Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Download
Standard view
Full view
of .
Look up keyword
Like this
1Activity
0 of .
Results for:
No results containing your search query
P. 1
A Windows Registry Quick Reference

A Windows Registry Quick Reference

Ratings: (0)|Views: 11|Likes:
Published by lil_king420
This quick-reference contains the following sections:

1. Registry Hive Locations
2. Time Zone Information
3. Time Stamp Structure
4. Autorun Locations
5. MRU Lists
6. UserAssist
7. Wireless Networks
8. LAN Computers
9. USB Devices
10. Mounted Devices
11. Internet Explorer
12. Windows Passwords
13. P2P Clients
14. Instant Messaging Applications
This quick-reference contains the following sections:

1. Registry Hive Locations
2. Time Zone Information
3. Time Stamp Structure
4. Autorun Locations
5. MRU Lists
6. UserAssist
7. Wireless Networks
8. LAN Computers
9. USB Devices
10. Mounted Devices
11. Internet Explorer
12. Windows Passwords
13. P2P Clients
14. Instant Messaging Applications

More info:

Published by: lil_king420 on Sep 03, 2013
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

09/05/2014

pdf

text

original

 
 1
A Windows Registry Quick-Reference
for the Everyday Examiner
Derrick J. Farmer Burlington, Vermont
dfarmer03@gmail.com
Abstract
The Windows Registry is an important source of evidence for examiners in the field of computer and digital forensics. This quick-reference provides a brief guide to the mostcommonly examined areas of the Windows XP Registry. References to morecomprehensive sources of information on the Windows Registry are provided.
Introduction
This quick reference was created for examiners in the field of computer and digitalforensics. It can often be time consuming and inconvenient to drop everything and thumb through a 200 page book or scroll through a 200 page PDF for a quick referenceduring a Windows Registry analysis. This reference is by no means comprehensive, and an in-depth discussion of each topic is beyond the scope of this guide. All research wasconducted in a Windows XP environment.In addition, other established examination methods and precautions should be practiced when conducting a forensic analysis. If the exploration of the Windows Registry isdesired, please do so at your own risk.This quick-reference contains the following sections:1.
 
Registry Hive Locations2.
 
Time Zone Information3.
 
Time Stamp Structure4.
 
Autorun Locations5.
 
MRU Lists6.
 
UserAssist7.
 
Wireless Networks8.
 
LAN Computers9.
 
USB Devices10.
 
Mounted Devices11.
 
Internet Explorer 12.
 
Windows Passwords13.
 
P2P Clients14.
 
Instant Messaging Applications
 
 2
1. Registry Hive Locations
 
As seen in regedt32.exe, the left-hand pane (also referred to as the key pane) contains anorganized listing of what appear to be folders. The five most hierarchal folders are called hives and begin with .HKEY (an abbreviation for Handle to a Key). Although five hivescan be seen, only two of these are actually real, HKEY_USERS (HKU) and HKEY_LOCAL_MACHINE (HKLM). The other three are shortcuts or aliases to branches within one of the two hives.
The system files that correspond to each Registry hive.
Registry Hive Location
HKEY_USERS \Documents and Settings\User Profile\NTUSER.DATHKEY_USERS/.DEFAULT \WINDOWS\system32\config\defaultHKEY_LOCAL_MACHINE/SAM \WINDOWS\system32\config\SAMHKEY_LOCAL_MACHINE/SECURITY \WINDOWS\system32\config\SECURITYHKEY_LOCAL_MACHINE/SOFTWARE \WINDOWS\system32\config\softwareHKEY_LOCAL_MACHINE/SYSTEM \WINDOWS\system32\config\system
 Registry hives and their supporting files.
Registry Hive Supporting files
HKEY_USERS ntuser.dat, ntuser.dat.logHKEY_USERS/.DEFAULT default, default.log, default.savHKEY_LOCAL_MACHINE/SAM sam, sam.log, sam.savHKEY_LOCAL_MACHINE/SECURITY security, security.log, security.savHKEY_LOCAL_MACHINE/SOFTWARE software, software.log, software.savHKEY_LOCAL_MACHINE/SYSTEM system, system.alt, system.log, system.sav
System file extensions associated with Registry files.
Registry Hive Description
 No extension A complete copy of the hive data.alt A backup copy of the SYSTEM hive, the only hive that associates a .alt extension..log A log file that records the changes to key and value entries in the hive..sav A copy of the hive file as it appeared during the initial installation of the OS.
 Registry files and their typical content.
Registry File Content
 NTUSER.DAT Protected storage for user, MRU lists, User’s preference settings.DEFAULT System settings set during initial install of operating system.SAM Security settings and user account management.SECURITY Security settings.SOFTWARE All installed programs on the system and their settings associated with them.SYSTEM System settings.
Note:
On Windows 98/ME machines the registry data is contained in two files,
 
 3system.dat and user.dat, located in \Windows. There is also a user.dat file specific toevery user profile in \Windows\profiles\user profile.For more information on Registry structure in general:
http://msdn2.microsoft.com/en-us/library/ms724182.aspx
2. Time Zone Information
The TZI key is a critical reference for supporting a consistent timeline of evidence.There are certain values contained within this key that can help determine time zone and daylight savings time (DST) information, which may be necessary in converting UTCtimestamps to local time. DST does not affect UTC time, but it can play a significant rollin determining local time.
HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
Values of Interest:
ActiveTimeBiasBiasDaylightBiasStandardBias
 
 Formulas of Interest:
UTC = Local Time + ActiveTimeBiasLocal Time = UTC – ActiveTimeBiasStandard Time = Bias + StandardBiasDaylight Time = Bias + DaylightBias
 
Note:
Decimal values in the data field represents time in minutes. For more informationon time zone
 
information structure
:
http://msdn2.microsoft.com/en-us/library/ms725481.aspx
 
3. Time Stamp Structure
All Registry keys contain a value associated with them called the “LastWrite” time,which is very similar to the last modified time of a file. This value is stored as aFILETIME structure and indicates when the Registry key was last modified. In referenceto the Microsoft Knowledge Base, A FILETIME structure represents the number of 100nanosecond intervals since January 1, 1601. The LastWrite time is updated when aregistry key has been created, modified, accessed, or deleted. Unfortunately, only theLastWrite time of a Registry key can be obtained, where as a LastWrite time for theRegistry value cannot. A brief example on deriving the LastWrite time from a Registrykey is demonstrated in section 6, UserAssist.Knowing the LastWrite time of a key could allow a forensic analyst to obtain theapproximate date or time an event occurred. And although one may know the last time aRegistry key was modified, it still remains difficult to determine what value was actuallychanged. Using the Registry as a log is most helpful in the correlation between the

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->