Windows Registry Forensics


Windows Registry

Objectives

This lab will introduce you to the structure of the Windows Registry. You will then explore the registry offline, by parsing the physical files (hives) that constitute the main elements of the registry.

The Microsoft Windows registry is the core repository for both operating system and application-specific settings. Information pertaining to the configuration and customization of Windows is stored in a series of hierarchical structures, accessible through a common interface. For the computer investigator, the registry provides a rich source of information on computer settings and activities ranging from identifying installed software to finding website passwords.

RegRipper is an open-source application for extracting, correlating and displaying specific information from Registry hive files from the Windows NT family of operating systems (2000, XP, 2003, Vista and 7).

RegRipper is a Windows-based application that provides both command-line and GUI support for viewing the information. This tool is not installed on CAINE by default, but the teaching team have installed it for you manually.

Question 1: Registry Post-Mortem

Before starting this tutorial you need to install a script called /home/caine/decodelnk.pl. This is actually taken from revealertoolkit, and is a program called lnk-parse-1.0.pl, but we have renamed it decodelnk.pl to try and be consistent with the script names we are using.

Press the button below to install /home/caine/decodelnk.pl.


Question 2: Exploring the Registry Post-Mortem

RegRipper is a set of Perl scripts that parse the registry hives and output critical information. In this activity, we will parse the main files that constitute the registry.

To access the registry file, first you have to mount the dd image or use the ifind and icat commands to extract files from the dd image.

To mount the image, execute the following command. The byte offset of 32256 is the partition's start at sector 63 multiplied by the 512-byte sector size; it is the same partition that the fls and icat commands later in this tutorial address with -o 63.

	sudo mount -o loop,offset=32256 /images/CBarrow.dd /mnt

Search for all instances of NTUSER.DAT (case sensitive) using the find command, searching through the new mount at /mnt. Save this data to /home/caine/ntuser.out. Look at the users found...
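As an added example (it is not part of the lab page, of CAINE or of RegRipper), the following Python script reproduces these two preparatory steps in code: it turns a partition's start sector from an mmls-style listing into the byte offset that mount -o offset= needs (63 sectors multiplied by 512 bytes gives 32256), and it walks a mounted tree for NTUSER.DAT hives, one per user profile, matching the name case-sensitively as the find command does. The mmls listing and the profile directory tree are constructed test data laid out like the lab image; the mount line it generates adds ro, which the lab's own command does not, so that the evidence cannot be modified by accident.

```python
"""Partition offset and NTUSER.DAT discovery (added example, not CAINE or
RegRipper code). The mmls text and the profile tree are constructed test
data laid out like the lab image: one NTFS partition starting at sector 63."""
import os
import re
import tempfile

SECTOR_SIZE = 512

# Constructed listing in the layout that `mmls image.dd` prints; not real output.
MMLS_SAMPLE = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000062   0000000063   Unallocated
002:  000:000   0000000063   0000409599   0000409537   NTFS / exFAT (0x07)
"""

# Only allocated partition rows carry a slot of the form 000:000; the meta-table
# and unallocated rows do not, so the pattern skips them.
PART_ROW = re.compile(r"^\d+:\s+\d+:\d+\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*?)\s*$")


def partition_offsets(mmls_text, sector_size=SECTOR_SIZE):
    """Return (description, start_sector, byte_offset) for each allocated partition."""
    parts = []
    for line in mmls_text.splitlines():
        m = PART_ROW.match(line)
        if m:
            start = int(m.group(1))
            parts.append((m.group(4), start, start * sector_size))
    return parts


def mount_command(image, mountpoint, byte_offset):
    """Loop-mount the partition at byte_offset; ro keeps the evidence image unmodified."""
    return f"sudo mount -o ro,loop,offset={byte_offset} {image} {mountpoint}"


def find_ntuser_hives(root):
    """Exact, case-sensitive match on NTUSER.DAT, like `find /mnt -name NTUSER.DAT`.
    Returns {profile name: hive path}; the profile is the hive's parent directory."""
    hives = {}
    for dirpath, _dirs, files in os.walk(root):
        if "NTUSER.DAT" in files:
            hives[os.path.basename(dirpath)] = os.path.join(dirpath, "NTUSER.DAT")
    return hives


def build_demo_tree(root):
    """Constructed profile layout. The .LOG file and the lowercase decoy must not match."""
    for rel in ("Documents and Settings/Clyde/NTUSER.DAT",
                "Documents and Settings/Default User/NTUSER.DAT",
                "Documents and Settings/Clyde/ntuser.dat.LOG",
                "Documents and Settings/Bonnie/ntuser.dat"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"regf")  # hive file signature only; this is not a real hive


def demo():
    """Run both steps against the constructed data; returns (partitions, users)."""
    parts = partition_offsets(MMLS_SAMPLE)
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        users = sorted(find_ntuser_hives(root))
    return parts, users


if __name__ == "__main__":
    partitions, users = demo()
    for desc, start, byte_off in partitions:
        print(desc, "starts at sector", start)
        print(mount_command("/images/CBarrow.dd", "/mnt", byte_off))
    print("profiles with NTUSER.DAT:", users)
```

On the real image you would feed the output of mmls /images/CBarrow.dd to partition_offsets and point find_ntuser_hives at /mnt after mounting; the profile names it returns are the users you are asked to look at.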

Now we need to interrogate Clyde's NTUSER.DAT file to discover what settings it contains. Make a directory called evidence in /home/caine and store the analysis in that directory.

The rr2.8 install requires a small change to make it work properly: rip.pl must be told where its own plugin modules live, which is what the use lib line below does. Edit the rip.pl file first:

	sudo nano /usr/local/rr/rip.pl

and insert a new line at line 24 (just after "use strict"):

	use lib '/usr/local/rr';

Use the following command to interrogate and output the settings:

  /usr/local/rr/rip.pl -r /mnt/Documents\ and\ Settings/Clyde/NTUSER.DAT -f ntuser > /home/caine/evidence/NTuserDataOut.csv 

Get the SAM information:

  /usr/local/rr/rip.pl -r /mnt/WINDOWS/system32/config/SAM -f sam > /home/caine/evidence/SAMOut.csv 

Get the system information:

  /usr/local/rr/rip.pl -r /mnt/WINDOWS/system32/config/system -f system > /home/caine/evidence/systemOut.csv

Get the Software Information (can take a few minutes):

  /usr/local/rr/rip.pl -r /mnt/WINDOWS/system32/config/software -f software > /home/caine/evidence/SoftwareOut.csv

To answer the following questions you have to find the information in the files you have just created. You can open the CSV files with the Gnumeric spreadsheet, located in CAINE under Menu/Office, or you can open them with less or search them with grep.

Who is the registered owner of this PC? This is case and space sensitive.

When was the OS installed? Write it in the format "Mon Jan 11 00:00:00 2012 (BST)".

What is Clyde's SID?

How many web browsers are installed? Possible web browsers include "Internet Explorer", "chrome", "firefox", and "safari".

What is the NukeOnDelete value?

What does this value mean?

What is the most recently opened doc file, and what doc file was opened before that one?

	Order    Opened filename
	First    Most recently opened
	Second   Second most recently opened

The filenames that the registry records for recently opened documents are the names of shortcut (link) files, not the documents themselves. Because these entries come from Clyde's NTUSER.DAT, the matching shortcut is "Documents and Settings/Clyde/Recent/FILENAME.lnk" (where FILENAME is the name found in the registry). LNK files can be analysed with decodelnk.pl. So if the link was "myfile.doc", you can extract the actual file it refers to (the Base Path) with decodelnk.pl as follows. List the files in the partition (sector offset 63) with:

	fls -rpo 63 /images/CBarrow.dd

and look for "Documents and Settings/Clyde/Recent/FILENAME.lnk". Take its inode, put it in place of THEINODE, and execute:

	icat -o 63 /images/CBarrow.dd THEINODE > thelink.lnk
	/home/caine/decodelnk.pl thelink.lnk
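To show what decodelnk.pl is doing when it reports the Base Path, here is an added Python parser for the Shell Link (.lnk) format, following the structure layout published in MS-SHLLINK; it is not part of the lab, of CAINE or of the revealertoolkit script. It reads the three header timestamps, skips the LinkTargetIDList, and pulls LocalBasePath, the volume label and the drive serial number out of the LinkInfo structure. The sample shortcut is built in code from constructed values (the myfile.doc target under Clyde's profile, the 2012 timestamp, the SYSTEM label and the serial number are all made up); run the script with a real .lnk path as its first argument to parse that file instead. It ignores the Unicode path offsets and the optional StringData sections, which the Base Path question does not need.

```python
"""Minimal Shell Link (.lnk) parser following the MS-SHLLINK layout. Added
example, not the lab's decodelnk.pl; it recovers the same Base Path field
(LinkInfo.LocalBasePath) plus the target volume and the header timestamps."""
import struct
import sys
from datetime import datetime, timedelta, timezone

HEADER_FMT = "<I16sIIQQQIIIHHII"           # ShellLinkHeader, 0x4C bytes
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01              # LinkFlags bits
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01        # LinkInfoFlags bit
DRIVE_TYPES = {2: "REMOVABLE", 3: "FIXED", 4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is a count of 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH          # integer arithmetic keeps the large value exact
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def _cstring(data, pos):
    """NUL-terminated ANSI string starting at pos."""
    return data[pos:data.index(b"\x00", pos)].decode("latin-1")


def parse_lnk(data):
    fields = struct.unpack_from(HEADER_FMT, data, 0)
    if fields[0] != 0x4C or fields[1] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = fields[2]
    info = {"created": filetime_to_datetime(fields[4]),
            "accessed": filetime_to_datetime(fields[5]),
            "modified": filetime_to_datetime(fields[6]),
            "file_size": fields[7], "base_path": None,
            "volume_label": None, "volume_serial": None, "drive_type": None}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        # IDListSize does not include its own two bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li = pos                                # all offsets below are LinkInfo-relative
        (_size, _hdr_size, li_flags, vol_off, base_off,
         _cnrl_off, suffix_off) = struct.unpack_from("<7I", data, li)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            vol = li + vol_off
            _vol_size, drive_type, serial, label_off = struct.unpack_from("<4I", data, vol)
            info["drive_type"] = DRIVE_TYPES.get(drive_type, str(drive_type))
            info["volume_serial"] = "%04X-%04X" % (serial >> 16, serial & 0xFFFF)
            info["volume_label"] = _cstring(data, vol + label_off)
            # Base Path = LocalBasePath followed by CommonPathSuffix (usually empty)
            info["base_path"] = _cstring(data, li + base_off) + _cstring(data, li + suffix_off)
    return info


def build_sample_lnk(target, label="SYSTEM", serial=0x1234ABCD,
                     when=datetime(2012, 1, 11, 10, 30, tzinfo=timezone.utc)):
    """Constructed shortcut for testing; every value in it is made up."""
    ft = datetime_to_filetime(when)
    item_data = b"\x1f\x50" + b"\x00" * 18                 # one opaque ItemID
    item = struct.pack("<H", 2 + len(item_data)) + item_data
    idlist = item + b"\x00\x00"                            # TerminalID closes the list
    target_idlist = struct.pack("<H", len(idlist)) + idlist
    label_b = label.encode("latin-1") + b"\x00"
    volume_id = struct.pack("<4I", 16 + len(label_b), 3, serial, 16) + label_b
    base_b = target.encode("latin-1") + b"\x00"
    suffix_b = b"\x00"
    vol_off = 28                                           # LinkInfoHeaderSize without Unicode offsets
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_b)
    link_info = struct.pack("<7I", suffix_off + 1, 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + volume_id + base_b + suffix_b
    header = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID,
                         HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO, 0x20,
                         ft, ft, ft, 24576, 0, 1, 0, 0, 0, 0)
    return header + target_idlist + link_info


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample_lnk("C:\\Documents and Settings\\Clyde\\My Documents\\myfile.doc")
    for key, value in parse_lnk(blob).items():
        print(f"{key:14} {value}")
```

The volume serial and label are worth recording alongside the Base Path: they tie the shortcut to a particular volume, which matters when the same path could have existed on more than one drive.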

Use decodelnk.pl to identify the Base Path of the filename link you identified in the previous question as the first most recently opened doc file.


What are the most recently opened programs? Note that the registry key is ComDlg32, and examine the first MRUList shown.

	Order    Opened filename
	First    Most recently opened
	Second   Second most recently opened


What are the most commonly updated URLs typed into Internet Explorer? Note: if the URL contains control characters (characters starting with '\', such as '\@'), replace each of those characters with a single space character. This question is space-sensitive!

	Order    Updated URL
	First    Most recently updated
	Second   Second most recently updated

What are the last and second-last opened jpg file links?

	Order    Opened filename
	First    Most recently opened
	Second   Second most recently opened


How many removable drives (i.e. floppy drives, removable drives and DVD drives) have been connected to the PC being analysed? If a device has been connected more than once with different volume IDs, count each ID as a separate connection.

	Number of floppy drives connected
	Number of removable drives connected
	Number of DVD drives connected


Copyright @ 2004-2014 Gordon Russell. All rights reserved.