Registry Stuff
I ran across a tweet recently from Andrew Case (@attrc on Twitter) regarding a Registry key with some interesting entries; specifically, the key HKLM\Software\Microsoft\RADAR\HeapLeakDetection.
To get an idea of what this key might be all about, I did some research and found this page at the Microsoft site, with an embedded video. From watching the video, I learned that RADAR is a technology embedded in Windows 7 that monitors memory leaks so that data can be collected and used to correct issues with memory leaks in applications. The developer being interviewed in the video give four primary goals for RADAR:
- To perform as near real-time as possible memory leak detection
- To perform high granularity detection, down to the function
- To perform root cause analysis; data must be sufficient enough to diagnose the issue
- To respect user privacy (do not collect user data)
So, what does this mean to the analyst? Well, looking around online, I see hits for gaming pages, but not much else, with respect to the Registry keys. Looking at one of my own systems, I see that beneath the above key that there is a subkey named "DiagnosedApplications", and beneath that several subkeys with the names of applications, one of which is "Attack Surface Analyzer.exe". Beneath each of these keys is a value called "LastDetectionTime", and the QWORD data appears to be a FILETIME object.
At first glance, this would likely be a good location to look for indications of applications being run; while I agree, I also think that we (analysts) need to have a better understanding of what applications would appear in these keys; under what conditions are artifacts beneath these keys created or modified. There definitely needs to be more research into this particular key. Perhaps one way of determining this is to create a timeline of system activity, and add the LastDetectionTime information for these keys to the timeline.
Andrew also recently released his Registry Decoder, "an open source tool that automates the acquisition, analysis, and reporting of Microsoft Windows registry contents. The tool was initially funded by the National Institute of Justice (NIJ) and is now ready for public release." I had an opportunity to take a look at a beta version of this tool, and I can definitely see the value of having all of the listed functionality available in one application. |
To get an idea of what this key might be all about, I did some research and found this page at the Microsoft site, with an embedded video. From watching the video, I learned that RADAR is a technology embedded in Windows 7 that monitors memory leaks so that data can be collected and used to correct issues with memory leaks in applications. The developer being interviewed in the video give four primary goals for RADAR:
- To perform as near real-time as possible memory leak detection
- To perform high granularity detection, down to the function
- To perform root cause analysis; data must be sufficient enough to diagnose the issue
- To respect user privacy (do not collect user data)
So, what does this mean to the analyst? Well, looking around online, I see hits for gaming pages, but not much else, with respect to the Registry keys. Looking at one of my own systems, I see that beneath the above key that there is a subkey named "DiagnosedApplications", and beneath that several subkeys with the names of applications, one of which is "Attack Surface Analyzer.exe". Beneath each of these keys is a value called "LastDetectionTime", and the QWORD data appears to be a FILETIME object.
At first glance, this would likely be a good location to look for indications of applications being run; while I agree, I also think that we (analysts) need to have a better understanding of what applications would appear in these keys; under what conditions are artifacts beneath these keys created or modified. There definitely needs to be more research into this particular key. Perhaps one way of determining this is to create a timeline of system activity, and add the LastDetectionTime information for these keys to the timeline.