Windows Registry Forensic Analysis Part 1 - Windows Forensics Manual 2018 | Lucideus
Newer versions of operating systems keep appearing with new features and updates. The most widely used operating system is Windows, which gives the user a friendly interface and many more facilities. Each OS uses some type of file structure, called the Registry, to store information about its files and settings. In this document we focus only on Microsoft Windows 10 Version 1803 (OS Build 17134.165).
In early versions of Windows, specific system files stored information in directories holding default or user-customised application, security or software settings. Later, user settings and other relevant information were systematically encapsulated in a structured format known as the Windows Registry. We can summarise the Windows Registry in a few simple facts:
- The Registry is robust
- It helps individual pieces of software communicate better
- It stores data in a hierarchical structure to keep things organized
- It serves as an archive for collecting and storing configuration settings
- It supports multiple users (user-specific data)
- System components are stored in main folders called hives
- The information is time stamped
This document further introduces the Windows Registry, why it is important from the forensic point of view, and how it can help in obtaining evidence to prove or disprove a case. The document also describes where the registry files are stored in the system directory and which registry keys are the most helpful. Each key is described with its location in the registry hive.
About the Windows Registry
The Registry is a hierarchical database that stores low-level settings and other information for the Microsoft Windows operating system and for applications that choose to use it. The registry is in use from the moment the operating system is installed: settings for the kernel, device drivers, hardware and the user interface are all stored in the Windows Registry.
When programs and applications are installed on the system, their configuration and default values are stored in the registry, although some applications do not use the Windows Registry at all. For example, .NET Framework applications use XML files for configuration, and portable applications usually keep their configuration data in files within the directory where the application executable resides.
Importance of Registry in Windows Forensics
For a forensic analyst, the Registry is a treasure box of information. It is the database that contains the default settings and the user- and system-defined settings of a Windows computer. The Registry serves as a repository that monitors, observes and records the activities performed by the user on the computer. The data is stored in main folders in a tree-like structure: each main folder is called a hive, its subfolders are called keys and subkeys, and each component's configuration is stored in values. Some important aspects of the Windows Registry are:
- The Windows Registry can be considered a gold mine of forensic evidence.
- We can create new registry keys manually or modify the ones that already exist.
- The original files that contain the registry values are stored in the system directory itself.
- Registry files are system protected and cannot be accessed by any user unless administrative access is granted.
- For investigation purposes, the forensic investigator analyses registry files with tools such as Registry Viewer, Regshot, Registry Browser, etc.
- Information about Trojans and malware can be found in the registry.
Main Registry Hives
- HKEY_CLASSES_ROOT
- HKEY_CURRENT_USER
- HKEY_LOCAL_MACHINE/SAM
- HKEY_LOCAL_MACHINE/SOFTWARE
- HKEY_LOCAL_MACHINE/SECURITY
- HKEY_LOCAL_MACHINE/SYSTEM
- HKEY_USERS
- HKEY_CURRENT_CONFIG
When acquiring registry files from the system we need to use an imaging tool that can obtain system-protected files, because only then can we access and analyse them with the help of a registry viewer. We cannot copy these files directly from a running system because they are in use by the system (the Registry Editor accesses them through the running kernel). The HKEY_CURRENT_USER data is stored in a file called NTUSER.DAT located at “%SystemRoot%\Users\”.
Other important files that make up HKEY_LOCAL_MACHINE are SAM, SOFTWARE, SECURITY and SYSTEM, which are located at “%SystemRoot%\Windows\System32\config” along with some other files that are also important from the forensic perspective. These files have no file extension, which makes them harder for users to access.
Figure 1: Path for HKEY_CURRENT_USER file NTUSER.DAT
Figure 2: Path for HKEY_LOCAL_MACHINE files SAM, SYSTEM, SOFTWARE, SECURITY
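Once a hive file such as SAM, SYSTEM or NTUSER.DAT has been acquired with an imaging tool, it is just a binary file, and the hive, key and timestamp structure described under "Importance of Registry in Windows Forensics" can be read straight from it. The Python script below is an added example; it is not part of the original document and not code from Lucideus or any registry tool. It parses the base block of a hive file (the "regf" signature, the two sequence numbers, the last-write timestamp, the embedded file name and the header checksum) and the root key cell it points to, and it builds a constructed sample hive so that it runs offline. Offsets follow the publicly documented REGF on-disk format; the hive name, FILETIME value and key name in the sample are constructed, and the function names and the KEY_* constants are this example's own.

```python
"""Parse a Windows registry hive base block and its root 'nk' key cell.
Offsets follow the public REGF format; the sample hive is constructed, not real."""
import struct
from datetime import datetime, timedelta, timezone

HBIN_BASE = 0x1000       # hive bins start right after the 4096-byte base block
KEY_HIVE_ENTRY = 0x0004  # nk flag: this key is the root of the hive
KEY_COMP_NAME = 0x0020   # nk flag: key name stored as ASCII rather than UTF-16LE

def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def header_checksum(base_block: bytes) -> int:
    """XOR-32 over the first 508 bytes of the base block; stored at offset 0x1FC."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:0x1FC]):
        csum ^= dword
    return 0xFFFFFFFE if csum == 0xFFFFFFFF else (csum or 1)

def parse_base_block(hive: bytes) -> dict:
    """Validate the hive header and report the fields an examiner checks first."""
    hdr = hive[:HBIN_BASE]
    if hdr[:4] != b"regf":
        raise ValueError("not a registry hive: 'regf' signature missing")
    (seq1, seq2, ft, major, minor, ftype, _fmt,
     root_off, bins_size) = struct.unpack_from("<IIQIIIIII", hdr, 4)
    return {
        "sequence_primary": seq1, "sequence_secondary": seq2,
        # Unequal sequence numbers: the last write never completed, so the hive is
        # "dirty" and its .LOG transaction files must be replayed before analysis.
        "dirty": seq1 != seq2,
        "last_written": filetime_to_datetime(ft),
        "version": f"{major}.{minor}",
        "is_primary_file": ftype == 0,   # file type 1 is a transaction log
        "root_cell_offset": root_off,    # relative to HBIN_BASE
        "hive_bins_size": bins_size,
        "embedded_name": hdr[0x30:0x70].decode("utf-16-le").rstrip("\x00"),
        "checksum_ok": struct.unpack_from("<I", hdr, 0x1FC)[0] == header_checksum(hdr),
    }

def parse_key_cell(hive: bytes, cell_offset: int) -> dict:
    """Read a key node ('nk') cell: name, last-write timestamp and child counts."""
    pos = HBIN_BASE + cell_offset
    (size,) = struct.unpack_from("<i", hive, pos)
    if size >= 0:                     # allocated cells carry a negative size
        raise ValueError("cell is unallocated")
    rec = pos + 4                     # record starts after the size field
    if hive[rec:rec + 2] != b"nk":
        raise ValueError("not a key node cell")
    flags, ft = struct.unpack_from("<HQ", hive, rec + 2)
    (n_subkeys,) = struct.unpack_from("<I", hive, rec + 0x14)
    (n_values,) = struct.unpack_from("<I", hive, rec + 0x24)
    (name_len,) = struct.unpack_from("<H", hive, rec + 0x48)
    raw = hive[rec + 0x4C:rec + 0x4C + name_len]
    name = raw.decode("ascii") if flags & KEY_COMP_NAME else raw.decode("utf-16-le")
    return {"name": name, "last_write": filetime_to_datetime(ft), "subkeys": n_subkeys,
            "values": n_values, "is_root": bool(flags & KEY_HIVE_ENTRY)}

def build_sample_hive() -> bytes:
    """Construct a minimal hive: base block plus one hbin holding one root 'nk' cell."""
    ft = 131_761_120_000_000_000  # constructed FILETIME (a date in mid-2018)
    rec = bytearray(0x4C)         # fixed part of the nk record
    rec[0:2] = b"nk"
    struct.pack_into("<HQ", rec, 0x02, KEY_HIVE_ENTRY | 0x0008 | KEY_COMP_NAME, ft)
    for off in (0x10, 0x1C, 0x20, 0x28, 0x2C, 0x30):   # parent and list offsets: none
        struct.pack_into("<I", rec, off, 0xFFFFFFFF)
    struct.pack_into("<I", rec, 0x14, 3)   # subkey count (the lists themselves are omitted)
    struct.pack_into("<I", rec, 0x24, 2)   # value count
    struct.pack_into("<H", rec, 0x48, 4)   # name length of "ROOT"
    cell = bytearray(88)                   # 4 + 0x4C + 4 = 84 bytes, padded to 88
    struct.pack_into("<i", cell, 0, -88)
    cell[4:4 + 0x4C] = rec
    cell[4 + 0x4C:4 + 0x4C + 4] = b"ROOT"
    hbin = bytearray(0x1000)
    hbin[0:4] = b"hbin"
    struct.pack_into("<IIQQ", hbin, 4, 0, 0x1000, 0, ft)  # offset, size, reserved, time
    hbin[0x20:0x20 + 88] = cell
    struct.pack_into("<i", hbin, 0x20 + 88, 0x1000 - 0x20 - 88)  # remainder: one free cell
    hdr = bytearray(HBIN_BASE)
    hdr[0:4] = b"regf"
    struct.pack_into("<IIQIIIIII", hdr, 4, 7, 7, ft, 1, 5, 0, 1, 0x20, 0x1000)
    struct.pack_into("<I", hdr, 0x2C, 1)   # clustering factor
    hdr[0x30:0x30 + 22] = "SAMPLE-HIVE".encode("utf-16-le")   # constructed name
    struct.pack_into("<I", hdr, 0x1FC, header_checksum(hdr))
    return bytes(hdr + hbin)

def with_sequence_numbers(hive: bytes, primary: int, secondary: int) -> bytes:
    """Copy of the hive with rewritten sequence numbers and a recomputed checksum."""
    buf = bytearray(hive)
    struct.pack_into("<II", buf, 4, primary, secondary)
    struct.pack_into("<I", buf, 0x1FC, header_checksum(buf))
    return bytes(buf)

if __name__ == "__main__":
    sample = build_sample_hive()
    print(parse_base_block(sample))
    print(parse_key_cell(sample, parse_base_block(sample)["root_cell_offset"]))
```

The sequence-number comparison is the check worth doing first on an acquired hive: an image taken from a live system frequently catches a hive mid-write, and unequal numbers mean the .LOG transaction files stored beside it in the config folder must be replayed (or the hive re-acquired) before the values it holds are trusted. The same header check also tells SAM, SYSTEM, SOFTWARE and SECURITY apart from unrelated extension-less files in that folder, since only hives begin with the "regf" signature.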
Detailed Explanation
HIVE | Description
HKEY_CLASSES_ROOT | This is the largest of the keys in terms of the space occupied. It is the merger of two keys with respect to per-user settings: HKLM\Software\Classes and HKCU\Software\Classes are merged together to create HKEY_CLASSES_ROOT. (Figure 3: HKEY_CLASSES_ROOT Hive)
HKEY_CURRENT_USER | HKCU keys are the current user settings, specific to the currently logged-on user. It is derived from a link to HKCU\SID, where SID is the Security Identifier of the user. Each user gets their own user key to store unique settings. (Figure 4: HKEY_CURRENT_USER Hive)
HKEY_CURRENT_CONFIG | It is used to organize the current hardware configuration profile, which is derived from a link to HKLM\System\CurrentControlSet\HardwareProfiles\Current. (Figure 5: HKEY_CURRENT_CONFIG Hive)
HKEY_USERS | HKU contains the settings that apply to all users. All the HKCU keys are maintained under this key. (Figure 6: HKEY_USERS Hive)
HKEY_LOCAL_MACHINE | HKLM is used to organize the current computer settings. These settings apply to the machine and to all of the users it contains. (Figure 7: HKEY_LOCAL_MACHINE Hive)
HKEY_LOCAL_MACHINE/SAM | SAM stands for System Account Manager. This key is used to store and organize all the system passwords. It is a system-protected file. The SAM key is the most important one for an attacker trying to exploit the system. (Figure 8: System Account Manager Key under HKEY_LOCAL_MACHINE Hive)
HKEY_LOCAL_MACHINE/SOFTWARE | Most programs installed on the system create keys in the HKLM\Software section of the Windows Registry. This key contains all the configuration settings, executables, paths and uninstallation information. (Figure 9: Software Key under HKEY_LOCAL_MACHINE Hive)
HKEY_LOCAL_MACHINE/SECURITY | HKLM\Security contains the security database of the domain into which the current user is logged on. The key is linked to the local machine, and the kernel reads it to enforce the security policy applicable to the current user and to all applications or operations executed by the user. The Security key usually looks empty unless administrative access is given. (Figure 10: Security Key under HKEY_LOCAL_MACHINE Hive)
HKEY_LOCAL_MACHINE/SYSTEM | HKLM\System is one of the most important registry files; it is located in the config folder of the Windows System32 directory. This key contains all the system configuration for all users and can only be modified with administrative access. It holds information such as system default settings, external drives, kernel settings, and all applications that execute or perform any operation using the HKLM\Security key. (Figure 11: System Key under HKEY_LOCAL_MACHINE Hive)
Conclusion
The Windows Registry is a significant forensic resource that provides a comprehensive picture of a case. With the techniques described in this document, an investigator can precisely acquire the registry files from a compromised system. We have described the format of the registry and the data it can uncover. If a single key is unreadable, the subkeys below it in the tree are also inaccessible. There are various tools for reading and analysing the registry; in addition, we also have the option of browsing the registry tree from the command line by using regedit.exe.
The Windows Registry is essential and its exploration still continues. Even if we know every key, subkey and value of the Windows Registry, we still need to consider how to use them in real cases. In the second part of this document, the important keys and subkeys are explained by their location and the data they contain, to help the forensic investigation.