Monday, October 28, 2013

Windows Systems and Artifacts in Digital Forensics, Part I: Registry



Learning about artifacts in Windows is crucial for digital forensics examiners, as Windows accounts for most of the traffic in the world (91.8% of traffic came from computers running Windows as their operating system as of 2013), so examiners will most likely encounter Windows and will have to collect evidence from it in almost all cyber-crime cases. Below, we discuss several places from which evidence may be gathered and ways to collect information from Windows.
Windows actually provides a great abundance of artifacts, and being aware of them is helpful not only for examiners but also for companies and individuals trying, for example, to permanently and irrevocably erase sensitive information or to perform informal investigations.
Before we start, we have to mention that collecting evidence is not the sole challenge examiners face: the challenge is to locate and identify, collect, preserve, and interpret the information, and collecting it is only one piece of the puzzle. In this paper we will only be able to glimpse this wealth of artifacts, but its forensic significance will be immediately apparent.

The things you will find in this article

In the first part of this series we discuss the Windows registry: its structure, its backups and supporting files, examples from case files which reveal how instrumental the registry can be in prosecuting suspects, and some open source tools.


What is the Windows registry and what is its structure?

The Windows registry is an invaluable source of forensic artifacts for all examiners and analysts. The registry holds configurations for Windows and replaced the .INI files used by Windows 3.1. It is a binary, hierarchical database whose contents include configuration settings and data for the OS and for the different applications relying on it. The registry not only keeps records of OS and application settings but also monitors and records user-specific data in order to structure and enhance the user's experience while interacting with the system. Most of the time users do not interact with the registry directly; they interact with it indirectly via installation routines, applications, and programs such as Microsoft Installer files. Nonetheless, system admins can interact directly with the registry via regedit.exe (the registry editor), which ships with all varieties of Windows.

Figure 1: What the Windows registry looks like through the eyes of the registry editor, along with the registry's nomenclature.
Figure 1 gives the impression that the registry has the familiar folder-based structure, but this is merely an abstraction presented by the registry editor. In reality, the registry is just a collection of files located on the user's hard drive. The registry files in charge of the system and the applications on the user's machine are located under Local Disk:\Windows\system32\config, while the registry files holding data related to the user and his application settings, ntuser.dat and usrclass.dat, are located in the Windows user profile directory.
Furthermore, Figure 1 reveals that the binary structure of the registry is based on cells, the notable ones being keys and values. Although additional cell types exist, keys can be said to act as pointers to other keys (subkeys) and to values. Values hold data and do not point to other keys.
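To make the cell-based binary structure concrete, here is an added example (my own code, not from the article or any forensic tool it goes on to mention): a minimal Python parser for the on-disk hive format that the files under system32\config and ntuser.dat share. It builds a small hive in memory (a constructed sample, not a real file), then walks it the way a forensic parser does: it validates the base block checksum, compares the two sequence numbers to tell whether the hive was written cleanly (the check that decides whether the supporting transaction log files still need replaying), and lists the "nk" key cells and "vk" value cells it finds. The field offsets are those of the public regf format; the key, value and file names are made up.

```python
# Added example, not the article's code: a minimal parser for the on-disk registry
# hive ("regf") format, run on a hive constructed in memory. Layout: a 4 KiB base
# block, then hive bins ("hbin") made of cells; a cell starts with its int32 size
# (negative = allocated, positive = free); keys are tagged "nk", values "vk".
import struct

BASE_BLOCK_SIZE = 4096   # the regf header always occupies the first 4 KiB
HBIN_HEADER_SIZE = 32    # bytes before the first cell inside a hive bin
REG_DWORD = 4

def regf_checksum(base_block: bytes) -> int:
    """XOR of the first 508 bytes as little-endian DWORDs (0 becomes 1, ~0 becomes ~0-1)."""
    csum = 0
    for (word,) in struct.iter_unpack("<I", base_block[:508]):
        csum ^= word
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(csum, csum)

def cell_size(payload: bytes) -> int:
    return (len(payload) + 4 + 7) & ~7   # 4-byte size field, rounded up to 8-byte alignment

def build_nk(name: str, n_values: int, values_list_off: int) -> bytes:
    """Key node cell body; fields this constructed hive does not use stay zero."""
    raw, nk = name.encode("ascii"), bytearray(0x4C)
    nk[0:2] = b"nk"
    struct.pack_into("<H", nk, 0x02, 0x2C)                 # root key with ASCII ("compressed") name
    struct.pack_into("<IIII", nk, 0x10, 0xFFFFFFFF, 0, 0, 0xFFFFFFFF)  # no parent, no subkeys
    struct.pack_into("<II", nk, 0x24, n_values, values_list_off)
    struct.pack_into("<HH", nk, 0x48, len(raw), 0)         # name length, class name length
    return bytes(nk) + raw

def build_vk(name: str, dword: int) -> bytes:
    """Value cell body holding a REG_DWORD inline (high bit of the data size set)."""
    raw, vk = name.encode("ascii"), bytearray(0x14)
    vk[0:2] = b"vk"
    struct.pack_into("<HIII", vk, 0x02, len(raw), 4 | 0x80000000, dword, REG_DWORD)
    struct.pack_into("<H", vk, 0x10, 1)                    # flag: ASCII name
    return bytes(vk) + raw

def build_hive(key_name: str, value_name: str, dword: int, seq: int = 7, interrupted: bool = False) -> bytes:
    """Constructed hive: base block plus one 4 KiB hive bin holding a vk, a value list and an nk."""
    vk = build_vk(value_name, dword)
    vlist = struct.pack("<I", HBIN_HEADER_SIZE)            # value list: offsets of value cells,
    list_off = HBIN_HEADER_SIZE + cell_size(vk)            # all relative to the hive bins area
    nk_off = list_off + cell_size(vlist)
    nk = build_nk(key_name, 1, list_off)
    hb = bytearray(4096)
    hb[0:4] = b"hbin"
    struct.pack_into("<II", hb, 4, 0, len(hb))             # bin offset (relative), bin size
    pos = HBIN_HEADER_SIZE
    for payload in (vk, vlist, nk):
        struct.pack_into("<i", hb, pos, -cell_size(payload))  # negative size = allocated cell
        hb[pos + 4:pos + 4 + len(payload)] = payload
        pos += cell_size(payload)
    struct.pack_into("<i", hb, pos, len(hb) - pos)         # rest of the bin is one free cell
    bb = bytearray(BASE_BLOCK_SIZE)
    bb[0:4] = b"regf"
    # primary/secondary sequence numbers; an interrupted write leaves them unequal
    struct.pack_into("<II", bb, 4, seq, seq - (1 if interrupted else 0))
    struct.pack_into("<IIII", bb, 20, 1, 5, 0, 1)          # major 1, minor 5, primary file, format 1
    struct.pack_into("<III", bb, 36, nk_off, len(hb), 1)   # root cell offset, hbins size, clustering
    struct.pack_into("<I", bb, 508, regf_checksum(bytes(bb)))
    return bytes(bb) + bytes(hb)

def parse_hive(hive: bytes) -> dict:
    """Validate the base block, then list every allocated key and value cell."""
    bb = hive[:BASE_BLOCK_SIZE]
    if bb[:4] != b"regf":
        raise ValueError("not a regf hive")
    primary, secondary = struct.unpack_from("<II", bb, 4)
    info = {
        "checksum_ok": struct.unpack_from("<I", bb, 508)[0] == regf_checksum(bb),
        # Sequence numbers differ when a write was in flight: the hive is "dirty" and
        # the transaction log stored beside it (.LOG/.LOG1/.LOG2) still needs replaying.
        "dirty": primary != secondary,
        "keys": [], "values": [],
    }
    pos, end = BASE_BLOCK_SIZE, BASE_BLOCK_SIZE + struct.unpack_from("<I", bb, 40)[0]
    while pos < end:
        if hive[pos:pos + 4] != b"hbin":
            raise ValueError(f"bad hive bin at offset {pos}")
        bin_size = struct.unpack_from("<I", hive, pos + 8)[0]
        cell = pos + HBIN_HEADER_SIZE
        while cell < pos + bin_size:
            size = struct.unpack_from("<i", hive, cell)[0]
            if size == 0:
                raise ValueError(f"zero-length cell at offset {cell}")
            if size < 0:                                   # allocated cell
                body = hive[cell + 4:cell - size]
                if body[:2] == b"nk":
                    info["keys"].append(body[0x4C:0x4C + struct.unpack_from("<H", body, 0x48)[0]].decode("ascii"))
                elif body[:2] == b"vk":
                    nlen, dsize, doff, dtype = struct.unpack_from("<HIII", body, 2)
                    name = body[0x14:0x14 + nlen].decode("ascii") or "(Default)"
                    # data of 4 bytes or less sits inline in the offset field, larger data in its own cell
                    raw = struct.pack("<I", doff) if dsize & 0x80000000 else hive[BASE_BLOCK_SIZE + doff + 4:]
                    data = raw[:dsize & 0x7FFFFFFF]
                    if dtype == REG_DWORD and len(data) == 4:
                        data = struct.unpack("<I", data)[0]
                    info["values"].append((name, dtype, data))
            cell += abs(size)
        pos += bin_size
    return info
```

`parse_hive(build_hive("Software", "Shutdown", 1))` reports a clean hive with one key and one DWORD value; passing `interrupted=True` produces a hive whose sequence numbers disagree, which is exactly the condition under which an examiner should not trust the hive file alone and must consider its transaction logs. Flipping any byte in the header makes the checksum test fail, which is how a parser notices a truncated or tampered base block.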
