Windows Forensics

Windows Registry Analysis 101

by Chirath De Alwis

Computer forensics is the process of methodically examining computer media (hard disks, diskettes, tapes, etc.) for evidence [1]. Within computer forensics, registry analysis plays a large role because of the volume of data stored in the registry and the evidential value of that data, so extracting it correctly is a key part of an investigation. Few tools extract forensically valuable data from registry files automatically, so investigators often have to locate it manually. The file format makes this harder: the hive files on disk (SAM, SYSTEM, SOFTWARE, SECURITY, NTUSER.DAT) are binary files in the "regf" format, not the text .REG files that Registry Editor exports, and they have to be parsed before their contents can be read. Inside a hive, data is organised under named containers called "Keys", each holding named "Values" that carry the actual data. A further challenge is that many investigators do not know which Keys exist or what data is stored under them. This article provides an overview of registry file acquisition, registry structure and common issues in registry analysis.

Registry File Acquisition

The Windows registry is a central hierarchical database intended to store information that is necessary to configure the system for one or more users, applications or hardware devices [2]. The four main system registry files are SYSTEM, SOFTWARE, SECURITY and SAM; each holds different information, organised under keys. The structure of the Windows registry is similar to file system directories. The system hive files are located in C:\Windows\System32\config\ (per-user settings live in each user's NTUSER.DAT, discussed below). Each of these files contains a great deal of forensically valuable information.

Investigating the Windows registry is a difficult task, because to examine it properly the hive files have to be taken off the computer. This is not a normal copy-and-paste operation: the running system keeps the hive files open and writes to them continuously, so Windows locks them and an ordinary file copy fails. The files therefore have to be read from the raw volume, or from a disk image, with third-party software such as FTK Imager [3], EnCase Forensic [4] or similar tools. FTK Imager is one of the most widely used tools for this task. Apart from using third-party software, research has also shown how to extract registry information from Windows CE memory images [9] and from volatile memory (RAM) [10].

AccessData FTK Imager

AccessData FTK (Forensic Toolkit) Imager is a widely used standalone imaging and preview tool that can be used to extract the Windows registry from a computer. AccessData FTK Imager 3.2.0.0 parses the file system of the selected source and presents its contents as a tree, including files that are locked by the running operating system. It accepts four kinds of evidence source:

  • Physical Drive – Extract from a hard drive
  • Logical Drive – Extract from a partition
  • Image File – Extract from an image file
  • Contents of a Folder – Logical file-level analysis only: excludes deleted files and unallocated space 

The steps to extract registry files from Access Data FTK Imager 3.2.0.0 are as follows.

Step 1 – Open “Access Data FTK Imager 3.2.0.0”.

Figure 1 : Main Window – Access Data FTK Imager 3.2.0.0

Step 2 – Click on “Add Evidence Item” button.

Figure 2 : Select Source Window – Access Data FTK Imager 3.2.0.0

Step 3 – Select “Logical Drive” radio button.

Figure 3 : Select Source Window – Access Data FTK Imager 3.2.0.0

Step 4 – Select source drive.

Figure 4 : Select Drive Window – Access Data FTK Imager 3.2.0.0

Step 5 – Expand the drive in the "Evidence Tree". FTK Imager parses the file system (the $MFT on NTFS) while the progress window is shown.

Figure 5 : FS Progress Window – Access Data FTK Imager 3.2.0.0

Step 6 – Navigate to Windows\System32\config\.

Figure 6 : Extracted Information Window – Access Data FTK Imager 3.2.0.0

Step 7 – Select the hive files (SAM, SECURITY, SOFTWARE, SYSTEM and DEFAULT), right-click and choose "Export Files…". Export the matching transaction logs from the same folder as well (.LOG, or .LOG1 and .LOG2 on Windows Vista and later): the hive on disk can lag behind the live registry until the logs are applied, so recent changes may exist only in the logs. Per-user hives (NTUSER.DAT) are exported the same way from the user profile folders.

Figure 7 : Export File Pop Up Window – Access Data FTK Imager 3.2.0.0

Step 8 – Select the destination folder. Afterwards, right-click the same files and choose "Export File Hash List…" so the MD5/SHA1 hashes of the exported copies are recorded and their integrity can be demonstrated later.

Figure 8 : Browse For Folder Window – Access Data FTK Imager 3.2.0.0

Registry Structure

The structure of the Windows registry is similar to file system directories. Both the Windows registry and the file system are organized in a tree structure [5]. The Windows registry stores all configuration settings as keys [6]. The registry updates its stored configurations according to the changes which are made while hardware and software are being used. In Windows NT-based operating systems (Windows 2000, XP and 2003, and later versions alike) the system hive files are stored in the Windows\System32\Config folder.

As mentioned above, the registry is organised like Windows folders and files. Registry Editor shows five top-level root keys (listed below), which branch into Keys and Sub Keys that hold configuration Values. Strictly, a "Hive" is a subtree that is backed by one file on disk, so the root keys and the hive files do not map one-to-one: HKEY_CLASSES_ROOT, HKEY_CURRENT_USER and HKEY_CURRENT_CONFIG are views assembled at run time from other hives, while HKEY_LOCAL_MACHINE and HKEY_USERS each contain several hives.

Figure 9 : Registry Structure (c) Help.comodo.com, 2019

The figure above shows a Registry Editor window of a computer. It shows the internal structure of the registry. A Hive is a logical group of keys, sub keys and values in the registry that has a set of supporting files containing backups of its data [7]. Registry Editor presents five root keys:

  • HKEY_CLASSES_ROOT (HKCR)
  • HKEY_USERS (HKU)
  • HKEY_CURRENT_USER (HKCU)
  • HKEY_LOCAL_MACHINE (HKLM)
  • HKEY_CURRENT_CONFIG (HKCC)

Each Registry Hive has its own set of supporting files. According to Microsoft, the hives and supporting files are [7]:

  • HKEY_CURRENT_CONFIG – System, System.alt, System.log, System.sav
  • HKEY_CURRENT_USER – Ntuser.dat, Ntuser.dat.log
  • HKEY_LOCAL_MACHINE\SAM – Sam, Sam.log, Sam.sav
  • HKEY_LOCAL_MACHINE\Security – Security, Security.log, Security.sav
  • HKEY_LOCAL_MACHINE\Software – Software, Software.log, Software.sav
  • HKEY_LOCAL_MACHINE\System – System, System.alt, System.log, System.sav
  • HKEY_USERS\.DEFAULT – Default, Default.log, Default.sav

The .alt and .sav files belong to older Windows versions. On Windows Vista and later each hive is accompanied by two transaction logs, <hive>.LOG1 and <hive>.LOG2, and changes that have not yet been written back to the hive exist only there, which is why the logs should be collected together with the hive.

In the HKEY_LOCAL_MACHINE root key there are five main Keys, each containing Sub Keys with configuration information. Four of them (SAM, SECURITY, SOFTWARE, SYSTEM) are hives backed by files of the same name in Windows\System32\Config. HARDWARE is volatile: it is rebuilt at every boot from device detection and has no file on disk, so it is not present in an offline image. The five Keys are:

  • HARDWARE
  • SAM (Security Accounts Manager)
  • SECURITY
  • SOFTWARE
  • SYSTEM

Figure 10 : The files in the Windows\System32\Config folder and their associations with the hives (c) Help.comodo.com, 2019

Figure 10 shows the information contained in the Software, System, SAM, Security, Default and Userdiff files and their respective associated file names.

Registry hive files are allocated in 4096-byte blocks, starting with a header, or base block, and continuing with a series of hive bin blocks. Each hive bin (HBIN) is typically 4096 bytes [5], and larger bins are multiples of 4096. A bin starts with a 32-byte "hbin" header and is then filled with variable-size cells, each prefixed by a signed size field whose sign records whether the cell is allocated (negative) or free (positive). Key nodes, value records and lists live in these cells, and freed cells often keep their old contents, which is what makes recovery of deleted keys and values possible [5].
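To make the structure concrete, here is an added example in Python, written for this article rather than taken from the original or from any of the tools cited. It parses the on-disk hive format described above: it checks the "regf" signature (the check that distinguishes a hive from an exported .REG text file), verifies the base-block checksum, compares the two sequence numbers to detect a hive that was mid-update when acquired, walks every hive bin and cell, and reports key nodes that still sit in free cells, which is the basis for recovering deleted keys [5]. Because no real hive can be shipped with the text, the input is a constructed two-block hive built by build_sample_hive(); the offsets are those of the regf format, while the function names and the sample key names are this example's own.

```python
"""Minimal parser for the on-disk Windows hive ("regf") format.
Sample input is constructed by build_sample_hive(); parse_hive() also works on a
real hive exported from Windows\\System32\\config (open it with open(path, "rb")).
"""
import struct

BASE_BLOCK = 4096   # header ("base block") size; hive bins start right after it
HBIN_HEADER = 32    # every "hbin" begins with a 32-byte header, then a run of cells
NK_HEADER = 0x4C    # fixed part of a key node ("nk"); the key name follows it


def regf_checksum(base_block: bytes) -> int:
    """XOR of the 127 DWORDs at offsets 0x000-0x1FB; Windows stores it at 0x1FC."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:508]):
        csum ^= dword
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(csum, csum)  # degenerate values are remapped


def cell_key_name(data: bytes, cell: int) -> str:
    """Name of the 'nk' record in the cell that starts at file offset `cell`."""
    body = cell + 4                                   # skip the 4-byte cell size field
    if data[body:body + 2] != b"nk":
        raise ValueError(f"no key node at 0x{cell:X}")
    (flags,) = struct.unpack_from("<H", data, body + 0x02)
    (name_len,) = struct.unpack_from("<H", data, body + 0x48)
    raw = data[body + NK_HEADER:body + NK_HEADER + name_len]
    # KEY_COMP_NAME (0x20): name stored as 8-bit characters, otherwise UTF-16LE
    return raw.decode("latin-1") if flags & 0x20 else raw.decode("utf-16-le")


def parse_hive(data: bytes) -> dict:
    """Validate the base block, then walk every hive bin and every cell inside it."""
    if data[:4] != b"regf":
        raise ValueError("not a binary regf hive (an exported .REG file is plain text)")
    seq1, seq2 = struct.unpack_from("<II", data, 0x04)
    major, minor = struct.unpack_from("<II", data, 0x14)
    root_off, hbins_size = struct.unpack_from("<II", data, 0x24)
    (stored_csum,) = struct.unpack_from("<I", data, 0x1FC)
    report = {
        "version": f"{major}.{minor}",
        "dirty": seq1 != seq2,          # unequal = mid-write; .LOG1/.LOG2 hold the rest
        "checksum_ok": stored_csum == regf_checksum(data[:BASE_BLOCK]),
        "hbins": 0, "allocated_cells": 0, "free_cells": 0,
        "root_key": cell_key_name(data, BASE_BLOCK + root_off),  # offset is relative to hbins
        "deleted_keys": [],             # 'nk' records still intact inside free cells
    }
    pos, end = BASE_BLOCK, BASE_BLOCK + hbins_size
    while pos < end:
        if data[pos:pos + 4] != b"hbin":
            raise ValueError(f"bad hbin signature at 0x{pos:X}")
        (bin_size,) = struct.unpack_from("<I", data, pos + 8)    # multiple of 4096
        report["hbins"] += 1
        cell = pos + HBIN_HEADER
        while cell < pos + bin_size:
            (size,) = struct.unpack_from("<i", data, cell)       # negative = allocated
            if size == 0:
                break                                            # slack in a damaged bin
            if size < 0:
                report["allocated_cells"] += 1
            else:
                report["free_cells"] += 1
                if data[cell + 4:cell + 6] == b"nk":
                    report["deleted_keys"].append(cell_key_name(data, cell))
            cell += abs(size)
        pos += bin_size
    return report


# ---- constructed sample hive (not real evidence) ---------------------------------

def make_nk(name: bytes, flags: int = 0x20) -> bytes:
    body = bytearray(NK_HEADER)
    body[0:2] = b"nk"
    struct.pack_into("<H", body, 0x02, flags)
    for off in (0x10, 0x1C, 0x20, 0x28, 0x2C, 0x30):   # parent, subkey lists, values, security, class
        struct.pack_into("<I", body, off, 0xFFFFFFFF)  # 0xFFFFFFFF = no reference
    struct.pack_into("<H", body, 0x48, len(name))
    return bytes(body) + name


def make_cell(body: bytes, allocated: bool) -> bytes:
    size = (4 + len(body) + 7) & ~7                    # cells are 8-byte aligned
    return struct.pack("<i", -size if allocated else size) + body.ljust(size - 4, b"\0")


def build_sample_hive(dirty: bool = False) -> bytes:
    cells = make_cell(make_nk(b"ROOT", 0x2C), True)   # 0x2C: hive entry | no delete | comp name
    cells += make_cell(make_nk(b"OldKey"), False)     # freed cell whose old 'nk' survives
    slack = BASE_BLOCK - HBIN_HEADER - len(cells)
    cells += struct.pack("<i", slack) + b"\0" * (slack - 4)          # one big free cell
    hbin = b"hbin" + struct.pack("<II", 0, BASE_BLOCK) + b"\0" * 20 + cells
    base = bytearray(BASE_BLOCK)
    base[0:4] = b"regf"
    struct.pack_into("<II", base, 0x04, 7, 6 if dirty else 7)        # primary / secondary sequence
    struct.pack_into("<IIII", base, 0x14, 1, 5, 0, 1)                # major, minor, type 0 = primary, format
    struct.pack_into("<III", base, 0x24, HBIN_HEADER, BASE_BLOCK, 1)  # root cell, hbins size, clustering
    base[0x30:0x3C] = "SAMPLE".encode("utf-16-le")                  # hive file name field
    struct.pack_into("<I", base, 0x1FC, regf_checksum(bytes(base)))
    return bytes(base) + hbin


if __name__ == "__main__":
    print(parse_hive(build_sample_hive()))
```

On a real acquisition the two checks in the base block are the ones to look at first: a failed checksum means the header was damaged or the export is truncated, and a "dirty" hive (sequence numbers differ) means the copy is incomplete without its transaction logs.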

Issues in Registry Analysis

There are a few main issues that investigators face when analysing registry files.

  • Data Completeness – The amount of information an investigation needs depends on its type, and some cases need far more than others. Investigators should therefore confirm that the data they hold is present and complete (for example, that a hive and its transaction logs were both collected). If it is not, the investigation takes longer to complete and is therefore more costly.
  • Missing Data – Missing data reduces the accuracy of the investigation. Missing data can be sorted into three categories of randomness [8]:
      • Missing completely at random (MCAR)
      • Missing at random (MAR)
      • Missing not at random (MNAR)
  • Extracting Data – Analysis is carried out on an exported copy of a hive, and that copy is a snapshot. Anything written to the live registry after acquisition is not in it, so investigators cannot collect further information from the same capture once the hive has been exported.
  • Lack of Knowledge About Keys – Registry files store data under unique keys, and many investigators do not know all the keys that a hive can contain. This can lead to a lot of information being missed. For some keys the meaning of the stored data is not documented at all.
  • Registry File Format – Registry files are stored in C:\Windows\System32\config\ (and per-user hives as NTUSER.DAT in each profile folder) in the binary regf format; they must be parsed with a hive parser and converted into a readable form before they can be used in an investigation.

References

  1. Vacca, J. (2005). Computer Forensics: Computer Crime Scene Investigation. 2nd ed.
  2. Carvey, H. (2011). Windows Registry Forensics. Burlington: Elsevier Science.
  3. AccessData. (2019). FTK Imager. [online] Available at: https://accessdata.com/product-download/ftk-imager-version-4.2.0 [Accessed 20 March 2019].
  4. Guidance Software. (2019). EnCase Forensic. [online] Available at: https://www.guidancesoftware.com/encase-forensic [Accessed 21 March 2019].
  5. Morgan, T. D. (2008). Recovering deleted data from the Windows registry. Digital Investigation, 5 (Supplement), pp. S33–S41 (cited: S35, S36). [online] Available at: http://www.sciencedirect.com [Accessed 20 March 2019].
  6. Help.comodo.com. (2019). Windows Registry – Overview, Structure, Benefits, Registry Cleaner | Cloud Scanner Version 2.0. [online] Available at: https://help.comodo.com/topic-73-1-147-845-.html [Accessed 23 March 2019].
  7. Msdn.microsoft.com. (2019). Registry Hives (Windows). [online] Available at: https://msdn.microsoft.com/en-us/library/windows/desktop/ms724877(v=vs.85).aspx [Accessed 20 March 2019].
  8. Gliklich, R., Dreyer, N. and Leavy, M. (2014). Analysis, Interpretation, and Reporting of Registry Data To Evaluate Outcomes. Agency for Healthcare Research and Quality (US). [online] Available at: http://www.ncbi.nlm.nih.gov/books/NBK208602/ [Accessed 20 March 2019].
  9. Yang, S. et al. (2013). A Method on Extracting Registry Information from Windows CE Memory Images. [online] Available at: https://ieeexplore.ieee.org/document/6835701 [Accessed 25 March 2019].
  10. Zhang, S., Wang, L. and Zhang, L. (2011). Extracting Windows registry information from physical memory. [online] Available at: https://ieeexplore.ieee.org/document/5764089 [Accessed 25 March 2019].

About The Author

Chirath De Alwis is an information security professional with more than four years' experience in the information security domain. He holds a BEng (Hons), a PGDip and eight professional certifications in cyber security, and is also reading for an MSc specialising in Cyber Security. Currently, Chirath is involved in vulnerability management, threat intelligence, incident handling and digital forensics activities in Sri Lankan cyberspace. You can contact him at chirathdealwis@gmail.com.

About Scar de Courcier

Scar de Courcier is Senior Editor at Forensic Focus.
