ACCESSDATA® FORENSICS – Registry Artifacts
Introduction – Rob Attoe
Forensic Analysis • Incident Response • eDiscovery • Information Assurance
Workshop Objectives
• Define the Registry
• Identify key artifacts located in the Registry
• Describe the structure of Registry files
• Identify deleted Registry data
What is the Registry?
• A central hierarchical database that the operating system uses to configure the system for one or more users, system devices and software applications
Registry History
• Windows NTx – System, Security, SAM, Software, BCD, NTUSER.DAT, UsrClass.dat; Windows 8 adds Settings.dat files
• Windows 9x – SYSTEM.DAT, USER.DAT
• Windows for Workgroups – various .ini files
• DOS?? – Autoexec.bat, Config.sys
Registry files of interest (file name – typical data)
• SAM – Users and Groups
• System – System related data
• Security – GPOs \ Domain users data
• Software – Global software settings
• NTUSER.DAT – User activity and preferences
Windows 7 Registry locations
• C:\Boot
• HARDWARE – built on boot
• C:\Windows\System32\config
• C:\Users\%%%%\
• C:\Users\%%%%\AppData\Local\Microsoft\Windows
Registry Terms
• Key
• Subkey
• Values – Name, Type, Data
Note: There is NO Date and Time information displayed in Regedit
Registry File Structure
• Registry files are a series of blocks – 4096 bytes of data
• First Block – regf – describes the file
Registry file structures
• Subsequent blocks contain ‘data’ – 4096 byte segments with a header of “hbin”
– Each block points to itself and records the size of the block
[Figure: 1st Block (regf), 2nd Block (hbin), 3rd Block (hbin), … ### Block]
Only the 1st block contains Date and Time
hbin Data Structures
• Data is described by its header, i.e.
– NK = Key Name
– SK = Security Descriptor information
– VK = Key Value
NK Structure
Deleted Registry data
• Data does not get wiped when deleted – Data remains in the hbin until space is needed again
• Key marker only changes from a – value to a + value
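The file-structure and deleted-data slides above describe the layout but do not show it in bytes. The following Python is an added example (not AccessData's or Rob Attoe's code, and not from the workshop): it constructs a two-block hive in memory (a regf header block followed by one hbin), then walks it the way the slides describe: validate the regf signature and checksum, read the header timestamp, step through each hbin by its self-offset and size, and step through every cell by its signed size DWORD. A cell whose size is negative is in use; a cell whose size is positive has been freed, so an nk record found in a positive-size cell is a deleted key whose name and last-written time are still recoverable. The hive contents (key names, timestamps, file name) are constructed sample data; the field offsets follow the publicly documented regf/hbin/nk layout and are assumed here, not taken from the slides.

```python
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 4096                      # regf header block and each hbin are 4096 bytes
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME = 100-ns ticks since 1601-01-01 UTC (regf and nk timestamps)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000


def regf_checksum(header):
    """XOR of the first 127 DWORDs of the header block; stored at offset 508."""
    acc = 0
    for off in range(0, 508, 4):
        acc ^= struct.unpack_from("<I", header, off)[0]
    if acc == 0:
        acc = 1
    elif acc == 0xFFFFFFFF:
        acc = 0xFFFFFFFE
    return acc


def build_nk_cell(name, last_written, allocated):
    """One hbin cell: signed size DWORD, 76-byte nk header, key name.
    Negative size = cell in use; positive size = cell freed (deleted key)."""
    name_bytes = name.encode("ascii")
    nk = b"nk" + struct.pack("<H", 0x20)                         # flags: 0x20 = ASCII name
    nk += struct.pack("<Q", datetime_to_filetime(last_written))  # last written time
    nk += struct.pack("<Ii", 0, -1)                              # access bits, parent offset
    nk += struct.pack("<IIiiIiii", 0, 0, -1, -1, 0, -1, -1, -1)  # subkey/value counts + list, sk, class offsets
    nk += struct.pack("<IIIII", 0, 0, 0, 0, 0)                   # max name/data lengths, work var
    nk += struct.pack("<HH", len(name_bytes), 0)                 # name length, class name length
    nk += name_bytes
    size = (4 + len(nk) + 7) & ~7                                # cells are 8-byte aligned
    nk = nk.ljust(size - 4, b"\x00")
    return struct.pack("<i", -size if allocated else size) + nk


def build_sample_hive():
    """Constructed sample hive: regf block + one hbin holding a live key and a deleted key."""
    live = build_nk_cell("ROOT", datetime(2013, 6, 1, tzinfo=timezone.utc), allocated=True)
    dead = build_nk_cell("OldKey", datetime(2012, 1, 1, tzinfo=timezone.utc), allocated=False)
    free = BLOCK - 32 - len(live) - len(dead)
    cells = live + dead + struct.pack("<i", free) + b"\x00" * (free - 4)   # trailing free cell
    hbin = b"hbin" + struct.pack("<IIQQI", 0, BLOCK, 0, 0, 0) + cells      # self offset, size
    header = bytearray(BLOCK)
    header[0:4] = b"regf"
    ts = datetime_to_filetime(datetime(2013, 6, 1, tzinfo=timezone.utc))
    # seq1, seq2, timestamp, major, minor, type, format, root cell offset, hbin data size, cluster
    struct.pack_into("<IIQIIIIIII", header, 4, 1, 1, ts, 1, 5, 0, 1, 32, BLOCK, 1)
    header[48:48 + 20] = "sample.hiv".encode("utf-16-le")
    struct.pack_into("<I", header, 508, regf_checksum(header))
    return bytes(header) + hbin


def parse_nk(data, off, allocated):
    flags, ft = struct.unpack_from("<HQ", data, off + 2)
    name_len = struct.unpack_from("<H", data, off + 0x48)[0]
    raw = data[off + 0x4C:off + 0x4C + name_len]
    name = raw.decode("latin-1") if flags & 0x20 else raw.decode("utf-16-le")
    return {"name": name, "allocated": allocated, "last_written": filetime_to_datetime(ft)}


def parse_hive(data):
    """Walk regf header, every hbin and every cell; return header info plus all nk records,
    including those sitting in freed cells (deleted-key candidates)."""
    if data[:4] != b"regf":
        raise ValueError("missing regf signature")
    seq1, seq2, ts, major, minor, _t, _f, root_off, bins_size, _c = struct.unpack_from("<IIQIIIIIII", data, 4)
    info = {
        "last_written": filetime_to_datetime(ts),
        "version": f"{major}.{minor}",
        "root_cell_offset": root_off,
        "hbin_data_size": bins_size,
        "dirty": seq1 != seq2,                      # unequal sequence numbers: not cleanly flushed
        "checksum_ok": struct.unpack_from("<I", data, 508)[0] == regf_checksum(data[:BLOCK]),
    }
    keys = []
    pos = BLOCK
    while pos < BLOCK + bins_size and data[pos:pos + 4] == b"hbin":
        _self_off, hsize = struct.unpack_from("<II", data, pos + 4)
        cell = pos + 32
        while cell + 4 <= pos + hsize:
            size = struct.unpack_from("<i", data, cell)[0]
            if size == 0:
                break
            if data[cell + 4:cell + 6] == b"nk":
                keys.append(parse_nk(data, cell + 4, allocated=size < 0))
            cell += abs(size)
        pos += hsize
    return info, keys


if __name__ == "__main__":
    info, keys = parse_hive(build_sample_hive())
    print(info)
    for k in keys:
        print("live   " if k["allocated"] else "DELETED", k["name"], k["last_written"])
```

On a real hive the same walk applies, but a freed cell may already be partly reused, so an nk found in a positive-size cell should be sanity-checked before it is reported (signature present, name length fits inside the cell, timestamp in a plausible range); the regf sequence numbers and checksum tell you whether the file was flushed cleanly, which matters when the hive was copied from a live system.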
Other Registry data locations
• RAM – Only portions of the Registry will be mounted – Recovery of virtualized Registry data may be possible – Temporary Registry data
Other Registry data locations
• Backup versions of Registry data – Full file copies (Windows ME ~ XP)
– Shadow Copies (Vista \ Windows 7) only back up the changed blocks
• Understanding the structure may lead to recovery of deleted Registry data
Questions?
Rob Attoe
[email protected]