byte, “/”, and “”. GRR: a value shadows a key with the same name
  • 19. Yet another registry parser (yarp) https://github.com/msuhanov/yarp/ (library & tools, Python 3) - Parse Windows registry files in a proper way (with forensics in mind). - Expose values of all fields of underlying registry structures. - Support for truncated registry files and registry fragments. - Support for recovering deleted keys and values. - Support for carving of registry hives. - Support for transaction log files.
  • 20. ?