What is "Registry Analysis"??
What is this thing called (that's the second time I've used that Benny Hill reference in this blog)...Registry analysis?
For most folks, this phrase probably conjures memories opening a hive file in their favorite Registry viewer (RegEdit, EnCase, ProDiscover, or RFV, etc.) and looking at a couple of the more popular entries, such as the "ubiquitous Run key". Others may run though an entire list or spreadsheet worth of Registry keys and values. Manually. By hand. How boring. And if you're a corporate consultant, there's no better way to waste a customer's money as you burn through the hours on this chore, calling it Registry analysis.
But is this really analysis? Is analysis simply viewing data, or is it extracting data and interpreting that data in not only its own context , but also in context with other data?
One of the things I've stated in my books as well as in this blog is that when interpreting data (particularly data extracted from the Registry) its vital that the analyst understand what created or modified (with deletion being the extreme form of modification) a particular artifact, so that the nature and context of that artifact is understood (and presented/explained). For example, what would lead to a graphics image file being referenced in the MRU list to an image viewing application? The artifact is there, but what lead to its creation? Depending upon how that particular MRU list is maintained by the application, you may have a very specific timestamp associated with the artifact, as well...one that may correlate with the last access time of the file. Ah, but there's another point about Registry analysis, analysis in general, and understanding the context of artifacts...beginning with Vista, MS disabled the updating of last access times on files by default, so now analysts can't correlate a file's last access time to other artifacts.
So my point is that Registry analysis isn't just about viewing certain keys and data...no, that's Registry viewing. Rather, Registry analysis is about interpreting Registry artifacts (keys, LastWrite times, values, and data) in the context of the actions that led to their creation and modification, as well as in the context of other artifacts. Tools such as RegRipper strive to assist analysts and examiners with this sort of analysis, by providing a framework for extraction, correlation, a modicum of interpretation, as well as the presentation of the data with some supporting information.
Growth and research in this area appears to be sought after by the community, but is also limited by a lack of support and contributions from the community.
Timeline Analysis
Registry data can be an integral part of a timeline created for analysis; however, there is much more timestamped data available in the Registry than just key LastWrite times...sort of like that quote from Hamlet. For example, on Windows XP, some data holds the SSIDs that the user connected the system to via wireless networking, as well as the WAP MAC addresses and when the connection was made. On Vista, you also get the first and last time that SSID was connected to (as well as the WAP MAC address). Let's not forget other keys and values, such as MRU listings and one of my personal favorites, the UserAssist subkeys. These aren't the only differences between Windows versions...and I'm sure that there are others out there who are working on documenting these differences besides myself.
For most folks, this phrase probably conjures memories opening a hive file in their favorite Registry viewer (RegEdit, EnCase, ProDiscover, or RFV, etc.) and looking at a couple of the more popular entries, such as the "ubiquitous Run key". Others may run though an entire list or spreadsheet worth of Registry keys and values. Manually. By hand. How boring. And if you're a corporate consultant, there's no better way to waste a customer's money as you burn through the hours on this chore, calling it Registry analysis.
But is this really analysis? Is analysis simply viewing data, or is it extracting data and interpreting that data in not only its own context , but also in context with other data?
One of the things I've stated in my books as well as in this blog is that when interpreting data (particularly data extracted from the Registry) its vital that the analyst understand what created or modified (with deletion being the extreme form of modification) a particular artifact, so that the nature and context of that artifact is understood (and presented/explained). For example, what would lead to a graphics image file being referenced in the MRU list to an image viewing application? The artifact is there, but what lead to its creation? Depending upon how that particular MRU list is maintained by the application, you may have a very specific timestamp associated with the artifact, as well...one that may correlate with the last access time of the file. Ah, but there's another point about Registry analysis, analysis in general, and understanding the context of artifacts...beginning with Vista, MS disabled the updating of last access times on files by default, so now analysts can't correlate a file's last access time to other artifacts.
So my point is that Registry analysis isn't just about viewing certain keys and data...no, that's Registry viewing. Rather, Registry analysis is about interpreting Registry artifacts (keys, LastWrite times, values, and data) in the context of the actions that led to their creation and modification, as well as in the context of other artifacts. Tools such as RegRipper strive to assist analysts and examiners with this sort of analysis, by providing a framework for extraction, correlation, a modicum of interpretation, as well as the presentation of the data with some supporting information.
Growth and research in this area appears to be sought after by the community, but is also limited by a lack of support and contributions from the community.
Timeline Analysis
Registry data can be an integral part of a timeline created for analysis; however, there is much more timestamped data available in the Registry than just key LastWrite times...sort of like that quote from Hamlet. For example, on Windows XP, some data holds the SSIDs that the user connected the system to via wireless networking, as well as the WAP MAC addresses and when the connection was made. On Vista, you also get the first and last time that SSID was connected to (as well as the WAP MAC address). Let's not forget other keys and values, such as MRU listings and one of my personal favorites, the UserAssist subkeys. These aren't the only differences between Windows versions...and I'm sure that there are others out there who are working on documenting these differences besides myself.