One, Overview
The registry is a hierarchical database at the core of the Microsoft Windows operating system and its applications. It stores configuration information for both the system and installed applications.
The registry has existed since Windows 3.0, where it was introduced to support OLE. It was Windows 95, however, that made the registry a regular feature for Windows users, and every later Windows version has continued to use it. Windows NT was the first version to make extensive use of the registry at the system level. (Via Wikipedia)
Two, Composition of the registry structure
The registry is stored in hive files, each made up of keys, subkeys, and values (see the regf Windows Registry File Format Specification by msuhanov on GitHub).
The registry is a tree: a key (also called an "item") is a node, and a subkey is a child node of that key; subkeys are themselves keys. An attribute of a key is called a value, and a value consists of a name, a type, and data. A key can hold multiple values, each with a distinct name. A value with an empty name is the key's default value.
You can open the registry editor to view its structure:
The registry has five root keys, or primary branches:
HKEY_CLASSES_ROOT: contains everything needed to launch applications, including file extensions, the associations between applications and documents, driver names, DDE and OLE information, class IDs, and the icons for applications and documents.
HKEY_CURRENT_USER: contains the configuration of the currently logged-on user, such as environment variables and desktop settings.
HKEY_LOCAL_MACHINE: contains information about the hardware and software installed on the computer.
HKEY_USERS: contains the configuration information of all users on the computer.
HKEY_CURRENT_CONFIG: contains the configuration of the current hardware profile.
The main registry data types are:
REG_SZ: string type; a text string.
REG_BINARY: binary type; a binary value of arbitrary length, displayed in hexadecimal.
REG_DWORD: double word; a 32-bit value, displayed as an 8-digit hexadecimal number.
REG_MULTI_SZ: multi-string; several text strings separated by NUL and terminated by two NULs.
REG_EXPAND_SZ: expandable string; a string that may contain environment variables.
Timestamps in the registry appear in the following formats:
FILETIME: a 64-bit value counting 100-nanosecond intervals since January 1, 1601, UTC.
Unix time: a 32-bit value counting seconds since January 1, 1970, UTC.
DOS date/time: two 16-bit values encoding the local date and time.
Three, Registry storage
On Windows NT-based systems the registry is split across several files on disk. These files are called registry hives (configuration units).
The main hives are:
SYSTEM: registry branch HKEY_LOCAL_MACHINE\SYSTEM; stored in \Windows\System32\config\SYSTEM; holds information about the computer's hardware and the system.
NTUSER.DAT: registry branch HKEY_CURRENT_USER; stored in the user's profile directory, separate from the other registry files; holds the user's configuration.
SAM: registry branch HKEY_LOCAL_MACHINE\SAM; stored in C:\Windows\System32\config\SAM; holds user password information.
SECURITY: registry branch HKEY_LOCAL_MACHINE\SECURITY; stored in C:\Windows\System32\config\SECURITY; holds security settings.
SOFTWARE: registry branch HKEY_LOCAL_MACHINE\SOFTWARE; stored in C:\Windows\System32\config\SOFTWARE; holds information about installed software.
The main ways to modify the registry are:
1. The Registry Editor shipped with Windows, %SystemRoot%\regedit.exe.
2. The reg command, which can add, delete, modify, and query registry entries, import and export registry files (REG files), and load and unload hives.
3. REG files: the Registry Editor can export selected keys to a REG file, and a REG file can be imported to restore or modify those keys.
In addition, to guard against registry errors and corruption, each hive is accompanied by transaction log files and registry backup files. A transaction log has the same name and path as its hive file but a different suffix, .LOG; when there are several, they are named .LOG1 and .LOG2. (To see these files, open Folder Options and untick "Hide protected operating system files".)
The backup files are in the \Windows\System32\config\RegBack\ path.
The hive writer records data in the transaction log before writing it to the primary file. If an error (such as a system crash) occurs while writing the transaction log, the primary file is unaffected. If an error occurs while writing the primary file, the data in the transaction log can be used to recover it.
Four, Obtaining and analyzing hives
To obtain a hive, make a copy of it with the reg save command (run from a command prompt with administrator privileges):
C:\WINDOWS\system32>reg save HKLM\SAM C:\SAM
You can use RegRipper to analyze Hive. RegRipper is an open source tool written in Perl that extracts and parses various information (keys, values, and data) from the registry for forensic analysis.
RegRipper project address: github.com/keydet89/Re…
Open RegRipper, select the hive file, set the report output path, select the profile, and click Rip It.
It produces two files: a log file and a report file.
Open the report for the SAM hive to view detailed information about users and user groups.
Five, Practical forensics
Source: Cynet Emergency Response Challenge
Podrick said that a malicious USB device was inserted into his computer at lunchtime on February 3, 2020 (around 12:00 PM). He also mentioned that he saw one of his colleagues, Theon G, leaving his office with a USB device in his hand. Theon, however, claims he entered the office to visit Aria (who is in the same office as Podrick). When Aria was not there, he left the office. Podrick, who is not in the habit of locking screens, suspects Theon stole his data while he was away.
Tasks: 1. Examine Podrick's computer. 2. Was any USB device connected to Podrick's PC on February 3, 2020? 3. Submit the serial/UID of the suspicious USB device.
The hive files provided with the challenge have been covered in the previous sections, except for amcache.hve, which exists on Windows 8 and later. It records information about executed programs, logged when the user performs an action such as running a locally installed application, installing a new application, or running a portable application from an external device: for example, the program's creation time, modification time, name, description, vendor and version, execution path, and SHA-1 hash. This information persists even after the program is removed from the system.
Back to the task: we need to look for traces of USB use, which, based on the sections above, means analyzing the SYSTEM hive.
Open the RegRipper tool, load the provided SYSTEM file, and export the analysis report.
Open the report file and search for USBSTOR to find the registry information about USB devices. This key (SYSTEM\CurrentControlSet\Enum\USBSTOR) stores the product information and device ID of every USB storage device that has ever been connected to the system.
After searching and filtering, we find that a USB device was connected to the computer in 2020 at 12:12:32, with serial/UID 4C530000281008116284.
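To tie the timestamp formats from the earlier section to the USBSTOR investigation, here is an added example (not code from the original post or the Cynet challenge): it decodes FILETIME, Unix and DOS timestamps and filters a constructed USBSTOR key listing to the devices last written inside the incident window. The key paths, FILETIME values and the 11:00-14:00 UTC window are constructed assumptions, not the challenge's real data.

```python
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals from this epoch.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Decode a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def unix_to_datetime(ts: int) -> datetime:
    """Decode a 32-bit Unix time (seconds since 1970-01-01 UTC)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def dos_datetime_to_datetime(dos_date: int, dos_time: int) -> datetime:
    """Decode the two packed 16-bit DOS date/time words (local time, 2 s resolution)."""
    year, month, day = 1980 + (dos_date >> 9), (dos_date >> 5) & 0x0F, dos_date & 0x1F
    hour, minute, second = dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


# Constructed sample: device-instance key paths relative to
# SYSTEM\CurrentControlSet\Enum\USBSTOR, each with its key LastWrite FILETIME,
# in the shape a hive parser or RegRipper's usbstor plugin would report them.
SAMPLE_USBSTOR = [
    ("Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\\07AC1234567890&0", 132182838000000000),
    ("Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\\4C530000281008116284&0", 132252055520000000),
]


def usb_serials_in_window(entries, start: datetime, end: datetime):
    """Return (serial, ISO timestamp) for device keys last written within [start, end].

    The serial is the last path component with its trailing '&<instance>' removed.
    """
    hits = []
    for key_path, filetime in entries:
        written = filetime_to_datetime(filetime)
        if start <= written <= end:
            instance_id = key_path.rsplit("\\", 1)[-1]
            hits.append((instance_id.rsplit("&", 1)[0], written.isoformat()))
    return hits


def suspicious_usb_serials():
    """Apply the scenario's lunchtime window on 2020-02-03 (assumed to be UTC here)."""
    start = datetime(2020, 2, 3, 11, 0, tzinfo=timezone.utc)
    end = datetime(2020, 2, 3, 14, 0, tzinfo=timezone.utc)
    return usb_serials_in_window(SAMPLE_USBSTOR, start, end)


if __name__ == "__main__":
    for serial, when in suspicious_usb_serials():
        print(f"USB device serial {serial} last written {when}")
```

On a real case, compare the key's LastWrite time with the system's time zone setting before drawing conclusions, since FILETIME values in the hive are UTC while the witness account is in local time.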
References:
Registry Hives - Win32 apps | Microsoft Docs, docs.microsoft.com/en-us/windo…
Registry - Wikipedia, zh.wikipedia.org/wiki/%E6%B3…
regf / Windows Registry File Format Specification.md at master · msuhanov/regf · GitHub, github.com/msuhanov/re…