We can identify records for registry key creation and deletion as well as registry value writes and deletes. The relevant key path, value name, data type, and data are present within log entries. See the appendix for transaction log record format details.
Although most data present in registry transaction logs is not particularly valuable for intrusion investigations, there are some cases where the data can prove useful. In particular, we found that scheduled task creation and deletion use registry transactions. By parsing registry transaction logs we were able to find evidence of attacker-created scheduled tasks on live systems. This data was not available in any other location.
The task scheduler has been observed using transactional registry operations on Windows Vista through Windows 8. It is not known why Windows 10 behaves differently.
Figure 5: Creating a scheduled task to run malware.
Figure 6: A registry entry created by the task scheduler.
Because the scheduled task was written to the registry using transacted registry operations, a copy of the data is available in the transactional registry transaction log. The data can remain in the log well after the scheduled task has been removed from the system.
Figure 7: The malicious scheduled task in the TxR log.
In addition to transaction logs, we also examined methods for the recovery of deleted entries from registry hive files.
We started with an in-depth analysis of some common techniques used by forensic tools today in the hopes of identifying a more accurate approach. Deleted entry recovery requires parsing registry cells in hive files. This is relatively straightforward. FireEye has a number of tools that can read raw registry hive files and parse relevant keys, values, and data from cells.
Recovering deleted data is more complex because some information is lost when elements are deleted.
A more sophisticated approach is required to deal with the resulting ambiguity. When parsing cells there is only one common field: the cell size. Some cell types contain magic number identifiers, which can help determine their type. However, other cell types, such as data and value lists, do not have identifiers; their types must be inferred by following references from other cells. Additionally, the size of data within a cell can differ from the cell size.
Depending on the cell type it may be necessary to leverage information from referencing cells to determine the data size. When a registry element is deleted its cells are marked as unallocated. Because the cells are not immediately overwritten, deleted elements can often be recovered from registry hives. However, unallocated cells may be coalesced with adjacent unallocated cells to maximize traversal efficiency.
This makes deleted cell recovery more complex because cell sizes may be modified. As a result, original cell boundaries are not well defined and must be determined implicitly by examining cell contents. A review of public literature and source code revealed existing methods for recovery of deleted elements from registry hive files.
Variations of the following algorithm were commonly found:
We implemented a similar algorithm to experiment with its efficacy. Although this simple algorithm was able to recover many deleted registry elements, it had a number of significant shortcomings. One major issue was the inability to validate any references from deleted cells. Because referenced cells may have already been overwritten or reused multiple times, our program frequently made mistakes in identifying values and data, resulting in false positives and invalid output.
We also compared program output to popular registry forensic tools. Although our program produced much of the same output, it was evident that existing registry forensic tools were able to recover more data. In particular, existing tools were able to recover deleted elements from slack space of allocated cells that had not yet been overwritten.
Additionally, we found that orphaned allocated cells are also considered deleted. It is not known how unreferenced allocated cells could exist in a registry hive as all related cells should be unallocated simultaneously on deletion.
It is possible that certain types of failures could result in deleted cells not becoming unallocated properly. Through experimentation we discovered that existing registry tools were able to perform better validation resulting in fewer false positives. However, we also identified many cases where existing tools made incorrect deleted value associations and output invalid data. This likely occurs when cells are reused multiple times resulting in references that could appear valid if not carefully scrutinized. Given the potential for improving our algorithm, we undertook a major redesign to recover deleted registry elements with maximum accuracy and efficiency.
After many rounds of experimentation and refinement we ended up with a new algorithm that can accurately recover deleted registry elements while maximizing performance. This was achieved by discovering and keeping track of all cells in registry hives to perform better validation, by processing cell slack space, and by discovering orphaned keys and values. Testing results closely matched existing registry forensics tools but with better validation and fewer false positives. The following example demonstrates how our deleted entry recovery algorithm can perform more accurate data recovery and avoid false positives.
Figure 8 shows an example of a data recovery error by a popular registry forensics tool:
Figure 8: Incorrectly recovered registry data.
Note that the ProviderName recovered from this key was jumbled because it referred to a location that had been overwritten. When our deleted registry recovery tool is run over the same hive, it recognizes that the data has been overwritten and does not output garbled text.
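As an added illustration (not FireEye's tool or code from the post), the following Python walks the cells of a constructed hbin, carves vk cells out of a coalesced free cell where the original boundaries are lost, and refuses to follow a data reference that now lands on a cell reused as an nk cell, which is the jumbled-ProviderName failure of Figure 8. It assumes a single hbin at the start of the hive data area, so cell offsets equal bin offsets, and builds its sample hive bytes inline.

```python
import struct
SIGS = (b"nk", b"vk", b"sk", b"lf", b"lh", b"li", b"ri")   # cell types that carry a magic number

def walk_cells(hbin):
    """Map offset -> (size, allocated) for every cell in one hbin; int32 size <0 allocated, >0 free."""
    cells, off = {}, 32                                       # skip the 32-byte hbin header
    while off + 4 <= len(hbin):
        size = struct.unpack_from("<i", hbin, off)[0]
        if size == 0 or off + abs(size) > len(hbin):
            break
        cells[off] = (abs(size), size < 0)
        off += abs(size)
    return cells
def carve_vk(hbin, off, size):   # free cells may be coalesced: locate 'vk' by content, on 8-byte alignment
    return [p - 4 for p in range(off + 4, off + size - 20, 8) if hbin[p:p + 2] == b"vk"]
def read_value(hbin, cells, vk_off):
    """Parse a vk cell -> (name, data); data is None when its data reference no longer validates."""
    b = vk_off + 4
    name_len, data_len, data_off = struct.unpack_from("<HII", hbin, b + 2)
    name = hbin[b + 20:b + 20 + name_len].decode("ascii")     # constructed sample uses ASCII names
    if data_len & 0x80000000:                                 # <= 4 bytes live inline in data_off
        return name, struct.pack("<I", data_off)[:data_len & 0x7fffffff]
    if data_off not in cells:                                 # not the boundary of any discovered cell
        return name, None
    dsize, dalloc = cells[data_off]
    if dsize < data_len + 4 or (dalloc and hbin[data_off + 4:data_off + 6] in SIGS):
        return name, None                                     # too small, or reused by a structured cell
    return name, hbin[data_off + 4:data_off + 4 + data_len]

def recover_values(hbin):
    """name -> (was_allocated, data): parse live vk cells, carve deleted ones out of free space."""
    cells, out = walk_cells(hbin), {}
    for off, (size, alloc) in cells.items():
        hits = ([off] if hbin[off + 4:off + 6] == b"vk" else []) if alloc else carve_vk(hbin, off, size)
        for v in hits:
            name, data = read_value(hbin, cells, v)
            out[name] = (alloc, data)
    return out

def cell(body, allocated):                                    # sample builder: cells are 8-byte aligned
    size = (len(body) + 4 + 7) & ~7
    return struct.pack("<i", -size if allocated else size) + body.ljust(size - 4, b"\0")
def vk_body(name, data_len, data_off, vtype):                 # vk: sig, name_len, data_len, data_off, type, flags, spare
    return b"vk" + struct.pack("<HIIIHH", len(name), data_len, data_off, vtype, 0, 0) + name
def build_sample_hbin():
    """Constructed sample (assumption: one bin at the hive data-area start, so cell offsets == bin offsets)."""
    free = vk_body(b"Prov", 12, 144, 1).ljust(28, b"\0") + struct.pack("<i", 32)   # deleted value + remnant size field
    free += vk_body(b"Gone", 0x80000004, 1, 4).ljust(28, b"\0")                     # deleted REG_DWORD, stored inline
    return (b"hbin".ljust(32, b"\0") + cell(vk_body(b"Live", 6, 64, 1), True)        # off 32: live value, data at 64
            + cell("ok\0".encode("utf-16-le"), True) + cell(free, False)             # off 64: data; off 80: 64-byte free cell
            + cell(b"nk".ljust(76, b"\0") + b"Reused", True))                        # off 144: nk now at Prov's old data offset
```

Without the reuse check in read_value, Prov would come back as twelve bytes of the nk header decoded as text, which is exactly the jumbled output a tool prints.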
Windows includes a simple mechanism to back up system registry hives periodically. The hives are backed up with a scheduled task called RegIdleBackup, which is scheduled to run every 10 days by default. Only the most recent backup is stored in this location.
This can be useful for investigating recent activity on a system. It is present in all versions of Windows since then, but it does not run by default on Windows 10 systems, and even when it is manually run no backups are created. It is not known why RegIdleBackup was removed from Windows 10. In addition to RegBack, registry data is backed up with System Restore. By default, System Restore snapshots are created whenever software is installed or uninstalled, including Windows Updates. As a result, System Restore snapshots are usually created on at least a monthly basis, if not more frequently.
Although some advanced persistent threat groups have been known to manipulate System Restore snapshots, evidence of historical attacker activity can usually be found if a snapshot was taken at a time when the attacker was active. System Restore snapshots contain all registry hives including system and user hives. Wikipedia has some good information about System Restore. Processing hives in System Restore snapshots can be challenging as there may be many snapshots present on a system resulting in a large amount of data to be processed, and often there will only be minor changes in hives between snapshots.
One strategy to handle the large number of snapshots is to build a structure representing the cells of the registry hive, then repeat the process for each snapshot. Anything not in the previous structure can be considered deleted and logged appropriately. The registry can provide a wealth of data for a forensic investigator.
With numerous sources of deleted and historical data, a more complete picture of attacker activity can be assembled during an investigation. As attackers continue to gain sophistication and improve their tradecraft, investigators will have to adapt to discover and defend against them.
Appendix: transaction log record format
The magic number is always 0x The record size includes the header. The record type is always 1. Operation type 1 is key creation. Operation type 2 is key deletion. Operation types are value write or delete. It is not known what the different types signify. The key path size is at offset 40 and repeated at offset This is present for all registry operation types. The data for value records starts at offset It contains the key path, followed by the value name, optionally followed by data.
If data size is nonzero, the record is a value write operation; otherwise it is a value delete operation.
Introduction
FireEye consultants frequently utilize Windows registry data when performing forensic analysis of computer networks as part of incident response and compromise assessment missions.
Our analysis focused on the following known sources of historical registry data:
- Registry transaction logs (.LOG)
- Transactional registry transaction logs
Registry Transaction Logs (.LOG)
To maximize registry reliability, Windows can use transaction logs when performing writes to registry files. Our current approach for processing registry transaction files uses the following algorithm:
1. Sort all writes by sequence number descending so that we process the most recent writes first.
2. Perform allocated and unallocated cell parsing to find allocated and deleted entries.
3. Compare entries against the original hive. Any entries that are not present are marked as deleted and logged.