Computer Forensics: Coursework 2: Forensic Analysis of The Windows Registry


Forensic Analysis of the Windows Registry

Computer Forensics: Coursework 2


Due Date 4th November

Peter Davies - 05004306


MSc Information Security & Computer Crime
University of Glamorgan Computer Forensics - Windows Registry

Contents

Abstract  3
Introduction  4
  History  4
  Registry Structure  5
    HKEY_USERS Overview  7
    HKEY_LOCAL_MACHINE Overview  8
  Where is the Registry located?  9
Registry Examination  10
  Available Tools  10
  Registry Security  10
    Registry Access  10
    Password Storage  10
  Practical Inspection  12
    Startup Applications  12
    General User Information  12
    Internet Explorer  13
    Instant Messaging  14
    The Registry as a Log File  14
    Attached Hardware  15
    Unread E-Mails  16
    UserAssist  17
    Other MRU  18
    ShellBags  19
    Wireless Networks  19
    64-bit Operating Systems  19
    Computers Nearby  20
  Registry ‘Run’ Exploitation  21
Conclusions  23
  Overview  23
  Summary  24
Application: Registry QuickCheck  25
  Overview  25
  Source Code  25
References  32
  Online Articles  32
  Books  32
  Journals  33
  End Notes  34

Peter Davies 2

Abstract
This report critically examines the techniques that can be used to forensically examine
the contents of a Microsoft Windows Registry database.

By reviewing present techniques of analysis, this report will demonstrate how the
Microsoft operating system stores potentially sensitive information in an insecure and
easy-to-access database.

Using a well-established rapid application development environment, several of the
examination techniques are put into practice, and this report shows, starting with an
introduction to the Windows Registry, how this information can be easily obtained,
providing in essence a ‘digital dumpster dive’ for forensic investigators.


Introduction
History
During the early nineties [1], Microsoft introduced its first widely used version of
Windows, Windows 3.x, and developers needed a technique for storing application-specific
settings. They devised a scheme of text files with the extension ‘ini’ that stored settings
in named sections. Even the main Windows executable had its own configuration file,
‘win.ini’, which other applications could also use to store system-wide configuration
data. Despite the absence of any formal centralised application and user management
database, this early operating system did have a ‘Reg.dat’ file that held basic file
associations and Object Linking and Embedding (OLE) parameters.

When Microsoft came to develop its new flagship product, Windows 95, the development
team realised that a more substantial configuration system was needed and introduced a
single logical data store [2]. This was named ‘the registry’ and in fact consisted of
physically separate files for user settings (USER.DAT), system settings (SYSTEM.DAT) and,
where system policies were deployed, network policies (POLICY.POL).

As defined in the Microsoft Knowledge Base [3] and also in The Microsoft Computer
Dictionary, Fifth Edition, the registry is:

A central hierarchical database used in Microsoft Windows 9x, Windows CE,
Windows NT, and Windows 2000 used to store information necessary to configure
the system for one or more users, applications and hardware devices.

The above statement is central to the discussion in this report, as it identifies that
Microsoft have used the registry as the hub for configuration information within their
operating systems. We will see later in this report how forensic investigators can access
this repository to obtain a great deal of operational data regarding the use of a user’s
computer.


Registry Structure
The registry presents between five and seven root keys whose names begin with ‘HKEY’
(an abbreviation of Handle to a Key). Only two of these, HKEY_LOCAL_MACHINE and
HKEY_USERS, are ‘real’ root keys backed by the on-disk hive files; the others are aliases
(links) to branches within one of those two. The structure of the registry is best
visualised as a hierarchy or tree, which the Windows ‘Regedit’ utility displays directly;
the annotated Regedit screenshot in the original report colour-codes the four separate
elements.

The four main components that make the registry function are:
• Registry Keys (blue)
The content of a hive is a tree, with a root key at the top and subkeys, each holding
values, forming its content.
• Value Entry Name (yellow)
Any string that uniquely identifies a value entry within a particular key. Every key also
has an unnamed ‘(Default)’ value.
• Data Type (green)
Improving on an INI file’s storage of string-only configuration data, the registry can
store typed data such as binary (REG_BINARY), multi-line strings (REG_MULTI_SZ),
expandable strings (REG_EXPAND_SZ), 32-bit integers (REG_DWORD) and even 64-bit
integers (REG_QWORD).
• Value Entry Data (pink)
The actual data, in the type described by the previous field. Microsoft advises that long
values (more than about 2 KB) be kept in a file that the registry value merely references,
rather than in the value itself.


Depending on the version of the Windows operating system, the registry will contain
different root keys, although numbers 1 to 5 below are consistent across all versions. If
the administrator has restricted access to certain areas of the registry, or you are
accessing the registry remotely, you will be presented with only the two real root keys:
HKEY_USERS and HKEY_LOCAL_MACHINE.

The possible seven root keys are described as follows:

1. HKEY_USERS
contains a subkey for each loaded user profile (named by the user’s SID on NT-based
systems), plus the .DEFAULT profile. The information stored within this hive concerns
application configuration and visual settings, amongst much else.

2. HKEY_LOCAL_MACHINE
this contains machine-specific information that relates directly to the machine the
operating system runs on. It includes lists of mounted drives, hardware present and the
machine-wide configuration of installed applications.

3. HKEY_CLASSES_ROOT
this contains information similar to the Reg.dat data described in the history above:
file associations, drag-and-drop rules, shortcut handling and information on the user
interface. Alias for HKLM\Software\Classes (on Windows 2000 and later it is a merged
view of HKLM\Software\Classes and HKCU\Software\Classes, with the per-user entries
taking precedence).

4. HKEY_CURRENT_USER
this contains user-specific information that is loaded when the user logs on. It is an
alias for the user’s own branch under HKEY_USERS (HKU\<SID>) and holds the
configuration data for the user who is currently logged on. Note that HKU\.DEFAULT is
not a template for new users: it is the profile used by the system itself before any
user logs on (for example by the logon screen). New user profiles are instead built
from the ‘Default User’ profile’s NTUSER.DAT on disk.

5. HKEY_CURRENT_CONFIG
this stores information about the system’s current hardware profile. On NT-based
systems it is an alias for HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current
(on Windows 9x the equivalent branch was HKLM\Config\<profile>).

6. HKEY_DYN_DATA
contains dynamic status information for devices that use the plug-and-play
architecture, for example when a USB memory stick is plugged in. Not technically an
alias or a physical hive [4], it contains dynamic information about the current status
of the system that is built in memory at startup. It exists only on Windows 95, 98 and
Me.

7. HKEY_PERFORMANCE_DATA
this provides support for performance monitoring on systems based on the NT kernel. It
too is created at boot and maintained in memory; Regedit does not display it, but it is
accessible through the registry API.


This report will use the following common abbreviations for the root keys so that the
length of the shown data can be maximised on the screen.
Root Key (Hive) Abbreviation
HKEY_USERS HKU
HKEY_LOCAL_MACHINE HKLM
HKEY_CLASSES_ROOT HKCR
HKEY_CURRENT_USER HKCU
HKEY_CURRENT_CONFIG HKCC
HKEY_DYN_DATA HKDD
HKEY_PERFORMANCE_DATA HKPD

HKEY_USERS Overview
As stated above, the HKEY_USERS (HKU) key contains the user-specific configuration
details held on the computer. Every user whose profile is loaded has a subkey under the
root HKU, named by the user’s security identifier (SID), containing specific detail on the
applications that user runs. This user-specific information is categorised as ‘profiles’,
allowing multiple users to share a single computer. Multiple SID-named subkeys under the
root key therefore indicate that more than one user is currently logged on (or has a
profile loaded); profiles of users who are not logged on are not loaded and must be
examined from their NTUSER.DAT files instead. The .DEFAULT subkey is always present and
is used by the system before any user logs on.

Each user profile (and .DEFAULT) has the following main subkeys on Windows XP,
Windows 2000 and Windows NT:

1. AppEvents - This provides associations between the sounds that Windows plays and
the events that trigger them, so that each profile can have user-specific sounds.
2. Control Panel - This holds the settings that can be altered in the Windows Control
Panel, such as the appearance of the desktop, which screen saver is used and which
language to use.
3. Environment - This holds the user’s environment variables, including the locations of
the user’s temporary folders (TEMP and TMP). Applications retrieve these so they can
store temporary data in a designated area.
4. Software - This subkey holds the user-specific software settings that applications use
to provide per-user preferences.

Often the operating system holds corresponding settings in both the HKU and HKLM hives.
For ordinary application settings the per-user value takes precedence over the
machine-wide one; Group Policy settings are the exception, where a conflicting machine
(HKLM) policy overrides the user (HKU) one.


HKEY_LOCAL_MACHINE Overview
This contains configuration data describing the hardware and software installed on the
computer [5], such as device drivers, security information and computer-specific software
settings. On a Windows XP system there are five main subkeys:

1. HARDWARE
This section of the registry is volatile: it is rebuilt from scratch at every boot by the
hardware detection carried out by NTDETECT and the kernel, and is never written to a hive
file on disk. The Windows 9x family does not use this subkey but exposes it for
compatibility with the NT line. Because it only ever describes the current boot, it is of
limited use when examining a powered-off machine.

2. SAM
This is the Security Accounts Manager (SAM) subkey that stores local user and group
information, including password hashes. Its ACL grants access only to the SYSTEM account
by default, so it appears empty even to an administrator in Regedit; it can be read by
running as SYSTEM, by taking ownership, or by parsing an offline copy of the SAM hive
file.

3. SECURITY
This contains the system and network security information in binary form, including the
local security policy and cached secrets. It is usually configured through the Group
Policy and Local Security Policy editors and, as with the SAM subkey, its ACL hides it
from Regedit by default.

4. SOFTWARE
This subkey is very important and contains a wealth of information regarding every
installed application on the machine. The operating system treats Windows itself as a
software application, so you will find many Windows-specific settings in this location.
The single largest branch within the HKLM hive is HKLM\Software\Classes, which describes
the associations between documents and programs and lists a huge amount of detail about
COM* objects.

5. SYSTEM
This section of the registry maintains control sets, each of which determines the
services and drivers to load during startup. The same control sets also provide the
configuration that allows these drivers and services to function in the given hardware
and software environment. HKLM\SYSTEM\Select records which control set is current and
which was last known good.

*
The Component Object Model (COM) provides a standardised way for applications to expose
their functionality to other applications. Described at:
http://www.microsoft.com/technet/scriptcenter/guide/sas_vbs_wcmr.mspx


Where is the Registry located?

In Windows XP, the registry hive files themselves have no file extension, but you will
see them alongside other files with the same name and a different extension:

• no extension or .dat
the hive file itself; the Windows 9x line and the per-user NTUSER.DAT use the ‘dat’
extension
• .alt
a duplicate copy of the SYSTEM hive kept by Windows NT 4.0 and 2000 (not used by XP)
• .log
transaction log recording changes not yet written to the hive, used for recovery after
an unclean shutdown
• .sav
the copy of the hive made at the end of the text-mode phase of Setup, before any software
installations or modifications

(The .evt files that sit in the same directory on NT-based systems are the Event Log
files, not registry data, although they are another valuable source of evidence.)

Depending on the flavour of the Microsoft operating system, the registry files are stored
in different locations on the file system.

Windows 3.x   c:\windows\Reg.dat
Windows 98    c:\windows (USER.DAT and SYSTEM.DAT)
Windows NT    c:\winnt\system32\config
Windows XP    c:\windows\system32\config

All but the information stored in HKCU can be found in the locations above. As might be
expected, the newer versions of Windows were developed with multiple users working in a
networked environment in mind, so the user-specific hive is stored alongside the user
profile in [6]:

%systemdrive%\Documents and Settings\<username>\NTUSER.DAT

together with the per-user Classes hive that feeds HKCR on Windows 2000 and XP:

%systemdrive%\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat

The hive files of a running system are held open exclusively by the kernel and are
protected by file ACLs, so they cannot simply be copied; to view the hives correctly they
must be examined either through the registry API on the live machine, or as offline copies
(from an image or a backup) using tools that parse the hive file format directly. The
details are discussed further in this report (Registry Examination → Available Tools).


Registry Examination
Available Tools
Throughout the many versions of Windows, Microsoft has provided tools for accessing the
registry. Although in some respects a very dangerous tool, the ‘regedit’ utility provides a
convenient way of searching, editing and deleting data within the different hives.

To better understand the structure and methodologies behind the registry, a Windows
application was developed specifically for this report to aid the extraction of
information that could provide evidence in a forensic investigation. Details of the
software developed, together with its source code, are given at the end of this report.

The main criticism of any registry editing tool is that if you do not know what you are
doing, it is very easy to make a fundamental change to the system that cannot be
recovered. For forensic work this is a further argument for examining a copy of the hive
files rather than the live registry. The registry’s failings as a data storage
architecture are discussed in more detail in the conclusion.

Registry Security
Registry Access
The earlier versions of Windows were not really intended for office network connectivity
and, as a result, no security or access controls existed for the registry at all. This was
true of both Windows 95 and Windows 98, and for the forensic analyst it is very helpful:
the machine can be examined without needing any credentials.

This is not the case with the following Microsoft products:
• Windows NT
• Windows 2000
• Windows Server 2003
• Windows XP

Each of these implements an access control list (ACL) on every registry key, just as NTFS
does on files, so that by default only administrators and the system can modify most of
HKLM while ordinary users may modify only their own profile hive. Because each key can
carry its own ACL, the design suits a multi-user environment, and the examiner must
either hold sufficient privilege on the live system or work from offline copies of the
hive files, which carry no ACLs of their own once extracted.

Password Storage
Interestingly enough, the software developers who thought the registry a useful place to
store application information also thought it a convenient place to store usernames and
passwords. Although the developers did encrypt the data, the encryption (Protected
Storage on Windows XP) is keyed to the user’s own account, so any program running under
that user’s logon session can ask the operating system to decrypt it. This is exactly what
the simple, freely available utility PassView [7] does, providing access to:

1. Outlook passwords for any POP3 e-mail account active on the user’s computer
2. AutoComplete passwords in Internet Explorer, providing user details for websites with
access control where the user has asked for them to be stored
3. Password-protected sites in Internet Explorer that use ‘basic authentication’
4. MSN Explorer passwords, revealing sign-up and AutoComplete information

The software achieves this by pairing the following registry information (see the diagram
in the original report):

HKCU\Software\Microsoft\Internet Explorer\IntelliForms\SPW
HKCU\Software\Microsoft\Protected Storage System Provider

NB: the actual passwords have been disguised for this example.


Practical Inspection
Startup Applications
When first inspecting the registry, it is worth initially checking the areas that specify
which applications are launched during the boot or logon process. The common keys are as
follows:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
ProfilePath\Start Menu\Programs\Startup\

Two further locations are routinely abused and deserve the same check: the Shell and
Userinit values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, and
the services and drivers under HKLM\SYSTEM\CurrentControlSet\Services.

By observing the entries in these keys it is possible to determine which applications are
executed at startup and, as we will see later in this report, it is possible for viruses
and trojans to add themselves to these startup areas so that they survive a reboot
(persistence).
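As an added example (not the QuickCheck tool’s code, and not from the original report), the following Python extracts the executable that each Run-key command line launches and flags the entries an examiner would look at first: images living in user-writable folders, unquoted paths with spaces, proxy launchers such as rundll32 whose argument is the real payload, and relative paths. It runs on a constructed sample of Run-key values rather than a live registry; the value names (SoundMAX, NvCplDaemon, MSMSGS, ctfmon.exe and the suspicious Updater), the command lines and the environment variables are assumptions made up for the example.

```python
"""Triage of start-up entries from the Windows Run / RunOnce keys.

Added example for this report; not the QuickCheck tool's code. It works on a
plain dict of key path -> {value name: command line}, so it runs offline on
the constructed sample below instead of reading a live registry.
"""
import ntpath
import re

# Environment values a profile would supply. Assumed sample values, not read
# from any real system.
SAMPLE_ENV = {
    "SystemRoot": r"C:\WINDOWS",
    "ProgramFiles": r"C:\Program Files",
    "TEMP": r"C:\Documents and Settings\pdavies\Local Settings\Temp",
}

# Path fragments a normal user can write to. A start-up entry that lives
# here is worth a closer look: installers put programs under Program Files.
USER_WRITABLE_MARKERS = ("\\local settings\\", "\\application data\\",
                         "\\temp\\", "\\recycler\\")

# Programs that merely load something else; the argument is what matters.
PROXY_LAUNCHERS = {"rundll32.exe", "regsvr32.exe", "cmd.exe",
                   "wscript.exe", "cscript.exe"}

RUN_HKLM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample data (value names modelled on typical XP entries).
SAMPLE_ENTRIES = {
    RUN_HKLM: {
        "SoundMAX": r'"C:\Program Files\Analog Devices\SoundMAX\SMTray.exe"',
        "NvCplDaemon": r"RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
        "Updater": r"%TEMP%\svchost.exe -boot",
    },
    RUN_HKCU: {
        "MSMSGS": r'"C:\Program Files\Messenger\msmsgs.exe" /background',
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    },
}

_ENV_RE = re.compile(r"%([^%]+)%")
_EXE_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")


def expand_env(command, env):
    """Expand %VAR% references with the supplied (not the live) environment."""
    return _ENV_RE.sub(lambda m: env.get(m.group(1), m.group(0)), command)


def image_path(command):
    """Return the executable a Run-key command line launches.

    A quoted path is taken verbatim. For an unquoted path with spaces this is
    a heuristic: the shortest whitespace-delimited prefix that ends in an
    executable extension (CreateProcess tries the prefixes in that order when
    it is handed an unquoted command line).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split()
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(_EXE_SUFFIXES):
            return candidate
    return tokens[0] if tokens else ""


def triage_entry(command, env=SAMPLE_ENV):
    """Return (image path, list of reasons to inspect it; empty if ordinary)."""
    expanded = expand_env(command, env)
    image = image_path(expanded)
    low = image.lower()
    reasons = []
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        reasons.append("image in user-writable location")
    if " " in image and not expanded.lstrip().startswith('"'):
        reasons.append("unquoted path containing spaces")
    if ntpath.basename(low) in PROXY_LAUNCHERS:
        reasons.append("proxy launcher; inspect its argument")
    if not ntpath.splitdrive(image)[0]:
        reasons.append("relative path; resolved via the search path at logon")
    return image, reasons


def triage(entries, env=SAMPLE_ENV):
    """Map (key, value name) -> (image, reasons) for every start-up entry."""
    return {(key, name): triage_entry(cmd, env)
            for key, values in entries.items() for name, cmd in values.items()}


def suspicious(entries, env=SAMPLE_ENV):
    """Sorted (key, value name) pairs whose entry raised at least one reason."""
    return sorted(k for k, (_, reasons) in triage(entries, env).items() if reasons)


if __name__ == "__main__":
    for (key, name), (image, reasons) in triage(SAMPLE_ENTRIES).items():
        flag = "  <-- " + "; ".join(reasons) if reasons else ""
        print(f"{key}\\{name}: {image}{flag}")
```

The flags are prompts for a manual look rather than verdicts: NvCplDaemon is a legitimate NVIDIA entry that is flagged only because rundll32 hides the real payload in its argument, while the constructed Updater entry combines a system-sounding file name with a location under the user’s Temp folder, which no installer would choose.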

General User Information

The registry stores a wealth of investigatory information, some of which the user may be
completely unaware of.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

The screenshot in the original report demonstrates the practical extraction of such
information directly from a working machine. Here we can see the drive the operating
system was installed from (SourcePath; in this case a CD drive) and also the final
location of the installed operating system (SystemRoot). The same key holds the
ProductName, the RegisteredOwner and RegisteredOrganization entered at setup, and
InstallDate, a 32-bit count of seconds since 1 January 1970 (UTC) recording when the
installation completed.


Internet Explorer
Any application can use the registry to store data, and Internet Explorer is heavily
integrated with it, recording many aspects of the application’s use. The following
registry key holds the user-specific (HKCU) settings for the application:

HKCU\Software\Microsoft\Internet Explorer\Main

For example, in the sibling key HKCU\Software\Microsoft\Internet Explorer\TypedURLs we
can see the websites most recently typed into the address bar by the user (up to 25 on
Windows XP, stored as values url1, url2, ... with url1 the most recent; the list may
include local file paths). Forensically this can be used to provide an overview of the
material a specific user has been viewing, creating a simplified profile of that user’s
surfing habits. We can see from the diagram in the original report that this user accesses
programming, banking and business related sites.

A forensic examiner can determine from the URL list what sites had been visited, but no
timestamp is stored with the individual entries; only the key’s LastWrite time is
available (see the section “The Registry as a Log File” for more detail on this hidden
timestamp). By understanding how the application operates, the URL list can be correlated
with the browser’s history (index.dat) and the Temporary Internet Files folder on the
user’s computer.

The browser also stores the last directory used for downloading a file, allowing a
forensic analyst to understand a user’s personal storage structure, in the value:

HKCU\Software\Microsoft\Internet Explorer\Download Directory


Instant Messaging
As previously described, the registry holds details of all installed applications. From
this we can see when a user has installed an instant messaging application. The programs
that provide this service use consistent registry structures, allowing registry viewing
applications like the one developed for this report to extract forensic information.

We can see from the diagram in the original report the QuickCheck application running on
two separate machines, one without instant messaging and the other with it.

Using this as a simple ‘first step’, it is then possible to examine the contents of these
keys further to extract information about

The Registry as a Log File

The Windows registry carries a useful timestamping feature: every registry key (though not
individual values) stores a ‘LastWrite’ time as a standard FILETIME, a 64-bit count of
100-nanosecond intervals since 1 January 1601 (UTC). The time is updated whenever the key
is created, a value within it is added, changed or deleted, or a subkey is created or
removed, so in principle it is possible to determine precisely when a change was made,
but not which value changed. A journal article on the Windows registry and its use as a
forensic tool by Carvey (2006) discusses exactly this limitation:

With files, it is often difficult to determine what changes were made when the file
was last modified. The forensic analyst may have a copy of the file, and the last
modification time, but may not be able to determine what was changed in the file.
The same holds true for Registry keys that contain several values, as it is often
difficult to determine which value was changed.

Having examined the Microsoft documentation on FILETIME [8], it is clear that in theory
file write times (NTFS also records its timestamps as FILETIMEs) could be paired against
a corresponding registry LastWrite time. That process is outside the scope of this
report. Note that Regedit does not display LastWrite times; a dedicated registry parser
is needed to read them.


Attached Hardware
By navigating to the following key using regedit, it is possible to see each of the
volumes the computer has mounted.

HKLM\SYSTEM\MountedDevices

Here you can see that the drives C: and F: are volumes on fixed (MBR-partitioned) hard
disks, indicated by a short, 12-byte data value made up of the disk’s 4-byte signature
followed by the 8-byte byte-offset of the partition. The other drives are described as
‘removable storage media’ within their data, which is a Unicode device path and is
therefore much longer. The instance part of that path contains the ParentIdPrefix of the
USB device, which links it to the device’s entry (vendor, product and serial number) under
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR.

This information can be useful to a forensic examiner as it shows every storage volume
that has been recognised by the operating system and assigned a drive letter, whether or
not it is currently attached. If the examiner notes a discrepancy between the physically
attached devices and the ones reported here, it can be an indication that some device was
removed prior to the evidence being seized.
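The decoding of MountedDevices value data, as an added example that is not part of the original report or the QuickCheck tool. The sample values are constructed to look like XP data: the disk signature, partition offsets, volume GUIDs and the USB instance string are made up, while the interface GUID is the standard volume device interface class. It also handles the DMIO:ID: layout that later Windows versions use for GPT volumes, which goes beyond the XP case discussed above, and shows how a \??\Volume{GUID} entry is tied back to a drive letter by matching identical data.

```python
"""Decode the data of HKLM\\SYSTEM\\MountedDevices values.

Added example for this report, not the QuickCheck tool's code. The sample
values are constructed; nothing here reads a live registry.
"""
import struct
import uuid

# Interface class GUID for volume devices (GUID_DEVINTERFACE_VOLUME).
VOLUME_INTERFACE = "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"

# Constructed sample: value name -> REG_BINARY data, as XP would store it.
_MBR_DISK = 0x1234ABCD                                   # made-up disk signature
_C_DATA = struct.pack("<IQ", _MBR_DISK, 63 * 512)        # partition at sector 63
_F_DATA = struct.pack("<IQ", _MBR_DISK, 10 * 1024 ** 3)  # second partition, 10 GiB in
_USB_DATA = ("\\??\\STORAGE#RemovableMedia#7&2a1b3c4d&0&RM#"
             + VOLUME_INTERFACE).encode("utf-16-le")
_GPT_DATA = b"DMIO:ID:" + uuid.UUID("1f2e3d4c-0000-4000-8000-000000000001").bytes_le

SAMPLE_MOUNTED_DEVICES = {
    "\\DosDevices\\C:": _C_DATA,
    "\\DosDevices\\F:": _F_DATA,
    "\\DosDevices\\G:": _USB_DATA,
    "\\DosDevices\\H:": _GPT_DATA,
    # Volume GUID names carry the same data as the matching drive letter.
    "\\??\\Volume{0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9}": _C_DATA,
    "\\??\\Volume{ffffffff-0000-0000-0000-000000000001}": _USB_DATA,
}


def decode_mounted_device(data):
    """Classify one value by the layout of its data.

    12 bytes          -> MBR disk signature + partition byte offset
    'DMIO:ID:' + GUID -> GPT partition GUID (Vista and later)
    otherwise         -> UTF-16LE device interface path (removable media etc.)
    """
    if len(data) == 12:
        signature, offset = struct.unpack("<IQ", data)
        return {"kind": "mbr", "disk_signature": f"{signature:08x}",
                "partition_offset": offset}
    if data.startswith(b"DMIO:ID:") and len(data) == 24:
        return {"kind": "gpt",
                "partition_guid": str(uuid.UUID(bytes_le=data[8:]))}
    try:
        path = data.decode("utf-16-le")
    except UnicodeDecodeError:
        return {"kind": "unknown", "hex": data.hex()}
    # \??\STORAGE#RemovableMedia#<instance>#{interface GUID}
    parts = path.lstrip("\\?_").split("#")
    result = {"kind": "device", "path": path}
    if len(parts) >= 3:
        result["enumerator"], result["device_id"], instance = parts[:3]
        # For RemovableMedia the instance is "<ParentIdPrefix>&RM"; the
        # ParentIdPrefix links it to the USBSTOR entry of the physical device.
        result["parent_id_prefix"] = instance.rsplit("&RM", 1)[0]
    return result


def drive_letters(values):
    """Map drive letter -> decoded data for the \\DosDevices\\X: entries."""
    return {name[-2:]: decode_mounted_device(data)
            for name, data in values.items() if name.startswith("\\DosDevices\\")}


def volume_guid_to_letter(values):
    """Map each \\??\\Volume{GUID} name to the drive letter sharing its data."""
    by_data = {data: name[-2:] for name, data in values.items()
               if name.startswith("\\DosDevices\\")}
    return {name: by_data.get(data)
            for name, data in values.items() if name.startswith("\\??\\Volume{")}


if __name__ == "__main__":
    for letter, info in sorted(drive_letters(SAMPLE_MOUNTED_DEVICES).items()):
        print(letter, info)
    print(volume_guid_to_letter(SAMPLE_MOUNTED_DEVICES))
```

A volume GUID entry with no matching drive letter is itself a finding: the volume was mounted at some point but its letter has since been reassigned or the device is no longer present.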


Unread E-Mails
By default, when Microsoft Outlook or Outlook Express is used to read e-mail accounts, the
application inserts an entry in the following key:

HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\

On closer inspection on a ‘live’ system we can see that the operating system records the
number of unread messages for each correctly configured e-mail account. It even includes a
timestamp of when the account was last checked:

In the original report’s screenshot we can see three e-mail accounts (on the left pane),
each with its own values storing the name of the application used to read the e-mails
(Application), a message count (MessageCount) and the time of the last check (TimeStamp,
an 8-byte FILETIME). There the selected account has 13 unread e-mails and uses Microsoft
Outlook as the e-mail client. From this detail we can examine the registry to detect how
Outlook was configured and so determine whether the user was connected to an MS Exchange
server or not. The implication is that more information (such as deleted e-mails) can be
extracted from an Exchange server for possible forensic analysis.

HKCU\Software\Microsoft\Exchange\LogonDomain

And then further information regarding the specific user:

HKCU\Software\Microsoft\Exchange\UserName


UserAssist
Examination of the Windows registry reveals that the operating system stores multiple
entries containing information about the most recently used (MRU) applications. Closer
inspection of the key below reveals that whenever an application is launched through the
Explorer shell (Start menu, desktop shortcut or double-click), a value is stored whose
name is the program path or shortcut name and whose 16-byte data holds a session
identifier, a run counter (which on XP starts at 5) and the FILETIME of the last run. The
value names are encoded using a simple Caesar cipher known as ROT-13 [9], which is easily
deciphered using online tools (or Usenet news applications):

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
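As an added example that is not from the original report or the QuickCheck tool, the following Python decodes an XP UserAssist value (ROT-13 name, session id, run counter and FILETIME of the last run) and reuses the same FILETIME conversion for the UnreadMail TimeStamp value from the previous section and for the key LastWrite times discussed in “The Registry as a Log File”. The UserAssist entry (a run of cmd.exe), the UnreadMail values and the dates are constructed sample data; the 16-byte layout and the counter starting at 5 are the Windows XP behaviour.

```python
"""Decode XP UserAssist values and the FILETIME stamps used across the registry.

Added example for this report, not the QuickCheck tool's code. The sample
values are constructed with struct.pack; nothing here reads a live registry.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

USERASSIST_COUNT_KEY = ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
                        "\\UserAssist\\{75048700-EF1F-11D0-9888-006097DEACF9}\\Count")

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_AS_FILETIME = 116444736000000000   # 1970-01-01 in 100 ns ticks
XP_COUNT_BASE = 5                              # XP stores the first run as 5


def filetime_to_datetime(filetime):
    """100-nanosecond ticks since 1601-01-01 UTC -> aware datetime (UTC).

    Sub-microsecond precision is dropped, as datetime cannot hold it.
    """
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when):
    """Inverse of filetime_to_datetime, for building test data and queries."""
    delta = when - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * 10_000_000
            + delta.microseconds * 10)


def decode_userassist(value_name, data):
    """Decode one value from the UserAssist ...\\Count key (XP layout).

    data: 4-byte session id, 4-byte counter, 8-byte FILETIME of last run.
    Control entries such as UEME_CTLSESSION carry only 8 bytes and no time.
    """
    name = codecs.decode(value_name, "rot_13")
    if len(data) < 16:
        return {"name": name, "run_count": None, "last_run": None}
    session, counter, filetime = struct.unpack("<IIQ", data[:16])
    return {
        "name": name,
        "session": session,
        "run_count": max(counter - XP_COUNT_BASE, 0),
        "last_run": filetime_to_datetime(filetime) if filetime else None,
    }


def decode_unread_mail(values):
    """Decode the values of one UnreadMail\\<address> subkey."""
    (filetime,) = struct.unpack("<Q", values["TimeStamp"])
    return {
        "application": values["Application"],
        "unread": values["MessageCount"],
        "last_checked": filetime_to_datetime(filetime),
    }


# Constructed sample data.
LAST_RUN = datetime(2006, 11, 1, 9, 30, tzinfo=timezone.utc)
SAMPLE_USERASSIST_NAME = codecs.encode(
    "UEME_RUNPATH:C:\\WINDOWS\\system32\\cmd.exe", "rot_13")
SAMPLE_USERASSIST_DATA = struct.pack(
    "<IIQ", 1, XP_COUNT_BASE + 7, datetime_to_filetime(LAST_RUN))
SAMPLE_UNREAD_MAIL = {
    "Application": "Microsoft Office Outlook",
    "MessageCount": 13,
    "TimeStamp": struct.pack("<Q", datetime_to_filetime(
        datetime(2006, 11, 2, 17, 5, 42, tzinfo=timezone.utc))),
}


if __name__ == "__main__":
    print(decode_userassist(SAMPLE_USERASSIST_NAME, SAMPLE_USERASSIST_DATA))
    print(decode_unread_mail(SAMPLE_UNREAD_MAIL))
    print(filetime_to_datetime(UNIX_EPOCH_AS_FILETIME))   # 1970-01-01 00:00 UTC
```

All FILETIMEs are UTC; converting them to the local time zone of the seized machine (recorded under HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation) is a separate step that should be done once, consistently, for every timestamp in the timeline.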


Other MRU
The Windows operating system also stores the most recently used list of the ‘Run’
command in the following registry location:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Each command is stored under a single-letter value name, and the MRUList value holds
those letters in most-recent-first order; the letters themselves say nothing about
recency. Using the application developed for this report it is possible to see a quick
list of each of the stored run commands. From such information it is possible to make
assumptions about the type of user. Here we see that the most recently used tool was the
command prompt, and further down we can see tools such as regedit and telnet, implying
that this user has some knowledge of Windows tools.
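Reconstructing the order of MRU entries, as an added example that is not part of the original report or the QuickCheck tool. The RunMRU values are constructed sample data laid out as XP stores them (letter-named values, each with a trailing \1, and an MRUList string newest-first), including a leftover value that MRUList no longer references and a list entry with no backing value; the second function applies the same idea to the url1..urlN numbering of the TypedURLs key from the Internet Explorer section, so the example covers both keys. The URLs are example.com addresses invented for the sample.

```python
"""Reconstruct most-recently-used order from Explorer MRU keys.

Added example for this report, not the QuickCheck tool's code. Sample values
are constructed; XP stores RunMRU as letter-named values plus an MRUList
string (newest letter first) and TypedURLs as url1 (newest) .. urlN.
"""
import re

RUNMRU_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU"
TYPEDURLS_KEY = "HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs"

# Constructed sample: value name -> data. RunMRU entries end in "\1" on XP.
SAMPLE_RUNMRU = {
    "MRUList": "acb",
    "a": "cmd\\1",
    "b": "regedit\\1",
    "c": "telnet\\1",
    "d": "notepad\\1",      # not referenced by MRUList: left over, order unknown
}
SAMPLE_TYPEDURLS = {
    "url1": "http://www.example.com/",
    "url2": "http://intranet.example.org/reports/",
    "url3": "file:///C:/reports/",
    "url10": "http://mail.example.net/",   # numeric, not lexical, order matters
}

_RUN_SUFFIX = "\\1"
_URL_RE = re.compile(r"^url(\d+)$", re.IGNORECASE)


def _strip_run_suffix(command):
    return command[:-len(_RUN_SUFFIX)] if command.endswith(_RUN_SUFFIX) else command


def mru_order(values, list_name="MRUList"):
    """Return (ordered, leftovers).

    ordered:   [(letter, command or None)] newest first, following MRUList;
               None marks a letter the list names but no value backs.
    leftovers: [(letter, command)] values MRUList does not mention, sorted
               by letter, since their recency cannot be established.
    """
    order = values.get(list_name, "")
    ordered = []
    for letter in order:
        command = values.get(letter)
        ordered.append(
            (letter, _strip_run_suffix(command) if command is not None else None))
    listed = set(order) | {list_name}
    leftovers = [(k, _strip_run_suffix(v)) for k, v in sorted(values.items())
                 if k not in listed]
    return ordered, leftovers


def typed_urls_order(values):
    """TypedURLs newest first: sort on the number in the name, not the string."""
    numbered = []
    for name, url in values.items():
        match = _URL_RE.match(name)
        if match:
            numbered.append((int(match.group(1)), url))
    return [url for _, url in sorted(numbered)]


if __name__ == "__main__":
    ordered, leftovers = mru_order(SAMPLE_RUNMRU)
    for i, (letter, command) in enumerate(ordered, 1):
        print(f"{i}. [{letter}] {command}")
    print("unlisted:", leftovers)
    print(typed_urls_order(SAMPLE_TYPEDURLS))
```

Only the position in MRUList carries meaning; a tool that lists the letter-named values alphabetically, as Regedit does, presents the commands in an order unrelated to when they were typed.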


ShellBags
Windows Explorer is the core file manager supplied with the Windows XP operating system.
Whenever a folder window is opened, resized or has its view changed, Explorer stores the
window’s view settings (size, position, sort order and so on) for that folder, together
with the folder’s name and path, in the ‘ShellBags’ keys. For local folders this is:

HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags

And for folders that roam with the profile (network locations) the following key stores
the data:

HKCU\Software\Microsoft\Windows\Shell\Bags

The accompanying BagMRU subkeys hold the folder hierarchy, so the entries allow the
recreation of folder paths the user has browsed, including folders on removable media or
network shares that no longer exist, providing a very useful forensic resource for
investigators to document. It is suggested, though, that this process be automated using
some form of registry forensic analysis tool, as the information stored in these areas is
binary shell item data that is not easily readable.

Wireless Networks
More and more households are beginning to implement wireless networks, with both PCs and
laptops accessing the Internet over the air. The Windows XP Wireless Zero Configuration
service records every service set identifier (SSID) the machine has connected to, together
with the preferred-network list. An SSID would typically identify a home wireless router
or one of the many wireless hotspots dotted around the country.

By analysing the information in the following key (one subkey per network interface GUID,
with the networks held as binary Static#000n values that contain the SSID), a forensic
analyst can determine which networks the computer has connected to, providing an audit
trail to investigate:

HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces

64-bit Operating Systems

The Microsoft Knowledge Base article describing the registry has recently been updated to
cover the 64-bit versions of Windows (mainly Windows Server 2003 and the 64-bit editions of
Windows XP). Rather than keeping separate hives, Microsoft redirects the keys written by
32-bit applications (which run under the WOW64 compatibility layer) into

HKLM\Software\Wow6432Node

while native 64-bit applications use the ordinary paths. A 32-bit examination tool run on
such a system therefore sees the redirected view of HKLM\Software rather than the 64-bit
one. Microsoft also updated the regedit application so that both views can be examined.
Until 64-bit operating systems are used more widely, it is unlikely that much useful
information will be gathered from here.


Computers Nearby
Windows XP provides a useful but rudimentary network mapping tool embedded in Windows
Explorer (known as My Network Places). By examining the contents of the following
registry key it is possible to demonstrate that a computer belonged to a network, or had
at least been connected to other computers on a Local Area Network (LAN).

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions

The output lists the computers this user has browsed in My Network Places, each with the
description the remote machine advertised. From the results in the original report we can
see laptops, printers and, more importantly, that the machine belonged to a domain
(Asim­ov), indicating that this machine was part of a larger network.


Registry ‘Run’ Exploitation

Now that both desktop computers and even mobile devices run Microsoft operating
systems, a forensic investigator is likely to need to examine a combination of devices.
A common plea by defendants in a court of law is that it was not them who downloaded
illegal content, but a virus or Trojan application acting without their knowledge. If both
the user's desktop computer and their mobile phone can now be implicated by such a plea,
a forensic examiner must understand how a virus could use these registry exploitation
techniques.

A recent article written by Kirk, Jeremy [10] in February 2006 brought to attention a
previous article written by Fogie, Seth (2004) describing a ‘proof-of-concept’ virus sent
to the Mobile Antivirus Researchers Association [11] (MARA), explaining how it is possible
to bridge the gap between mobile devices and the user's desktop computer.

This ‘leap’ is achieved by exploiting the handheld’s dependency upon the user’s desktop
PC through the use of another Microsoft product called ActiveSync. This application
synchronises data on both machines, so a carefully written virus could insert itself into
the startup applications within the desktop’s registry (for more detail on startup keys see
the section “Practical Inspection → Startup Applications”):

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

The virus subsequently waits for ActiveSync to make a successful connection before
infecting a mobile device such as a PDA or mobile phone running Windows CE or the
Windows Mobile operating system. Going beyond a proof of concept, the MARA
organisation released an ‘example’ virus, known as the ‘crossover’ virus, on February 23,
2006 to demonstrate the process. The crossover virus would be executed during each boot,
and as a replication technique it would copy itself to other locations on the computer and
insert more entries into the registry. Eventually this would render the desktop computer
unusable through lack of available disk space. The same effect would be replicated on the
mobile device, exploiting the same start-up process on the mobile operating system.

We can see on the diagram on the following page an examination of the above registry
key indicating that a series of applications will execute during startup. The entry in the
middle of the highlighted list shows the Microsoft ActiveSync application that places
itself in the system tray after loading.


Of course, some antivirus companies have moved into the mobile anti-virus market, but in
response a subsequent variation of the crossover virus was developed that first disabled
the anti-virus upon synchronisation.

The implication is that if the same simple registry exploitation can be applied across
multiple devices, it would be possible to claim that an infected mobile device passed on a
virus to a desktop computer (or vice versa). From understanding the structure of the virus
and its use of the registry, a forensic examiner can determine the nature of the virus and
its function, therefore ruling out the possibility that it was a virus/Trojan that downloaded
the illegal content.

A further registry exploitation technique was recently discovered by a company called
Secunia [12], who reported in 2005 (and as yet it stands unpatched) that the Windows regedit
application fails to display keys whose names are longer than 254 characters. As a result
it is possible to hide a key (and its subkeys) simply by giving it a name longer than this
limit. The example given is to hide one of these long keys within one of the ‘Run’
locations, thus hiding an application's existence from a quick inspection.
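Both points above, the startup entries held under the Run keys and the concealment of over-long names from regedit, can be checked offline against a regedit text export of the Run locations. The Python script below is an added example for readers of this report, not code from the original coursework or from the QuickCheck application: it parses a "Windows Registry Editor Version 5.00" export, lists every value under the Run locations discussed in this report and flags any key or value name longer than 254 characters; the sample export and the executable paths in it are constructed, not taken from a real system.

```python
import re

# Autostart locations discussed in this report, written as regedit exports them.
HKLM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
RUN_KEYS = {HKLM + r"\Run", HKLM + r"\RunOnce", HKLM + r"\Policies\Explorer\Run",
            HKCU + r"\Run", HKCU + r"\RunOnce",
            r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run"}
_RUN_LOWER = {k.lower() for k in RUN_KEYS}   # registry names are case-insensitive
REGEDIT_NAME_LIMIT = 254   # longer names are not shown by regedit (Secunia advisory, 2005)
KEY_RE = re.compile(r"^\[(.+)\]$")                    # [HKEY_...\Path]
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=data; \" and \\ are escapes

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def _unquote(data):
    """Strip and unescape a quoted REG_SZ literal; leave dword:/hex: literals as they are."""
    return _unescape(data[1:-1]) if len(data) >= 2 and data[0] == data[-1] == '"' else data

def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys[current] = {}
        elif current is not None and line.startswith("@="):       # the key's default value
            keys[current][""] = _unquote(line[2:])
        elif current is not None and (m := VALUE_RE.match(line)):
            keys[current][_unescape(m.group(1))] = _unquote(m.group(2))
    return keys

def audit_autostart(keys):
    """Return (entries, hidden): every value under a Run location, and every value name or
    Run subkey name that is too long for regedit to display."""
    entries, hidden = [], []
    for key, values in keys.items():
        parent, _, leaf = key.rpartition("\\")
        if key.lower() in _RUN_LOWER:
            entries += [(key, n, d) for n, d in values.items()]
        elif parent.lower() in _RUN_LOWER and len(leaf) > REGEDIT_NAME_LIMIT:
            hidden.append(("key", key))            # long subkey planted under a Run key
        hidden += [("value", key + "\\" + n) for n in values if len(n) > REGEDIT_NAME_LIMIT]
    return entries, hidden

# Constructed sample export (not from a real system): one legitimate ActiveSync entry,
# plus one value and one subkey whose names exceed the regedit display limit.
LONG_NAME = "A" * 260
SAMPLE_REG = rf'''Windows Registry Editor Version 5.00
[{HKLM}\Run]
"ActiveSync"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\" /a"
"{LONG_NAME}"="C:\\WINDOWS\\system32\\unknown.exe"
[{HKLM}\Run\{LONG_NAME}]
@="C:\\WINDOWS\\Temp\\unknown2.exe"'''
```

Run against a real export (regedit, File → Export, as text) the `hidden` list is the set of names an examiner would miss when inspecting the Run keys in regedit alone.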


Conclusions
Overview
The Microsoft Windows operating system has been the main operating system for
businesses and home users all over the world. To some home users, Windows is the only
operating system they know, and to suggest alternatives is simply over their heads, so to
then try to explain the complexities of the registry would completely baffle them. It is
also true to say that most users are to some degree ignorant of the functionality of the
programs they use every day. This ignorance gives the forensic examiner a head start,
allowing them to locate data such as that discussed in this report and to generate
evidence about a suspect's possible usage of their computer.

For a forensic examiner, being able to construct folder listings (streamMRU) and
reconstruct a timeline of changed entries means they can generate a more precise record
of what occurred on a given machine. The added ‘value’ gained from the registry is best
expressed in the following table, which rates a sample of the registry keys shown in this
report according to how much information each can provide to a forensic examiner.

Hive   Key                                                                          Rating
HKCU   Software\Microsoft\Internet Explorer\IntelliForms\SPW                            10
HKCU   Software\Microsoft\Protected Storage System Provider                             10
HKLM   SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce                                 7
HKLM   SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run                   7
HKLM   SOFTWARE\Microsoft\Windows\CurrentVersion\Run                                     7
HKCU   Software\Microsoft\Windows NT\CurrentVersion\Windows\Run                          7
HKCU   Software\Microsoft\Windows\CurrentVersion\Run                                     7
HKCU   Software\Microsoft\Windows\CurrentVersion\RunOnce                                 7
HKLM   SOFTWARE\Microsoft\Windows NT\CurrentVersion                                      6
HKCU   Software\Microsoft\Internet Explorer\Main                                         8
HKCU   Software\Microsoft\Internet Explorer\Download Directory                           4
HKLM   SYSTEM\MountedDevices                                                             5
HKCU   Software\Microsoft\Windows\CurrentVersion\UnreadMail\                             4
HKCU   Software\Microsoft\Exchange\LogonDomain                                           4
HKCU   Software\Microsoft\Exchange\UserName                                              4
HKCU   Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU                         5
HKCU   Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\%profile%\Count     8
HKCU   Software\Microsoft\Windows\ShellNoRoam\Bags                                       9
HKCU   Software\Microsoft\Windows\Shell\Bags                                             9
HKLM   SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces                                   8
HKLM   Software\WOW6432                                                                  2
HKCU   Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions           7


Summary
As can be seen from the table in the overview, the registry can provide a lot of
information. Quite a lot of this information needs direct examination to determine
whether further investigation is required. For example, if you look at any of the
instant messaging keys, it is obvious that without first discovering the user's sign-on
name, you cannot examine the data within that profile. With further modification, the
application developed for this report could quite easily be extended to ‘intelligently’
determine which keys to follow within the registry, based on information gathered from
other keys.

The main criticism of the Windows registry is that it results in one centralised
database, introducing a “single point of failure”: if the registry gets damaged or
corrupted, a complete re-install of the operating system is needed. Windows 9.x also
had issues with large registry databases, introducing stability issues during startup. This
operating system was also prone to crashes after even the smallest manual change to the
registry database. It is strange to discover that Microsoft would base their flagship product
around a central database that had no real redundancy and, if modified by accident, could
render a machine completely useless. This ‘stability’ must have been a main concern
during the development of Windows 98, which was a little more stable, not relying on the
DOS underpinnings as Windows 95 did. However, since the development of the NT
kernel we have the luxury of log files, which are used to protect the registry during
updates, allowing the operating system to roll back if necessary.

From a programmer's point of view, the registry's improvements over the older
Windows 98/95 systems mean that a reboot is no longer required for any changes to take
effect. This means that rapid application development can continue without interruptions,
and it makes it even simpler to create user-friendly applications that remember users'
preferences.

As users of the dominant operating system we must understand that measures have been
put in place to enable the storage of information that makes the use of the system
friendlier. This increase in usability comes at a price: it allows forensic investigators to
extract otherwise hidden user information, enabling a reconstruction of the computer's
use. Of course, for the paranoid user it is possible to obtain software that will ‘clean’ areas
of the registry, but as the core of the operating system uses the registry, it is unlikely that
all traceable information could be removed, as doing so would disrupt the operation of
the system. The use of the registry by the operating system will always provide the
forensic examiner with information about the user, even if it is simply access times, and
even the smallest amount of evidence could be enough to convict a suspect.


Application: Registry QuickCheck

Overview
Using standard rapid application development techniques, a basic 32-bit Windows
application was constructed to access some of the more generic keys that the Windows
registry stores. The initial keys were listed in a White Paper written by AccessData called
the “Registry Quick Find Chart” which lists hundreds of keys that can be used by a
forensic examiner to identify suspect information.

The aim of the application was to develop some code that categorised the keys into
known areas such as Networking, Instant Messaging and most recently used lists. The
developed application was used in conjunction with the Windows regedit utility due to
time restrictions.

The tools required to re-compile the following source code are:

• Borland Delphi 2005 (http://www.borland.com/)
• the free TWmiRegistry component (http://www.online-admin.com/twmiregistry.html)

Source Code
The following six pages contain the source listing for the project.


References
Online Articles
AccessData (2006) Registry Quick Find Chart [online] AccessData Corp, Available
from: http://www.accessdata.com/support/white%5Fpapers/ [Accessed on: 5th March
2006]

Danford, Robert (2005) Updated Windows Registry Concealment Info [online] SANS
Institute, Available from: http://isc.sans.org/diary.php?date=2005-08-25 [Accessed on:
12th March 2006]

Evers, Joris (2005) Flaw may hide malicious software [online] CNET News.com,
Available from: http://news.com.com/Flaw+may+hide+malicious+software/2100-1002_3-5843863.html
[Accessed on: 12th March 2006]

Microsoft (2005) Description of the Microsoft Windows registry [online] Microsoft,
Available from: http://support.microsoft.com/kb/256986 [Accessed on: 16th March 2006]

Online-Admin (2006) TWmiRegistry Component [online] Online-Admin, Available from:
http://www.online-admin.com/twmiregistry.html [Accessed on: 11th March 2006]

Wikipedia (2004) Windows Registry [online] Wikipedia, Available from:
http://en.wikipedia.org/wiki/Windows_registry [Accessed on: 13th April 2006]

Books
Casey, Eoghan (2004) Computer Crime Investigation [Book] Publisher: Elsevier, ISBN:
0-12-163103-6

Kruse, Warren G. and Heiser, Jay G. (2004) Computer Forensics: Incident Response
Essentials [Book] Publisher: Addison Wesley, ISBN: 0201707195

Mathews, Martin S. (1998) Windows 98 Answers [Book] Publisher: Osborne, ISBN:
0-07-882455-9

Minasi, Mark (2002) Windows Server 2003 [Book] Publisher: Sybex, ISBN:
0-7821-4130-7

Person, Ron (1995) Using Windows 95 [Book] Publisher: Que, ISBN: 1-56529-921-3

Person, Ron (1998) Using Windows 98 [Book] Publisher: Que, ISBN: 0-7897-1489-2

Reisdorph, Kent (1998) Borland Delphi 4 in 21 Days [Book] Publisher: Sams, ISBN:
0-672-31286-7

Journals
Carvey, Harlan (2005) The Windows Registry as a forensic resource, Digital Investigation,
Volume 2, Issue 3, September 2005, Pages 201-205.
Available from: http://www.sciencedirect.com/science/article/B7CW4-4GX1J3B-1/2/6f94db2adc419ceacce8e366614ad34f

Zenkin, Denis (2000) Anti-virus software reports on Windows registry changes, Computer
Fraud & Security, Volume 2000, Issue 6, 1 June 2000, Page 6.
Available from: http://www.sciencedirect.com/science/article/B6VNT-40HV0RB-K/2/c561ffb3c2f1ce6cad7d88e68fc87051

Tighter permissions for Windows registry key (2000) Network Security, Volume 2000,
Issue 5, 1 May 2000, Page 2.
Available from: http://www.sciencedirect.com/science/article/B6VJG-40GJF40-3/2/777abbca686e4e1fceb8ab9bbfc0dea4


End Notes
1. Computer Hope (2000) Information and help with Windows 3.0, 3.1 and 3.11 [online]
Computer Hope, Available from: http://www.computerhope.com/win3x.htm [Accessed
on: 18th April 2006]
2. Microsoft (2005) Description of the Registry Files in Windows 98/95 [online]
Microsoft, Available from: http://support.microsoft.com/kb/250410/EN-US/ [Accessed
on: 16th March 2006]
3. Microsoft (2005) Description of the Microsoft Windows registry [online] Microsoft,
Available from: http://support.microsoft.com/kb/256986 [Accessed on: 16th March 2006]
4. Russinovich, Mark (2006) Inside the Registry [online] Windows NT Magazine,
Available from:
http://www.microsoft.com/technet/archive/winntas/tips/winntmag/inreg.mspx?mfr=true
[Accessed on: 4th April 2006]
5. Person, Ron (1998) Using Windows 98 [Book] Publisher: Que, ISBN: 0-7897-1489-2
6. Mar-Elia, Darren (2000) How the Registry Is Architected [online] Windows IT Library,
Available from: http://www.windowsitlibrary.com/Content/224/3.html [Accessed on: 17th
April 2006]
7. Sofer, Nir (2002) Protected Storage PassView v1.62 [online] NirSoft, Available from:
http://www.nirsoft.net/utils/pspv.html [Accessed on: 17th April 2006]
8. Microsoft (2006) File Times [online] Microsoft MSDN, Available from:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sysinfo/base/file_times.asp
[Accessed on: 17th April 2006]
9. Gordon, Stewart (2006) ROT13 Encoder and Decoder [online] Port5, Available from:
http://smjg.port5.com/faqs/usenet/rot13c.html [Accessed on: 16th April 2006]
10. Kirk, Jeremy (2006) Virus can pass from PCs to mobile devices [online] TechWorld,
Available from: http://www.techworld.com/news/index.cfm?newsID=5464 [Accessed on:
12th April 2006]
11. MARA (2005) Mobile Antivirus Researchers Association [online] MARA, Available
from: http://www.mobileav.org/ [Accessed on: 12th April 2006]
12. Franchuk, Igor (2005) Windows Registry Editor Utility String Concealment Weakness
[online] Secunia, Available from: http://secunia.com/advisories/16560/ [Accessed on: 18th
April 2006]
