WINDOWS REGISTRY FORENSICS
Advanced Digital Forensic Analysis of the Windows Registry
Second Edition

HARLAN CARVEY

AMSTERDAM • BOSTON • HEIDELBERG • LONDON • NEW YORK • OXFORD • PARIS • SAN DIEGO • SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO

Syngress is an imprint of Elsevier
50 Hampshire Street, 5th Floor, Cambridge, MA 02139, USA

Copyright © 2016, 2011 Elsevier Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.

Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library

Library of Congress Cataloging-in-Publication Data
A catalog record for this book is available from the Library of Congress

ISBN: 978-0-12-803291-6

For information on all Syngress publications visit our website at https://www.elsevier.com/

Publisher: Todd Green
Acquisition Editor: Chris Katsaropoulos
Editorial Project Manager: Anna Valutkevich
Project Manager: Priya Kumaraguruparan
Designer: Matthew Limbert

To Terri and Kylie; you are my light and my foundation

ABOUT THE AUTHOR

Harlan Carvey is a senior information security researcher with the Dell SecureWorks Counter Threat Unit—Special Ops (CTU-SO) team, where his efforts are focused on targeted threat hunting, response, and research. He continues to maintain a passion and focus in analyzing Windows systems, and in particular, the Windows Registry. Harlan is an accomplished author, public speaker, and open source tool author. He dabbles in other activities, including home brewing and horseback riding. As a result, he has become quite adept at backing up and parking a horse trailer.

Harlan earned a bachelor’s degree in electrical engineering from the Virginia Military Institute and a master’s degree in the same discipline from the Naval Postgraduate School. He served in the United States Marine Corps, achieving the rank of captain before departing the service. He resides in Northern Virginia with his family.
ABOUT THE TECHNICAL EDITOR

Mari DeGrazia is a Senior Security Consultant with the Verizon RISK team, which provides Incident Response services on a global scale. During her tenure with Verizon, Mari has investigated high-profile breach cases and computer security incidents. Prior to Verizon, Mari worked civil and felony criminal cases as a digital forensics examiner, which included testimony as an expert witness. Mari has a Bachelor of Science in Computer Science from Hawaii Pacific University as well as various certificates related to Digital Forensics. She is currently pursuing her Master of Science in Digital Forensics.

PREFACE

I am not an expert. I don’t know everything. In particular, I do not and have never claimed to be an expert at analyzing Windows systems nor in analyzing the Windows Registry. What I have done is taken all that stuff I’ve got written down over the years, in different places, as well as stuff I’ve found online, stuff I’ve found after running malware in a VM and creating a timeline, etc., and put it into what I thought would be a logical structure. I then decided to call some of this stuff “chapters,” and I sent them to Mari to review and tech edit. She sent them back, I looked at her comments, decided that she was right in most cases, and sent the chapters into Syngress. They made it into a book. That’s a process, and it doesn’t make me an expert at anything, especially digital forensic analysis.

When I wrote the first edition of this book, I mentioned in the preface that by 2010, I had met a good number of forensic analysts who had little apparent knowledge of the value that the Windows Registry can hold. As 2015 draws to a close and I am submitting the manuscript for the second edition of the book, the same holds true.
Data within the Windows Registry can provide a great deal of context to investigations, illustrating user access to files, devices that have been attached to the system, applications that have been executed, and users that have been added to the system. Configuration settings maintained within the Registry will inform the analyst as to what they can expect to see on the system; did deleted files bypass the Recycle Bin, was the page file cleared at shutdown, and what is the effective audit policy for the system? I’ve used information from the Registry to determine that a user intentionally infected a system with a remote access Trojan (RAT) and then attempted to “clean up” after removing the malware. Prior to sharing my findings, the popular notion was that systems infected with that RAT were the result of spear phishing.

Throughout this book, I have maintained a good deal of information specific to Windows XP and 2003 systems, because they are still out there. However, I’ve included more information regarding Windows 7, as well as 8, 8.1, and Windows 10 systems, where possible. There are things that we still don’t know about Windows 7 systems, and at the time of this writing, Windows 10 is still somewhat new. However, it’s likely that by the time the book is published and on the shelves, that holiday season would have resulted in a large number of newly purchased systems arriving with Windows 10 preinstalled. As such, there is still a great deal of research to be done, and even more to discover about Windows 10.

Again, I am not an expert, and I don’t know it all; I have simply tried to include some of what I’ve encountered and experienced in this book.

Intended Audience

The intended audience for this book is anyone analyzing Windows systems.
This includes, but is not limited to, law enforcement officers, military personnel, those in academia (students, professors, lab assistants, etc.), as well as investigators in full-time employment and consulting positions. IT admins and managers will find useful things in the chapters of this book.

So…yeah…the intended audience is “everyone who performs incident response and/or digital forensic analysis of Windows systems,” and this also includes anyone interested in doing so.

Book Organization

This book consists of five chapters following this preface. Those chapters are as follows:

Chapter 1: Registry Analysis

In the first chapter of the book, we go over some of the basic concepts of digital forensic analysis and then present some basic information about the Windows Registry; where it can be found in the file system, nomenclature, that sort of thing. This chapter may seem somewhat rudimentary to some, but it lays a foundation for the rest of the book. Over the years, and even today, I find that there are some examiners who try to jump into Registry analysis and go from “0 to 60” without that base foundational knowledge. This understanding of Registry analysis is critical, as it allows the examiner to be discerning of not only the tools used but also of the available data itself.

Chapter 2: Processes and Tools

In this chapter, we discuss some open source and freeware tools that are available to analysts. There are viewers and data extraction tools available, and it’s important for analysts to understand the strengths and weaknesses of each class of tool, as well as each individual tool, when using them.

What you won’t find discussed in this chapter is the use of commercial analysis suites. The decision to go this route was a conscious one, with two guiding reasons. The first is that it’s important for analysts to be aware of their analysis goals and what it is they’re trying to achieve, before using an automated tool set.
The second reason is simply that I don’t have access to the commercial tools. And honestly, I don’t want access to them. But don’t misunderstand my reasoning as to why; it’s not the suites themselves that I have an issue with, it’s how most analysts use them. So, again, my goal with this book is to provide a resource from which analysts can build a solid foundation.

Chapter 3: Analyzing the System Hives

In this chapter, we discuss the Registry hives that pertain to the system as a whole (not specifically to the users). In this edition, I wanted to organize the keys and values discussed into “artifact categories,” in the hope of making it a bit clearer as to why an analyst would be interested in the various keys and values in the first place. For example, one of the things I’ve tried to illustrate with respect to the value of Registry analysis is that even some of the stealthiest malware found needs to persist in some manner. In 2015, analysts from a computer security company published their findings with respect to extremely stealthy malware named “Moker”; they went into significant detail regarding how the malware itself was written to avoid detection and hamper analysis. However, in the comments section of their blog post, they mentioned that the malware persisted via the use of the “Run” key, which should make it trivial to detect something anomalous on the system.

I’ve also tried to illustrate the value of Registry analysis by discussing how system configuration settings within the Registry can impact an investigation, as well as how there are various bits of malware that leave traces in the Registry that have nothing to do with persistence (the values appear in some cases to be associated with the configuration of the malware).

Chapter 4: Case Studies: User Hives

In this chapter, we discuss the Registry hives specific to the user, and once again, present various Registry keys and values of interest to analysts broken down into artifact categories.
There is a great deal of valuable information within the user’s hives that can have a significant impact on an investigation. I’ve had occasion to examine systems thought to have been infected with remote access Trojans (RATs) through the use of spear phishing or a “watering hole attack” (also referred to as a strategic web compromise), only to find that the user had purposely infected the system. In more than one instance, I’ve also used data derived from the user hives to illustrate that a user or administrator had attempted to “clean up” a malware infection.

Chapter 5: RegRipper

In the final chapter of the book, we specifically discuss the RegRipper tool itself. Over the years, I’m aware that there are a lot of folks who use RegRipper but largely from the perspective of downloading and running the GUI for the tool. I don’t think that what folks are aware of is that RegRipper can be a much more powerful tool, if you know a bit more about how it functions and how it can be used. My hope is that a few will not only develop a better understanding of the tool but also choose to open an editor and write their own plugins. Consider this chapter a “user manual” of sorts.

ACKNOWLEDGMENTS

I start by thanking my Lord and Savior Jesus Christ, for it is with His many wondrous blessings that this book is possible. A man’s achievements are not his alone when done with the right heart, and I know in my heart that for all of the things to come together that made this book possible is a gift and blessing for which I am forever grateful.

I’d also like to thank my lovely wife for putting up with my nerdy ways and my excitement in digital forensic and Windows Registry analysis. I know that you don’t get as excited as I do when I see or achieve the things I do, but I’m thankful that you let me do those things.
I’d like to thank Mari DeGrazia, my technical editor, for not only providing excellent insight and feedback throughout the process of writing this book but also for engaging in discussions with me to help sort out my thoughts about the new book. Engagement and discussion are something sorely absent within the DFIR community, and I am thankful that folks like Mari and Corey Harrell are willing to engage in discussions relevant to our field. After all, this is really the best way for us to grow as analysts.

I’d be remiss if I didn’t thank Corey for his time and the effort he put into his autorip tool, as well as exchanges we had over artifact categories. Corey’s insight into incident response issues has been invaluable over the years.

I’d also like to thank Eric Zimmerman for all of the great work he’s done in the area of Windows Registry analysis, as well as in creating and updating his Registry Explorer tool. Eric has also produced and made other tools available.

A special “thank you” goes to Cindy Murphy for providing some hive files from a Windows phone. The fact is that RegRipper does work with these hive files; the structure is identical to what’s found on Windows computers, but the keys and values, and their uses, clearly differ. More importantly, there are those within the “community” who are reticent to share any data, even from VMs, for a wide variety of reasons, and here’s a member of law enforcement sharing data…simply because she can. Thank you, Cindy.

Finally, I’d like to thank the Syngress staff for making this book possible.