Table Of ContentW I N D O W S R E G I S T R Y
F O R E N S I C S
Advanced Digital Forensic
Analysis of the Windows
Registry
Second Edition
HARLAN CARVEY
AMSTERDAM • BOSTON • HEIDELBERG • LONDON
NEW YORK • OXFORD • PARIS • SAN DIEGO
SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO
Syngress is an imprint of Elsevier
Syngress is an imprint of Elsevier
50 Hampshire Street, 5th Floor, Cambridge, MA 02139, USA
Copyright © 2016, 2011 Elsevier Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic
or mechanical, including photocopying, recording, or any information storage and retrieval system,
without permission in writing from the publisher. Details on how to seek permission, further
information about the Publisher’s permissions policies and our arrangements with organizations
such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our
website: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the
Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience
broaden our understanding, changes in research methods, professional practices, or medical treatment
may become necessary.
Practitioners and researchers must always rely on their own experience and knowledge in evaluating
and using any information, methods, compounds, or experiments described herein. In using such
information or methods they should be mindful of their own safety and the safety of others, including
parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume
any liability for any injury and/or damage to persons or property as a matter of products liability,
negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas
contained in the material herein.
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library
Library of Congress Cataloging-in-Publication Data
A catalog record for this book is available from the Library of Congress
ISBN: 978-0-12-803291-6
For information on all Syngress publications
visit our website at https://www.elsevier.com/
Publisher: Todd Green
Acquisition Editor: Chris Katsaropoulos
Editorial Project Manager: Anna Valutkevich
Project Manager: Priya Kumaraguruparan
Designer: Matthew Limbert
To Terri and Kylie; you are my light and my foundation
ABOUT THE AUTHOR
Harlan Carvey is a senior information security researcher
with the Dell SecureWorks Counter Threat Unit—Special Ops
(CTU-SO) team, where his efforts are focused on targeted threat
hunting, response, and research. He continues to maintain a pas-
sion and focus in analyzing Windows systems, and in particular,
the Windows Registry.
Harlan is an accomplished author, public speaker, and open
source tool author. He dabbles in other activities, including home
brewing and horseback riding. As a result, he has become quite
adept at backing up and parking a horse trailer.
Harlan earned a bachelor’s degree in electrical engineering
from the Virginia Military Institute and a master’s degree in the
same discipline from the Naval Postgraduate School. He served
in the United States Marine Corps, achieving the rank of captain
before departing the service. He resides in Northern Virginia with
his family.
ABOUT THE TECHNICAL EDITOR
Mari DeGrazia is a Senior Security Consultant with the Verizon
RISK team, which provides Incident Response services on a global
scale. During her tenure with Verizon, Mari has investigated high-
profile breach cases and computer security incidents. Prior to
Verizon, Mari worked civil and felony criminal cases as a digital
forensics examiner which included testimony as an expert wit-
ness. Mari has a Bachelor’s of Science in Computer Science from
Hawaii Pacific University as well as various certificates related to
Digital Forensics. She is currently pursuing her Masters of Science
in Digital Forensics.
PREFACE
I am not an expert. I don’t know everything. In particular, I do
not and have never claimed to be an expert at analyzing Windows
systems nor in analyzing the Windows Registry. What I have done is
taken all that stuff I’ve got written down over the years, in different
places, as well as stuff I’ve found online, stuff I’ve found after run-
ning malware in a VM and creating a timeline, etc., and put it into
what I thought would be a logical structure. I then decided to call
some of this stuff “chapters,” and I sent them to Mari to review and
tech edit. She sent them back, I looked at her comments, decided
that she was right in most cases, and sent the chapters into Syn-
gress. They made it into a book. That’s a process, and it doesn’t
make me an expert at anything, especially digital forensic analysis.
When I wrote the first edition of this book, I mentioned in the
preface that by 2010, I had met a good number of forensic analysts
who had little apparent knowledge of the value that the Windows
Registry can hold. As 2015 draws to a close and I am submitting
the manuscript for the second edition of the book, the same holds
true. Data within the Windows Registry can provide a great deal of
context to investigations, illustrating user access to files, devices
that have been attached to the system, applications that have
been executed, and users that have been added to the system.
Configuration settings maintained with the Registry will inform
the analyst as to what they can expect to see on the system; did
deleted files bypass the Recycle Bin, was the page file cleared at
shutdown, and what is the effective audit policy for the system?
I’ve used information from the Registry to determine that a user
intentionally infected a system with a remote access Trojan (RAT)
and then attempted to “clean up” after removing the malware.
Prior to sharing my findings, the popular notion was that systems
infected with that RAT were the result of spear phishing.
Throughout this book, I have maintained a good deal of infor-
mation specific to Windows XP and 2003 systems, because they
are still out there. However, I’ve included more information
regarding Windows 7, as well as 8, 8.1, and Windows 10 systems,
where possible. There are things that we still don’t know about
Windows 7 systems, and at the time of this writing, Windows 10 is
still somewhat new. However, it’s likely that by the time the book
is published and on the shelves, that holiday season would have
resulted in a large number of newly purchased systems arriving
with Windows 10 preinstalled. As such, there is still a great deal of
research to be done, and even more to discover about Windows 10.
xiv PREFACE
Again, I am not an expert, and I don’t know it all; I have simply
tried to include some of what I’ve encountered and experienced
in this book.
Intended Audience
The intended audience for this book is anyone analyzing Win-
dows systems. This includes, but is not limited to, law enforce-
ment officers, military personnel, those in academia (students,
professors, lab assistants, etc.), as well as investigators in full-time
employment and consulting positions. IT admins and managers
will find useful things in the chapters of this book.
So…yeah…the intended audience is “everyone who performs
incident response and/or digital forensic analysis of Windows sys-
tems,” and this also includes anyone interested in doing so.
Book Organization
This book consists of five chapters following this preface. Those
chapters are as follows:
Chapter 1: Registry Analysis
In the first chapter of the book, we go over some of the basic
concepts of digital forensic analysis and then present some basic
information about the Windows Registry; where it can be found in
the file system, nomenclature, that sort of thing. This chapter may
seem somewhat rudimentary to some, but it lays a foundation for
the rest of the book. Over the years, and even today, I find that
there are some examiners who try to jump into Registry analysis
and go from “0 to 60” without that base foundational knowledge.
This understanding of Registry analysis is critical, as it allows the
examiner to be discerning of not only the tools used but also of the
available data itself.
Chapter 2: Processes and Tools
In this chapter, we discuss some open source and freeware
tools that are available to analysts. There are viewers and data
extraction tools available, and it’s important for analysts to under-
stand the strengths and weaknesses of each class of tool, as well as
each individual tool, when using them.
What you won’t find discussed in this chapter is the use of
commercial analysis suites. The decision to go this route was
PREFACE xv
a conscious one, with two guiding reasons. The first is that it’s
important for analysts to be aware of their analysis goals and what
it is they’re trying to achieve, before using an automated tool set.
The second reason is simply that I don’t have access to the
commercial tools. And honestly, I don’t want access to them. But
don’t misunderstand my reasoning as to why; it’s not the suites
themselves that I have an issue with, it’s how most analysts use
them. So, again, my goal with this book is to provide a resource
from which analysts can build a solid foundation.
Chapter 3: Analyzing the System Hives
In this chapter, we discuss the Registry hives that pertain to the
system as a whole (not specifically to the users). In this edition,
I wanted to organize the keys and values discussed into “artifact
categories,” in the hope of making it a bit clearer as to why an ana-
lyst would be interested in the various keys and values in the first
place.
For example, one of the things I’ve tried to illustrate with respect
to the value of Registry analysis is that even some of the stealthiest
malware found needs to persist in some manner. In 2015, analysts
from a computer security company published their findings with
respect to extremely stealthy malware named “Moker”; they went
into significant detail regarding how the malware itself was writ-
ten to avoid detection and hamper analysis. However, in the com-
ments section of their blog post, they mentioned that the malware
persisted via the use of the “Run” key, which should make it trivial
to detect something anomalous on the system.
I’ve also tried to illustrate the value of Registry analysis by dis-
cussing how system configuration settings within the Registry can
impact an investigation, as well as how there are various bits of
malware that leave traces in the Registry that have nothing to do
with persistence (the values appear in some cases to be associated
with the configuration of the malware).
Chapter 4: Case Studies: User Hives
In this chapter, we discuss the Registry hives specific to the
user, and once again, present various Registry keys and values of
interest to analysts broken down into artifact categories. There is a
great deal of valuable information within the user’s hives that can
have a significant impact on an investigation. I’ve had occasion to
examine systems thought to have been infected with remote access
Trojans (RATs) through the use of spear phishing or a “watering
hole attack” (also referred to as a strategic web compromise), only
xvi PREFACE
to find that the user had purposely infected the system. In more
than one instance, I’ve also used data derived from the user hives
to illustrate that a user or administrator had attempted to “clean
up” a malware infection.
Chapter 5: RegRipper
In the final chapter of the book, we specifically discuss the
RegRipper tool itself. Over the years, I’m aware that there are a
lot of folks who use RegRipper but largely from the perspective of
downloading and running the GUI for the tool. I don’t think that
what folks are aware of is that RegRipper can be a much more pow-
erful tool, if you know a bit more about how it functions and how
it can be used. My hope is that a few will not only develop a better
understanding of the tool but also choose to open an editor and
write their own plugins. Consider this chapter a “user manual” of
sorts.
ACKNOWLEDGMENTS
I start by thanking my Lord and Savior Jesus Christ, for it is with
His many wondrous blessings that this book is possible. A man’s
achievements are not his alone when done with the right heart,
and I know in my heart that for all of the things to come together
that made this book possible is a gift and blessing for which I am
forever grateful.
I’d also like to thank my lovely wife for putting up with my
nerdy ways and my excitement in digital forensic and Windows
Registry analysis. I know that you don’t get as excited as I do when
I see or achieve the things I do, but I’m thankful that you let me do
those things.
I’d like to thank Mari DeGrazia, my technical editor, for not only
providing excellent insight and feedback throughout the process of
writing this book but also for engaging in discussions with me to
help sort of my thoughts about the new book out. Engagement and
discussion is something sorely absent within the DFIR community,
and I am thankful that folks like Mari and Corey Harrell are willing
to engage in discussions relevant to our field. After all, this is the
really the best way for us to grow as analysts.
I’d be remiss if I didn’t thank Corey for his time and the effort he
put into his autorip tool, as well as exchanges we had over artifact
categories. Corey’s insight into incident response issues has been
invaluable over the years.
I’d also like to thank Eric Zimmerman for all of the great work
he’s done in the area of Windows Registry analysis, as well as in cre-
ating and updating his Registry Explorer tool. Eric has also produced
and made other tools available.
A special “thank you” goes to Cindy Murphy for providing some
hive files from a Windows phone. The fact is that RegRipper does
work with these hive files; the structure is identical to what’s found
on Windows computers, but the keys and values, and their uses,
clearly differ. More importantly, there are those within the “com-
munity” who are reticent to share any data, even from VMs, for a
wide variety of reasons, and here’s a member of law enforcement
sharing data…simply because she can. Thank you, Cindy.
Finally, I’d like to thank the Syngress staff for making this book
possible.
