Digital Forensics, Part 5: Analyzing the Windows Registry for Evidence

Digital Forensics

Although nearly all Microsoft Windows users are aware that their system has a registry, few understand what it does, and even fewer understand how to manipulate it for their purposes. As a forensic analyst, the registry can be a treasure trove of evidence of what, where, when, and how something occurred on the system.

In this article, I want to help you to understand how the Windows registry works and what evidence it leaves behind when someone uses the system for good or ill.

What Is the Registry?

The registry is a database of stored configuration information about the users, hardware, and software on a Windows system. Although the registry was designed to configure the system, to do so, it tracks such a plethora of information about the user’s activities, the devices connected to system, what software was used and when, etc. All of this can be useful for the forensic investigator in tracking the who, what, where, and when of a forensic investigation. The key is just knowing where to look.

Hives

Inside the registry, there are root folders. These root folders are referred to as hives. There are five (5) registry hives.

  • HKEY_USERS: contains all the loaded user profiles

  • HKEYCURRENT_USER: profile of the currently logged-on user

  • HKEYCLASSES_ROOT: configuration information on the application used to open files

  • HKEYCURRENT_CONFIG: hardware profile of the system at startup

  • HKEYLOCAL_MACHINE: configuration information including hardware and software settings

Registry Structure

The registry is structured very similarly to the Windows directory/subdirectory structure. You have the five root keys or hives and then subkeys. In some cases, you have sub-subkeys. These subkeys then have descriptions and values that are displayed in the contents pane. Very often, the values are simply 0 or 1, meaning on or off, but also can contain more complex information usually displayed in hexadecimal.

Accessing the Registry

On our own system—not in a forensic mode—we can access the registry by using the regedit utility built into Windows. Simply type regedit in the search window and then click on it to open the registry editor like that below.

Information in the Registry with Forensic Value

As a forensic investigator, the registry can prove to be a treasure trove of information on who, what, where, and when something took place on a system that can directly link the perpetrator to the actions being called into question.

Information that can be found in the registry includes:

  • Users and the time they last used the system

  • Most recently used software

  • Any devices mounted to the system including unique identifiers of flash drives, hard drives, phones, tablets, etc.

  • When the system connected to a specific wireless access point

  • What and when files were accessed

  • A list any searches done on the system

  • And much, much more

Wireless Evidence in the Registry

Many hackers crack a local wireless access point and use it for their intrusions. In this way, if the IP address is traced, it will lead back to the neighbor’s or other wireless AP and not them.

For example, back in January 2012, an Anonymous member, John Borrell III, hacked into the computer systems of the Salt Lake City police department and the Utah Chiefs of Police. The FBI was called in to investigate and they traced the hacker back to the IP address of Blessed Sacrament Church’s Wi-Fi AP in Toledo, Ohio. The hacker had apparently cracked the password of the church’s wireless AP and was using it to hack “anonymously” on the Internet.

Eventually, the FBI was able to find the suspect through various investigation techniques, mostly low-tech, exhaustive, detective work. It helped that John Borrell had bragged on Twitter of his success as a hacker. Eventually, Mr. Borrell was convicted and sentenced to two years in Federal prison.

When the FBI tracked down Mr. Borrell and seized his computer, they were able to prove he had been connected to the church AP by examining his registry. The forensic investigator simply had to look in the registry at this location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

There, you will find a list of GUIDs of wireless access points the machine has been connected to. When you click on one, it reveals information including the SSID name and the date last connected in hexadecimal. So, although Mr. Borrell initially denied his involvement with this hack, this evidence was conclusive and he eventually plead guilty.

You can see in this screenshot below showing the perpetrator had connected to the “HolidayInnColumbia” SSID in November 2014.

The RecentDocs Key

The Windows registry tracks so much information about the user’s activities. In most cases, these registry keys are designed to make Windows run more efficiently and smoothly. As a forensic investigator, these keys are like a road map of the activities of the user or attacker.

One of those keys is the “RecentDocs” key. It tracks the most recent documents used or opened on the system by file extension. It can be found at:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

So, for instance, the most recently used Word documents would be found under .doc or the .docx extension depending upon the version of Word they were created in (each key can hold up to the last 10 documents). If we go to the .docx extension, we see the last 10 Word documents listed under this key.

When we click on one of those keys, it reveals information about the document as seen below. We can view the document data in both hex, to the left, and ASCII, to the right. In this case, it show that this document was a Metasploit course outline.

In some cases, an attacker will upload a .tar file, so that is a good place to look for breach evidence. In general, you won’t see a .tar file extension on a Windows machine, so the presence of an entry here would be something that needs further investigation. Check the files in the .tar key and see what they might reveal about the attack or attacker.

In civil or policy violation investigations, evidence might be found in the various graphic file extensions such as .jpg, .gif, or .png.

TypedURLs Key

When the user types a URL in Internet Explorer, this value is stored in the registry at:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs

When we open that key in the registry, it lists the last URLs that the user visited with IE. This could reveal the source of malicious malware that was used in the breach, or in civil or policy violation types of investigations, may reveal what the user was looking for/at.

The values will run from urI1 (the most recent) to urI25 (the oldest).

IP Addresses

The registry also tracks the IP addresses of the user interfaces. Note that there may be numerous interfaces and this registry key tracks each interface’s IP address and related information.

HKEY_LOCAL_MACHINE\System\Services\CurrentControlSet\services\Tcpip\Parameters\Interfaces

As we can see below, we can find the IP address assigned to the interface, the subnet mask, and the time when the DHCP server leased the IP. In this way, we can tell whether the suspect was using that particular IP at the time of the intrusion or crime.

Start Up Locations in the Registry

As a forensic investigator, we often need to find what applications or services were set to start when the system starts. Malware is often set to start each time the system restarts to keep the attacker connected. This information can be located in the registry in literally tens of locations. We will look at a just a few of the most commonly set keys.

Probably the most used location is:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Any software/locations designated in these subkeys will start every time the system starts. Rootkits and other malicious software can often be found here and they will start each time the system starts.

RunOnce Startup

If the hacker just wanted the software to run once at start up, the subkey may be set here.

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Start Up Services

The key below lists all the services that set to start at system startup. If the key is set to 2, the service starts automatically; if it is set to 3, the service must be started manually; and if the key is set to 4, the service is disabled.

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

Start Legacy Applications

When legacy 16-bit applications are run, the program listed is run at:

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WOW

Start When a Particular User Logs On

In the following key, the values are run when the specific user logs in.

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Storage Artifacts in the Registry

Often, the suspect will use a Flash drive or hard drive for their malicious activities and then remove them so as not to leave any evidence. The skilled forensic investigator, though, can still find traces of evidence of those storage devices within the registry, if they know where to look.

The registry on a Windows system varies a bit from version to version. A skilled, professional digital forensic investigator needs to be able to work with nearly all versions of Windows and other operating systems. Since Windows 7 is still the most widely used operating system, by far, I will be demonstrating on it. Keep in mind, though, that this will vary slightly between versions.

USB Storage Devices

Imagine a case where we suspect that someone installed a keylogger or removed confidential information with a USB drive. How would we find evidence that a USB storage device was inserted and used? To find evidence of USB storage devices, we want to look at the following key.

HK_Local_Machine\System\ControlSet00x\Enum\USBSTOR

In this key, we will find evidence of any USB storage device that has ever been connected to this system. Expand USBSTOR to see a listing of every USB storage device ever connected to this system.

 

In the screenshot above, I have circled one suspicious looking USB device. When we expand it, it reveals a unique identifier for that device. By clicking on this identifier, we can find much more information about the device.

As you can see in the screenshot above, when we click on the USB storage identifier, it reveals in the right-hand window the Global Unique Identifier (GUID), the friendly name, and the hardware ID, among other things. This may be exactly the evidence we need to tie the suspect to their activity on this system!

Mounted Devices

If the suspect used any hardware device that must be mounted to either read or write data (CD-ROM, DVD, hard drive, flash drive, etc.), the registry will record the mounted device. This information is stored at:

HKEY_LOCAL_MACHINE\System\MountedDevices

As you can see below, when we click on this key, it provides us a long list of every device ever mounted on that machine.

If we need further information on any of those mounted devices, we can simply click on it, and it will open a small app that will enable us to read the data in ASCII. As you can see, this device was an IDE CD-ROM manufactured by Teac.

If there is not a TEAC CD_ROM on the system, the forensic investigator now knows that they need to find this piece of hardware to find further evidence of the crime.

The registry is a depository of volumes of information on what happened on a Windows system, and by learning our way around it, we can reconstruct the elements of a crime that it was used for.