Windows Registry Forensics
Advanced Digital
Forensic Analysis of the
Windows Registry
Harlan Carvey
Dave Hull, Technical Editor
AMSTERDAM • BOSTON • HEIDELBERG • LONDON
NEW YORK • OXFORD • PARIS • SAN DIEGO • SAN FRANCISCO
SINGAPORE • SYDNEY • TOKYO
Syngress is an imprint of Elsevier
Acquiring Editor: Angelina Ward
Development Editor: Heather Scherer
Project Manager: Danielle S. Miller
Designer: Kristen Davis
Syngress is an imprint of Elsevier
30 Corporate Drive, Suite 400, Burlington, MA 01803, USA
© 2011 Elsevier, Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical,
including photocopying, recording, or any information storage and retrieval system, without permission in writing
from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies
and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing
Agency, can be found at our website: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the
Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our
understanding, changes in research methods or professional practices, may become necessary. Practitioners and
researchers must always rely on their own experience and knowledge in evaluating and using any information or
methods described herein. In using such information or methods they should be mindful of their own safety and
the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for
any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from
any use or operation of any methods, products, instructions, or ideas contained in the material herein.
Library of Congress Cataloging-in-Publication Data
Carvey, Harlan A.
Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry / Harlan Carvey.
p. cm.
Includes bibliographical references.
ISBN 978-1-59749-580-6 (pbk.)
1. Microsoft Windows (Computer file) 2. Operating systems (Computers) 3. Computer crimes—Investigation—
Methodology. 4. Computer networks—Security measures. 5. Computer security. 6. Component software. I. Title.
HV8079.C65C373 2011
363.25’62—dc22
2010043198
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.
ISBN: 978-1-59749-580-6
Printed in the United States of America
10 11 12 13 14 10 9 8 7 6 5 4 3 2 1
Typeset by: diacriTech, Chennai, India
For information on all Syngress publications visit our website at www.syngress.com
Dedication
To Terri and Kylie; you are my light and my foundation.
Contents
Preface ix
Acknowledgments xv
About the Author xvii
Chapter 1 Registry Analysis 1
Introduction 1
What Is “Registry Analysis”? 3
What Is the Windows Registry? 14
Registry Structure 23
Summary 32
Frequently Asked Questions 32
References 33
Chapter 2 Tools 35
Introduction 35
Live Analysis 36
Summary 80
Frequently Asked Questions 81
References 82
Chapter 3 Case Studies: The System 85
Introduction 85
Security and SAM Hives 86
System Hive 102
Software Hive 124
BCD Hive 150
Summary 152
Frequently Asked Questions 153
References 155
Chapter 4 Case Studies: Tracking User Activity 159
Introduction 159
Tracking User Activity 161
Scenarios 195
Summary 201
References 201
Index 203
Preface
I am not an expert. I have never claimed to be an expert at anything (at least not seriously done so), least of all an expert in forensic analysis. I am not an expert in Windows Registry analysis. I am simply, by profession, a responder and analyst with some work and research experience in this area. I have also performed a number of analysis engagements, in which information found as part of Registry analysis has played a rather significant role. In one such engagement, Registry analysis allowed me to provide a compelling argument to demonstrate that files known to contain credit card data had been neither found nor accessed by an intruder, thereby reducing the subsequent costs (with respect to notification and fines) to the customer. I have assisted with providing information to demonstrate that certain user accounts had been used to access certain files. More importantly, I have worked through the process of sharing what I have seen with others, by writing this book and sharing what I’ve observed from a practitioner’s perspective. I am not an expert.
When I sat down to write this book, I did so because even in the year 2010, I am amazed at the number of analysts with whom I speak who have no apparent idea of the forensic value of the Windows Registry. Sometimes, when I talk to someone about demonstrating that a user account was used to view files, I get a blank stare. Or after talking about tracking USB devices across systems and no one asks any questions, I get approached by a dozen of the folks from the presentation, between the podium and my exit. It seems that, in many instances, the “abandon hope, all ye who enter here” warning that Microsoft displays on its knowledge base articles regarding the Registry really does a good job . . . of keeping the good guys out, as well as from “digging” or investigating. Sadly, there’s nothing in that admonition that states, “oh, yeah . . . the bad guys are all up in yer Registry!” As a result, many analysts are consistently behind the power curve, learning from the bad guys the new uses for the Registry (persistence, data and executable storage, and so on), often months after they have been established and used.
Windows systems make use of a number of different file types that provide a great deal of value to incident responders and forensic analysts alike, and the Registry is only one of them. Quite a few file types include embedded time stamps that can be used to add significant detail to time lines and may include other valuable information. I chose to focus on the Registry because of the sheer wealth of information available, if you know where to look and you’re willing to do so. To make it easier for me to do this,