Windows registry in forensic analysis

The Windows registry contains information that is helpful during a forensic analysis

The Windows registry is an excellent source of evidential data, and knowing what kind of information can exist in the registry, and where it is located, is critical during the forensic analysis process.

Let’s analyze the main keys…


Recently opened Programs/Files/URLs

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

MRU is the abbreviation for most-recently-used.

This key maintains a list of files recently opened or saved through the common Windows Explorer-style dialog boxes (the Open/Save dialog box), grouped in subkeys by file extension.
For instance, files (e.g. .txt, .pdf, .htm, .jpg) that were opened or saved from within a web browser are recorded here.

Documents opened or saved via Microsoft Office programs are not maintained here, because Office uses its own dialogs and keeps its own MRU lists under HKCU\Software\Microsoft\Office.

On Windows Vista and later the key is named OpenSavePidlMRU (in the same ComDlg32 key) and stores the paths as binary PIDLs rather than plain strings.

Whenever a new entry is added to the OpenSaveMRU key, a registry value is created or updated in

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

(LastVisitedPidlMRU on Windows Vista and later). This key correlates with OpenSaveMRU to provide extra information: each binary value under it contains the executable filename of a recently used program together with the folder path of the file that the program was used to open or save.

The list of files recently opened directly from Windows Explorer is stored in

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

This key corresponds to %USERPROFILE%\Recent (My Recent Documents) and contains local or network files that were recently opened; only the filename is stored, as binary (UTF-16LE) data, with the order of use kept in the MRUListEx value.

Start>Run

The list of entries executed using the Start>Run command is maintained in this key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

If a file is executed via the Run command, it also leaves traces in the two previous keys, OpenSaveMRU and RecentDocs.

Deleting the values in RunMRU does not immediately remove the history list from the Run command box.

Content of RunMRU Key

By using the Windows “Recently Opened Documents” Clear List feature (Control Panel > Taskbar and Start Menu), an attacker can remove the Run command history list.

In fact, executing the Clear List function removes the following registry keys and their subkeys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
HKCU\Software\Microsoft\Internet Explorer\TypedURLs
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

UserAssist

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

This key contains GUID subkeys (two on Windows XP, two or more on Windows 7 and later), each with a Count subkey that maintains a list of objects such as programs, shortcuts and Control Panel applets that the user has launched through Explorer, together with a run counter and the time of last execution.

Value names under these subkeys are weakly obfuscated with ROT13, which substitutes each letter with the letter 13 positions further along the alphabet, wrapping around (so the transformation is its own inverse; digits, braces and path separators are left unchanged). The value data is binary and contains the run count and the last-execution time as a Windows FILETIME.
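As an added example (not code from the original article), the following Python parses a UserAssist value the way an offline hive parser would hand it over: it ROT13-decodes the name and unpacks the run count and last-execution FILETIME from the binary data. The 72-byte (Windows 7 and later) and 16-byte (Windows XP) layouts are the commonly documented ones, e.g. by RegRipper and Didier Stevens' UserAssist tool; the sample name and bytes are constructed for the example rather than taken from a real system.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def rot13(name):
    """Decode a UserAssist value name. ROT13 shifts only A-Z/a-z by 13 places
    within the alphabet; digits, braces and backslashes pass through unchanged."""
    return codecs.decode(name, "rot_13")


def filetime_to_datetime(ft):
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC (0 = never run)."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(seconds=1)) * 10_000_000


def parse_userassist_value(name, data):
    """Parse one value of a UserAssist\\{GUID}\\Count subkey.

    Layouts assumed here (as commonly documented for RegRipper's userassist plugin):
      Windows 7 and later, 72 bytes: offset 0 session id, 4 run count,
        8 focus count, 12 focus time in ms, 60 last-execution FILETIME.
      Windows XP/2003, 16 bytes: 0 session id, 4 run count (starts at 5),
        8 last-execution FILETIME.
    """
    decoded = rot13(name)
    if len(data) == 72:
        session, run_count, focus_count, focus_ms = struct.unpack_from("<4I", data, 0)
        (last_run,) = struct.unpack_from("<Q", data, 60)
        return {"name": decoded, "session": session, "run_count": run_count,
                "focus_count": focus_count, "focus_time": timedelta(milliseconds=focus_ms),
                "last_run": filetime_to_datetime(last_run)}
    if len(data) == 16:
        session, run_count, last_run = struct.unpack_from("<IIQ", data, 0)
        return {"name": decoded, "session": session, "run_count": run_count - 5,
                "focus_count": None, "focus_time": None,
                "last_run": filetime_to_datetime(last_run)}
    raise ValueError("unexpected UserAssist value length %d" % len(data))


# Constructed samples (not taken from a real hive), in the form an examiner gets
# from an offline hive parser such as python-registry (value.name(), value.raw_data()).
SAMPLE_NAME = "P:\\Jvaqbjf\\Flfgrz32\\pzq.rkr"               # ROT13 of C:\Windows\System32\cmd.exe
SAMPLE_LAST_RUN = datetime(2016, 5, 28, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_DATA = (
    struct.pack("<4I", 1, 7, 3, 120_000)                        # session, runs, focus count, focus ms
    + b"\x00" * 44                                              # offsets 16..59: not used by this parser
    + struct.pack("<Q", datetime_to_filetime(SAMPLE_LAST_RUN))  # offset 60: last execution
    + b"\xff\xff\xff\xff"                                       # offset 68: unknown
)
SAMPLE_XP_NAME = "HRZR_EHACNGU:P:\\JVAQBJF\\flfgrz32\\abgrcnq.rkr"  # UEME_RUNPATH:C:\WINDOWS\system32\notepad.exe
SAMPLE_XP_DATA = struct.pack("<IIQ", 0, 12, datetime_to_filetime(SAMPLE_LAST_RUN))  # XP count 12 = 7 runs


def sample_entry():
    return parse_userassist_value(SAMPLE_NAME, SAMPLE_DATA)


def sample_xp_entry():
    return parse_userassist_value(SAMPLE_XP_NAME, SAMPLE_XP_DATA)


if __name__ == "__main__":
    for e in (sample_entry(), sample_xp_entry()):
        print(f"{e['name']}  runs={e['run_count']}  last={e['last_run']:%Y-%m-%d %H:%M:%S} UTC")
```

On a real image, feed the function the raw name and data of every value under each {GUID}\Count subkey of the NTUSER.DAT hive; the run count and last-execution time give you a per-user execution timeline that survives even when Prefetch is disabled.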

Recent URLs

HKCU\Software\Microsoft\Internet Explorer\TypedURLs

This key contains a listing of up to 25 recent URLs (or file paths) typed in the Internet Explorer (IE) or Windows Explorer address bar, in values url1 to url25 with url1 the most recent: the key only records links that were fully typed, automatically completed while typing, or selected from the list of stored URLs in the IE address bar.

Websites accessed via IE Favorites are not recorded, and if the user clears the URL history using Clear History in the IE Internet Options menu, this key is completely removed.


Pagefile

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

This key maintains the configuration of Windows virtual memory: the paging file (usually C:\pagefile.sys) may contain evidential information (fragments of process memory paged out to disk) that is lost once the suspect computer is shut down.

The key contains a REG_DWORD value called ClearPageFileAtShutdown which specifies whether Windows should overwrite the paging file at shutdown (by default it is 0 and Windows does not clear the paging file; 1 enables wiping).

During a forensic analysis you should check this value before shutting down a suspect computer: if it is 1, a clean shutdown destroys the pagefile contents, so acquire volatile memory and the pagefile first.


Windows Search

HKCU\Software\Microsoft\Search Assistant\ACMru

This key contains the recent search terms entered in the Windows XP Search Assistant.

There may be up to four subkeys:

  • 5001: Contains the list of terms used for the Internet Search Assistant
  • 5603: Contains the list of terms used for the Windows files and folders search
  • 5604: Contains the list of terms used in the “word or phrase in a file” search
  • 5647: Contains the list of terms used in the “for computers or people” search

On Windows Vista and later this key is not used: Explorer search terms are stored instead under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery.

Installed programs

Each program listed in Control Panel > Add/Remove Programs corresponds to one subkey of this key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Subkeys usually contain these two common registry values:

  • DisplayName: program name
  • UninstallString: file path of the application's uninstall component, which indirectly reveals the application installation path

Other useful values may exist, including InstallDate, InstallSource, InstallLocation and DisplayVersion. On 64-bit Windows, 32-bit applications are listed under HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall instead, and per-user installations under HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall.


Mounted drives

The list of mounted devices, with the associated persistent volume name and the unique internal identifier of each device, is contained in

HKLM\SYSTEM\MountedDevices

This key lists any volume that has been mounted and assigned a drive letter, including USB storage devices and external DVD/CD-ROM drives.

Among the listed registry values, those whose name starts with \DosDevices\ and ends with the assigned drive letter (for example \DosDevices\E:) contain information about that particular mounted device; the same device also appears under a \??\Volume{GUID} value name with identical data, and that GUID is what links the volume to the per-user MountPoints2 key below.

Similar information is also contained in

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume

under the respective volume GUID subkey, in the binary registry value named Data.

This key is a point of interest during a forensic analysis: being in the user hive, it shows which user account actually accessed a given volume, and it also records shares on remote systems such as C$, Temp$, etc.

Within the paths recorded by these artifacts, the presence of ProcDump may indicate dumping of credentials from the lsass.exe address space; sc.exe may indicate persistence through a newly created service; the presence of .rar files may indicate data being staged for exfiltration.

The history of recently mapped network drives is stored in

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

In addition, a permanent subkey (unless manually removed from the registry) for each mapped network drive is also created in

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

and the subkey is named in the form ##servername#sharedfolder.


USB Storage

The key:

HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR

contains additional information about the USB storage devices that have been connected, including external memory cards: one subkey per device model, named Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>, each with a subkey per device instance whose name is the device serial number followed by &0 (when a device reports no serial number, Windows generates an instance ID with “&” as its second character). Entries persist after the device is removed.

Used in conjunction with the two previous keys it provides evidential information: which device was connected, which drive letter it received and which user account accessed it.
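As an added example, not the article's own code, here is a Python decoder for MountedDevices value data that recognises the three formats found in the key (MBR disk signature plus partition offset, GPT partition GUID, and the UTF-16LE USBSTOR device path), extracts vendor, product and serial from the USB path, and joins the result against the Enum\USBSTOR subkeys to recover the drive letter, friendly name and whether the serial is real. The value formats are assumptions from public documentation of the key, and the sample hive contents (the SanDisk device, its serial and the volume GUID) are constructed.

```python
import re
import struct
import uuid

# Value data formats under HKLM\SYSTEM\MountedDevices (assumed from public
# documentation of the key; check against your own image):
#   12 bytes               -> MBR disk: DWORD disk signature + QWORD partition byte offset
#   b"DMIO:ID:" + 16 bytes -> GPT partition GUID
#   anything else          -> UTF-16LE device interface path, e.g.
#       _??_USBSTOR#Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>#<instance>#{class GUID}
USB_PATH_RE = re.compile(
    r"^_\?\?_USBSTOR#(?P<devtype>[^&#]+)&Ven_(?P<vendor>[^&#]*)&Prod_(?P<product>[^&#]*)"
    r"&Rev_(?P<rev>[^&#]*)#(?P<instance>[^#]+)#\{(?P<class_guid>[0-9a-fA-F-]+)\}$"
)
DOSDEVICE_RE = re.compile(r"^\\DosDevices\\([A-Z]):$")


def decode_mounted_device(name, data):
    """Interpret one MountedDevices value; returns a dict with a 'kind' field."""
    entry = {"name": name, "kind": "unknown"}
    if data.startswith(b"DMIO:ID:") and len(data) == 24:
        entry.update(kind="gpt", partition_guid=str(uuid.UUID(bytes_le=data[8:])))
    elif len(data) == 12:
        signature, offset = struct.unpack("<IQ", data)
        entry.update(kind="mbr", disk_signature=f"{signature:08X}", partition_offset=offset)
    else:
        path = data.decode("utf-16-le").rstrip("\x00")
        entry.update(kind="path", device_path=path)
        m = USB_PATH_RE.match(path)
        if m:
            instance = m.group("instance")          # identical to the USBSTOR instance subkey name
            serial = instance.rsplit("&", 1)[0]     # drop the trailing "&<n>" interface index
            entry.update(
                kind="usb",
                vendor=m.group("vendor"), product=m.group("product"), revision=m.group("rev"),
                usbstor_device="%s&Ven_%s&Prod_%s&Rev_%s" % m.group("devtype", "vendor", "product", "rev"),
                usbstor_instance=instance,
                serial=serial,
                # Windows generates the instance id itself, with '&' as its second
                # character, when the device reports no serial number.
                serial_is_real=len(serial) > 1 and serial[1] != "&",
            )
    return entry


def usb_devices_by_drive_letter(mounted_devices, usbstor):
    """Join \\DosDevices\\X: entries against Enum\\USBSTOR\\<device>\\<instance>.
    mounted_devices: {value name: raw bytes}; usbstor: {device: {instance: {value: data}}}."""
    result = {}
    for name, data in mounted_devices.items():
        letter = DOSDEVICE_RE.match(name)
        if not letter:
            continue
        entry = decode_mounted_device(name, data)
        if entry["kind"] != "usb":
            continue
        props = usbstor.get(entry["usbstor_device"], {}).get(entry["usbstor_instance"], {})
        entry["friendly_name"] = props.get("FriendlyName")
        entry["in_usbstor"] = bool(props)
        result[letter.group(1)] = entry
    return result


def utf16(s):
    return s.encode("utf-16-le")


# Constructed sample hive contents (not from a real system).
CRUZER = ("_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26"
          "#4C530001234567890123&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
SAMPLE_MOUNTED_DEVICES = {
    r"\DosDevices\C:": struct.pack("<IQ", 0xA1B2C3D4, 1_048_576),
    r"\DosDevices\E:": utf16(CRUZER),
    r"\??\Volume{0f3c1a6e-2d1b-4e0a-9c5d-3b2a1f0e9d8c}": utf16(CRUZER),
}
SAMPLE_USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26": {
        "4C530001234567890123&0": {"FriendlyName": "SanDisk Cruzer USB Device"},
    },
}


def sample_report():
    return usb_devices_by_drive_letter(SAMPLE_MOUNTED_DEVICES, SAMPLE_USBSTOR)


if __name__ == "__main__":
    for letter, dev in sample_report().items():
        print(letter, dev["vendor"], dev["product"], dev["serial"],
              "real serial" if dev["serial_is_real"] else "generated id", dev["friendly_name"])
```

A USB entry in MountedDevices whose instance is missing from USBSTOR (in_usbstor False) is worth noting: it usually means the device node was cleaned up, manually or by a tool, after the volume had been mounted.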


Autorun

There are several keys related to the automatic execution of programs.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

These keys contain the paths of programs or components that run automatically at system startup (HKLM) or at the logon of that user (HKCU), without requiring user interaction: malware commonly leaves a trace here to persist across reboots, so every value should be checked against a known-good baseline.

RunOnce and RunOnceEx

These keys identify programs that run only once, at the next startup or logon, after which the entry is deleted; they can be assigned to a specific user account or to the machine:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

RunServices and RunServicesOnce

On Windows 95/98/Me these keys controlled the automatic startup of services before logon, per machine or per user; Windows NT-based systems (2000/XP and later) do not process them, but they may still be found on old images:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

Command Processor AutoRun

The AutoRun value under these keys contains a command that is automatically executed each time cmd.exe starts:

HKLM\SOFTWARE\Microsoft\Command Processor
HKCU\Software\Microsoft\Command Processor

Modifying the HKLM key requires administrative privileges; the HKCU key can be written by the user.

Malware can abuse this feature to load itself, without the user's knowledge, whenever a command prompt (or any script that spawns one) is run.

Winlogon

This key has a registry value named Shell with default data explorer.exe.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Malware appends its executable to the default value's data (e.g. Shell=explorer.exe,malware.exe) to persist across system reboots and logins; the Userinit value in the same key (default C:\Windows\system32\userinit.exe,) is abused in the same way. Modifying this key requires administrative privileges.

Services

This key contains the list of Windows services:

HKLM\SYSTEM\CurrentControlSet\Services

Each subkey represents a service and contains its configuration, such as the startup type (Start), the executable image path (ImagePath) and, for services hosted by svchost.exe, the DLL actually loaded (Parameters\ServiceDll).

For more information about malware persistence techniques, please refer to my previous article:

https://www.andreafortuna.org/cybersecurity/malware-persistence-techniques/


Debugging

This key allows an administrator to attach a debugger to an executable by filename: a subkey named after the executable with a Debugger value makes Windows launch the program named there instead, passing the original executable and its command line as arguments:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Modification to this key requires administrative privilege.

This feature can be abused to launch a completely different program under the cover of the original one: any Debugger value found here should be verified.


File extensions

This key contains the command used to execute any file with the .exe extension:

HKCR\exefile\shell\open\command

Normally its default value has the data "%1" %*, but if the data is changed to something like somefilename.exe "%1" %*, the investigator should suspect that another hidden program is invoked automatically whenever an .exe file is executed.

Malware commonly modifies this value to load itself covertly.

This technique applies to other similar keys, including:

HKEY_CLASSES_ROOT\batfile\shell\open\command
HKEY_CLASSES_ROOT\comfile\shell\open\command
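As an added example, not part of the original article, the Python below triages an offline registry export (the text produced by reg export, or by converting a hive to .reg) for the persistence points covered in the Autorun, Command Processor, Winlogon, Debugging and File extensions sections above: it flags shell\open\command handlers that no longer pass "%1" %* straight through, extra Shell/Userinit entries, any Image File Execution Options Debugger, a non-empty cmd.exe AutoRun, and lists Run/RunOnce values for review. The .reg parser handles only REG_SZ and dword values, and every path in the sample export (the svchost.exe copy in ProgramData, updater.exe, helper.exe attached to calc.exe) is hypothetical.

```python
import re

_ESCAPE_RE = re.compile(r'\\(["\\])')
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"


def parse_reg_export(text):
    """Minimal parser for 'Windows Registry Editor Version 5.00' exports.
    Returns {key_path: {value_name: value}}; '@' is the key's default value.
    REG_SZ values are unescaped, dword: values become ints, others stay raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        name, _, value = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        if value.startswith('"') and value.endswith('"'):
            value = _ESCAPE_RE.sub(r"\1", value[1:-1])
        elif value.startswith("dword:"):
            value = int(value[6:], 16)
        keys[current][name] = value
    return keys


def triage(keys):
    """Return (finding, key, data) tuples for the persistence points discussed above."""
    index = {k.lower(): v for k, v in keys.items()}

    def value(key, name="@"):
        return index.get(key.lower(), {}).get(name)

    findings = []
    # 1. exefile/batfile/comfile handlers must pass the file straight through.
    for cls in ("exefile", "batfile", "comfile"):
        key = "HKEY_CLASSES_ROOT\\" + cls + "\\shell\\open\\command"
        cmd = value(key)
        if cmd is not None and cmd.strip() != '"%1" %*':
            findings.append(("file handler hijacked", key, cmd))
    # 2. Winlogon Shell / Userinit should name only explorer.exe / userinit.exe.
    for name, expected in (("Shell", "explorer.exe"), ("Userinit", "userinit.exe")):
        data = value(WINLOGON, name)
        if data is None:
            continue
        parts = [p.strip() for p in data.split(",") if p.strip()]
        if any(p.lower().rsplit("\\", 1)[-1] != expected for p in parts):
            findings.append(("extra Winlogon " + name + " entry", WINLOGON, data))
    # 3. Any IFEO subkey with a Debugger value replaces the named program.
    for key, values in keys.items():
        if key.lower().startswith(IFEO.lower() + "\\") and "Debugger" in values:
            findings.append(("IFEO Debugger set", key, values["Debugger"]))
    # 4. cmd.exe AutoRun (per machine or per user); an empty string is the normal state.
    for hive in ("HKEY_LOCAL_MACHINE\\SOFTWARE", "HKEY_CURRENT_USER\\Software"):
        key = hive + "\\Microsoft\\Command Processor"
        if value(key, "AutoRun"):
            findings.append(("cmd.exe AutoRun", key, value(key, "AutoRun")))
    # 5. Run/RunOnce entries are always worth listing for review against a baseline.
    for key, values in keys.items():
        if re.search(r"\\CurrentVersion\\Run(Once)?$", key, re.IGNORECASE):
            for name, cmd in values.items():
                findings.append(("autorun entry", key + "\\" + name, cmd))
    return findings


# Constructed sample export; all paths are hypothetical.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\ProgramData\\svchost.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\Public\\updater.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"Debugger"="C:\\Users\\Public\\helper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor]
"AutoRun"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''


def sample_findings():
    return triage(parse_reg_export(SAMPLE_EXPORT))


if __name__ == "__main__":
    for kind, key, data in sample_findings():
        print(f"[{kind}] {key} -> {data}")
```

On a live or mounted system the same checks can be run against the output of reg export HKLM\SOFTWARE and reg export HKCR, which keeps the triage logic identical between a live response and a dead-box hive export.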

Windows Protected Storage

Protected Storage is a service used by Microsoft products to provide a secure area to store private information.

Information that could be stored in Protected Storage includes for example Internet Explorer AutoComplete strings and passwords, Microsoft Outlook and Outlook Express accounts’ passwords.

Windows Protected Storage is maintained under this key:

HKCU\Software\Microsoft\Protected Storage System Provider

Registry Editor does not show the contents of these keys to users, including administrators.

There are tools that allow an examiner to view the decrypted Protected Storage on a live system, such as Protected Storage PassView and PStoreView. Note that Protected Storage is a legacy mechanism of Windows 2000/XP: from Windows Vista and Internet Explorer 7 onwards this data is protected with DPAPI and stored elsewhere, so the key is only relevant on older images.



Understanding Process Hollowing

A technique used by malware authors to evade defenses and to hinder the detection and analysis of malicious process execution

Process hollowing is a technique used by malware in which a legitimate process is loaded on the system solely to act as a container for hostile code.

How does it work?

At launch, the legitimate process is created in a suspended state (CREATE_SUSPENDED); its original image is unmapped from memory and replaced with the code of a second program, the main thread's context is pointed at the new entry point with SetThreadContext, and the thread is resumed, so that the second program runs instead of the original one.

https://www.slideshare.net/CysinfoCommunity/hollow-process-injection?ref=https://cysinfo.com/7th-meetup-reversing-and-investigating-malware-evasive-tactics-hollow-process-injection/

The advantage is that this helps the process hide amongst normal processes better: Windows and process monitoring tools believe the original process is running, whereas the actual program running is different.


Detecting hollowed processes with Volatility

One common technique for detecting hollowed processes is scanning the process's allocated memory for regions with the RWX (PAGE_EXECUTE_READWRITE) protection setting that are not backed by a file on disk.
If the attacker forgot to fix the memory protection flags with VirtualProtectEx after writing the payload, we can find it easily.

The Volatility plugin malfind does this as part of its scanning: however, careful malware authors can easily avoid it by correcting the protection settings after they are done writing to memory.

But even without specialised plugins we can use Volatility to dump process images to files (procdump) and compare them with each other or with the original file on the filesystem: a hollowed svchost.exe carries a different link timestamp, entry point and section table from the copy in System32. Monnappa K A's hollowfind plugin automates these checks, including a comparison of the image base recorded in the PEB with the one in the VAD tree.
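To show what the comparison of a dumped image with its on-disk original looks like in practice, here is an added Python example (not the article's or Volatility's code) that parses the COFF header, entry point and section table of two PE images and reports the fields that differ, ignoring ImageBase (relocated by ASLR) and raw sizes (rewritten by dump tools). The PE bytes are built by a helper in the block itself, so the link timestamps, entry points and section layouts are constructed for the example; on a real case you would feed it the bytes of C:\Windows\System32\svchost.exe and of the file written by Volatility's procdump.

```python
import struct


def build_pe(timestamp, entry_point, image_base, sections):
    """Build a minimal PE32+ header (DOS stub, COFF header, optional header,
    section table). Constructed test data: only the fields parse_pe() reads are set.
    sections: (name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics)."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)                 # e_lfanew = 64
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x8664, len(sections), timestamp, 0, 0, 240, 0x22)
    opt = bytearray(240)                                               # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)                              # PE32+ magic
    struct.pack_into("<I", opt, 16, entry_point)                       # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, image_base)                        # ImageBase
    table = b"".join(
        struct.pack("<8sIIII", name.encode().ljust(8, b"\x00"), vsize, vaddr, rawsize, 0)
        + b"\x00" * 12 + struct.pack("<I", flags)
        for name, vaddr, vsize, rawsize, flags in sections
    )
    return dos + coff + bytes(opt) + table


def parse_pe(image):
    """Read the header fields that a legitimate process keeps unchanged in memory."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    machine, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
    opt = pe_off + 24
    (magic,) = struct.unpack_from("<H", image, opt)
    (entry,) = struct.unpack_from("<I", image, opt + 16)
    if magic == 0x20B:
        (image_base,) = struct.unpack_from("<Q", image, opt + 24)
    else:
        (image_base,) = struct.unpack_from("<I", image, opt + 28)      # PE32 layout
    sections, off = [], opt + opt_size
    for _ in range(nsect):
        name, vsize, vaddr, rawsize, _ = struct.unpack_from("<8sIIII", image, off)
        (flags,) = struct.unpack_from("<I", image, off + 36)
        sections.append((name.rstrip(b"\x00").decode("ascii", "replace"), vaddr, vsize, flags))
        off += 40
    return {"machine": machine, "timestamp": timestamp, "entry_point": entry,
            "image_base": image_base, "sections": sections}


def compare_with_disk(disk_image, dumped_image):
    """Differences between the on-disk binary and the image dumped from the process.
    ImageBase is ignored (ASLR moves it legitimately) and so is SizeOfRawData
    (dump tools rewrite it); link timestamp, entry point RVA, section names,
    addresses, sizes and flags should all match for a genuine process."""
    a, b = parse_pe(disk_image), parse_pe(dumped_image)
    diffs = []
    for field in ("machine", "timestamp", "entry_point"):
        if a[field] != b[field]:
            diffs.append(f"{field}: disk={a[field]:#x} dump={b[field]:#x}")
    names_a, names_b = [s[0] for s in a["sections"]], [s[0] for s in b["sections"]]
    if names_a != names_b:
        diffs.append(f"section names: disk={names_a} dump={names_b}")
    else:
        for sa, sb in zip(a["sections"], b["sections"]):
            if sa != sb:
                diffs.append(f"section {sa[0]}: disk={sa[1:]} dump={sb[1:]}")
    return diffs


# Constructed sample: the on-disk svchost.exe header, the same header dumped from a
# genuine process (only the base moved), and the header found in a hollowed process.
SVCHOST_SECTIONS = [(".text", 0x1000, 0x8000, 0x8000, 0x60000020),
                    (".rdata", 0x9000, 0x2000, 0x2000, 0x40000040),
                    (".data", 0xB000, 0x1000, 0x400, 0xC0000040)]
DISK = build_pe(0x5A1B2C3D, 0x1A2B, 0x140000000, SVCHOST_SECTIONS)
GENUINE_DUMP = build_pe(0x5A1B2C3D, 0x1A2B, 0x7FF6A2B40000, SVCHOST_SECTIONS)
HOLLOWED_DUMP = build_pe(0x5F0A1B2C, 0x4C10, 0x140000000,
                         [(".text", 0x1000, 0x12000, 0x12000, 0x60000020),
                          (".rdata", 0x13000, 0x3000, 0x3000, 0x40000040),
                          (".data", 0x16000, 0x800, 0x200, 0xC0000040),
                          (".rsrc", 0x17000, 0x400, 0x400, 0x40000040)])

if __name__ == "__main__":
    print("genuine :", compare_with_disk(DISK, GENUINE_DUMP) or "no differences")
    print("hollowed:", *compare_with_disk(DISK, HOLLOWED_DUMP), sep="\n  ")
```

The comparison deliberately stays at header level: a hollowed process can only match the original's section table if the attacker copies it over, and even then the link timestamp and entry point of the injected payload normally give it away.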

In the following video, part of the presentation “Reversing and Investigating Malware Evasive Tactics — Hollow Process Injection” given at the Cysinfo cyber security meetup in Bangalore on May 28th 2016, Monnappa K A detects an svchost.exe used as the host process for process hollowing:


Mitigation

Mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software from operating properly.
So efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.



MAC(b) times in Windows forensic analysis

Essential information during timeline analysis

 

During a forensic analysis, especially during timeline analysis, you deal with MAC(b) timestamps, so it's important to know and understand the concept of time resolution.

The MAC(b) times are derived from file system metadata and they stand for:

  • Modified
  • Accessed
  • Changed (MFT entry modified)
  • Birth (file creation time)

The (b) is in parentheses because not all file systems record a birth time.


Where are they stored?

In two attributes of each MFT record, $STANDARD_INFORMATION and $FILE_NAME:

$STANDARD_INFO

$STANDARD_INFORMATION ($SI) stores file metadata such as flags, the security ID, the owner ID and a set of MAC(b) timestamps.

$STANDARD_INFORMATION timestamps are the ones displayed by Windows Explorer, fls, mactime, timestomp, find and the other utilities that show file times.

$FILE_NAME

The $FILE_NAME attribute contains forensically interesting fields, such as its own set of MAC(b) times, the file name, the file length and more.

Its timestamps are updated only when the attribute itself is changed, that is, when the file is created, renamed or moved.

Files can have either one or two $FILE_NAME attributes depending on how long the file name is:

  • Short file names (“file.txt”) have only one $FILE_NAME attribute.
  • Long file names (“extremelylongfilename.txt”) have two $FILE_NAME attributes: one for the long file name, and one for the DOS-compatible short name (EXTRE~1.TXT).

What are the differences?

  • $STANDARD_INFO can be modified by user-level processes, e.g. timestomp, through the SetFileTime API.
  • $FILE_NAME is written only by the system kernel, so user-mode anti-forensics utilities such as timestomp cannot set it directly. Be aware, however, that a rename or move copies the current $STANDARD_INFO timestamps into the new $FILE_NAME attribute, so a forged $STANDARD_INFO time propagates to $FILE_NAME if the file is renamed afterwards.

Time Rules

There are general rules about what happens when files are moved, copied, accessed or created.
Each operation alters different metadata; here is a table of the time rules for $STANDARD_INFORMATION:

https://digital-forensics.sans.org/blog/2010/04/12/windows-7-mft-entry-timestamp-properties

While examining the $FILE_NAME timestamps the rules are pretty different:

https://digital-forensics.sans.org/blog/2010/04/12/windows-7-mft-entry-timestamp-properties

How to detect Anti-Forensics Timestamp Anomalies?

Tools such as timestomp allow attackers to backdate a file to an arbitrary time, in order to hide it among the legitimate files in system32 or similar directories.

So, during analysis you can use analyzeMFT.py (or any MFT parser that outputs both attribute sets) to check whether the $FILE_NAME creation time occurs after the $STANDARD_INFORMATION creation time.

If this anomaly occurs, it is likely that an attacker has altered the $STANDARD_INFO timestamps using timestomp. A second indicator is a $STANDARD_INFO timestamp whose sub-second part is exactly zero: timestomp sets times with one-second granularity, while NTFS records them in 100-nanosecond units, so genuine timestamps almost never end in seven zeros.
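As an added example, not the article's own code, the following Python applies both checks to MFT records in the form an MFT parser such as analyzeMFT.py provides: a $FILE_NAME creation or modification time later than the $STANDARD_INFORMATION one, and $STANDARD_INFORMATION timestamps whose 100-nanosecond fraction is exactly zero. Timestamps are handled as raw FILETIME ticks so the fraction survives; the two records (report.docx and an svchosts.exe dropped in System32) are constructed for the example, including their sub-second values.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000            # NTFS stores 100-nanosecond units


def filetime(dt, sub_second_ticks=0):
    """FILETIME ticks for a whole-second datetime plus an explicit sub-second part."""
    return ((dt - EPOCH_1601) // timedelta(seconds=1)) * TICKS_PER_SECOND + sub_second_ticks


def fmt(ticks):
    """Render FILETIME ticks with the full seven-digit fraction NTFS keeps."""
    dt = EPOCH_1601 + timedelta(microseconds=ticks // 10)
    return dt.strftime("%Y-%m-%d %H:%M:%S") + f".{ticks % TICKS_PER_SECOND:07d}"


def check_timestamps(entry):
    """entry: {"path": str, "si": {M,A,C,B}, "fn": {M,A,C,B}} with FILETIME ticks,
    i.e. the two timestamp sets an MFT parser outputs. Returns anomaly strings."""
    si, fn = entry["si"], entry["fn"]
    anomalies = []
    # $FN is written at creation/rename by copying the $SI times of that moment, so
    # it can never be later than $SI unless $SI was pushed back afterwards.
    for field in ("B", "M"):
        if fn[field] > si[field]:
            anomalies.append(f"$FN {field} {fmt(fn[field])} is later than $SI {field} {fmt(si[field])}: $SI backdated")
    # timestomp goes through SetFileTime with one-second granularity, leaving the
    # 100 ns fraction at exactly zero in every $SI field at once.
    if all(t % TICKS_PER_SECOND == 0 for t in si.values()):
        anomalies.append("all $SI timestamps have a zero sub-second part: set by a second-granularity tool")
    return anomalies


def report(entries):
    return {e["path"]: check_timestamps(e) for e in entries}


# Constructed records (not from a real volume).
LEGIT_CREATED = datetime(2016, 5, 20, 9, 30, 12, tzinfo=timezone.utc)
LEGIT_MODIFIED = datetime(2016, 5, 21, 14, 2, 45, tzinfo=timezone.utc)
LEGIT = {
    "path": r"C:\Users\alice\Documents\report.docx",
    "si": {"M": filetime(LEGIT_MODIFIED, 4_112_390), "A": filetime(LEGIT_MODIFIED, 4_112_390),
           "C": filetime(LEGIT_MODIFIED, 4_120_007), "B": filetime(LEGIT_CREATED, 1_587_230)},
    "fn": {k: filetime(LEGIT_CREATED, 1_587_230) for k in "MACB"},
}
FAKE_OLD = datetime(2009, 7, 14, 1, 14, 37, tzinfo=timezone.utc)      # what timestomp was told to write
REAL_DROP = datetime(2016, 5, 28, 10, 12, 33, tzinfo=timezone.utc)    # when the file really appeared
STOMPED = {
    "path": r"C:\Windows\System32\svchosts.exe",
    "si": {k: filetime(FAKE_OLD) for k in "MACB"},                     # exact seconds, no fraction
    "fn": {k: filetime(REAL_DROP, 7_654_321) for k in "MACB"},
}

if __name__ == "__main__":
    for path, anomalies in report([LEGIT, STOMPED]).items():
        print(path)
        for a in anomalies or ["no anomaly"]:
            print("  ", a)
```

Run against a full analyzeMFT.py CSV, the zero-fraction test produces some false positives on files written by installers that set times explicitly, so treat it as a lead to be confirmed by the $FN comparison and by $UsnJrnl, rather than as proof on its own.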



PowerForensics: a PowerShell framework for hard drive forensic analysis

Simple to install and with a lot of features

The purpose of PowerForensics is to provide an all-inclusive framework for hard drive forensic analysis.

PowerForensics currently supports NTFS and FAT file systems, and work has begun on Extended File System (ext4) and HFS+ support.

PowerForensics is built on a C# class library (assembly) that provides a public forensic API.

All of this module’s cmdlets are built on this public API and tasks can easily be expanded upon to create new cmdlets.


Features and CmdLets

Boot Sector

  • Get-ForensicMasterBootRecord — gets the MasterBootRecord from the first sector of the hard drive
  • Get-ForensicGuidPartitionTable — gets the GuidPartitionTable from the first sector of the hard drive
  • Get-ForensicBootSector — gets the appropriate boot sector (MBR or GPT) from the specified drive
  • Get-ForensicPartitionTable — gets the partition table for the specified drive

Extended File System 4 (ext4)

  • Get-ForensicSuperblock — returns the ext4 SuperBlock object
  • Get-ForensicBlockGroupDescriptor — returns the Block Group Descriptor Table entries
  • Get-ForensicInode — returns the Inode Table entries

New Technology File System (NTFS)

  • Get-ForensicAttrDef — gets definitions of MFT Attributes (parses $AttrDef)
  • Get-ForensicBitmap — determines if a cluster is marked as in use (parses $Bitmap)
  • Get-ForensicFileRecord — gets Master File Table entries (parses $MFT)
  • Get-ForensicFileRecordIndex — gets a file’s MFT record index number
  • Get-ForensicUsnJrnl — gets USN Journal entries (parses $UsnJrnl:$J)
  • Get-ForensicUsnJrnlInformation — gets USN Journal metadata (parses $UsnJrnl:$Max)
  • Get-ForensicVolumeBootRecord — gets the VolumeBootRecord from the first sector of the volume (parses $Boot)
  • Get-ForensicVolumeInformation — gets the $Volume file’s $VOLUME_INFORMATION attribute
  • Get-ForensicVolumeName — gets the $Volume file’s $VOLUME_NAME attribute
  • Get-ForensicFileSlack — gets the specified volume’s slack space
  • Get-ForensicMftSlack — gets the Master File Table (MFT) slack space for the specified volume
  • Get-ForensicUnallocatedSpace — gets the unallocated space on the specified partition/volume (parses $Bitmap)

Windows Artifacts

  • Get-AlternateDataStream — gets the NTFS Alternate Data Streams on the specified volume
  • Get-ForensicEventLog — gets the events in an event log or in all event logs
  • Get-ForensicExplorerTypedPath — gets the file paths that have been typed into the Windows Explorer application
  • Get-ForensicNetworkList — gets a list of networks that the system has previously been connected to
  • Get-ForensicOfficeFileMru — gets files that have been recently opened in Microsoft Office
  • Get-ForensicOfficeOutlookCatalog — gets Outlook .pst file paths
  • Get-ForensicOfficePlaceMru — gets directories that have recently been opened in Microsoft Office
  • Get-ForensicOfficeTrustRecord — gets files that have been explicitly trusted within Microsoft Office
  • Get-ForensicPrefetch — gets Windows Prefetch artifacts by parsing the file’s binary structure
  • Get-ForensicRunKey — gets the persistence mechanism stored in registry run keys
  • Get-ForensicRunMostRecentlyUsed — gets the commands that were issued by the user to the run dialog
  • Get-ForensicScheduledJob — gets Scheduled Jobs (at jobs) by parsing the file’s binary structures
  • Get-ForensicShellLink — gets ShellLink (.lnk) artifacts by parsing the file’s binary structure
  • Get-ForensicSid — gets the machine Security Identifier from the SAM hive
  • Get-ForensicTimezone — gets the system’s timezone based on the registry setting
  • Get-ForensicTypedUrl — gets the Universal Resource Locators (URL) that have been typed into Internet Explorer
  • Get-ForensicUserAssist — gets the UserAssist entries from the specified volume
  • Get-ForensicWindowsSearchHistory — gets the terms that have been searched for using the Windows Search feature

Application Compatibility Cache

  • Get-ForensicAmcache — gets previously run commands from the Amcache.hve registry hive
  • Get-ForensicRecentFileCache — gets previously run commands from the RecentFileCache.bcf file
  • Get-ForensicShimcache — gets previously run commands from the AppCompatCache (AppCompatibility on XP) registry key

Windows Registry

  • Get-ForensicRegistryKey — gets the keys of the specified registry hive
  • Get-ForensicRegistryValue — gets the values of the specified registry key

Forensic Timeline

  • ConvertTo-ForensicTimeline — converts an object to a ForensicTimeline object
  • Get-ForensicTimeline — creates a forensic timeline

Utilities

  • Copy-ForensicFile — creates a copy of a file from its raw bytes on disk
  • Get-ForensicChildItem — returns a directory’s contents by parsing the MFT structures
  • Get-ForensicContent — gets the content of a file from its raw bytes on disk
  • Invoke-ForensicDD — provides a bit for bit copy of a specified device

Installation

  1. Download the correct release from GitHub (PowerForensicsv2 is the PowerShell v2 compliant version of PowerForensics).
  2. Unzip the module into a directory in the PSModulePath (like C:\Program Files\WindowsPowerShell\Modules) and import it with Import-Module PowerForensics.
    For more information about PSModulePath check out this article.