SlideShare uma empresa Scribd logo

In-depth forensic analysis of Windows registry files

M
Maxim Suhanov

Uncovering the details of how a registry file is organized, how to locate & recover deleted data, and why third-party offline registry editors & viewers are failing to do their job well. Errata. - Page 8: "Zero-based", should be: "Zero-based, unset bits not counted". - Page 12: "multiple delete records (entities)", should be: "multiple deleted records (entities)".

Tecnologia
1 de 20
Baixar para ler offline
In-depth forensic analysis of Windows registry files Maxim Suhanov
Registry basics A typical registry path: HKEY_LOCAL_MACHINESoftwareMicrosoft This path is different in a kernel: • RegistryMachineSoftwareMicrosoft This hive is non-volatile (stored on a disk), backing files: • C:WindowsSystem32configSOFTWARE • C:WindowsSystem32configSOFTWARE.LOG (+ .LOG1/.LOG2) Predefined key Mount point of a hive Key Some hives do not have a visible mount point!
Hive format (NT family) Seven versions of the format: from 1.0 (pre-release versions ofWindows NT 3.1) to 1.6 (introduced inWindows 10 “Redstone 1”, not used yet) The structure of a hive file: Base block (file header) Hive bin Hive bin More hive bins Remnant data The base block contains the size of all [allocated] hive bins.
Hive format (NT family) A hive bin contains a header and cells. Hive bin Header Cell Cell More cells A cell may contain: • Key node (nk) • Key value (vk) • Key security (sk) • List of subkeys (li, lf, lh) • List of subkeys lists (ri) • List of values • Value data • Big data records (db) • List of segments • Value data segments The first 4 bytes of a cell are used to record the size of this cell (positive value: unallocated cell, negative value: allocated cell) The header contains the size of this hive bin.
Hive format (NT family) Records (entities) point to other records (entities) using a relative offset of a cell.A base block points to a root key node. File offset of a cell = Length of a base block + Relative offset of a cell File offset of a cell = 4096 + Relative offset of a cell Key node Key security List of subkeys List of values Key node Key node Key value Value data
Hive format (NT family) All registry structures are documented here: https://github.com/msuhanov/regf/
Transaction log files (NT family) • Before writing dirty data to a primary file, this data is stored in a transaction log file. • If a system crash occurs when writing to a transaction log file, a primary file will be intact. • If a system crash occurs when writing to a primary file, a transaction log file will be used to repeat the write operation. The old format (before Windows 8.1): Base block (backup copy) Dirty vector (bitmap) Dirty sectors (pages) Remnant data G a p
Transaction log files (NT family) • Every bit of the bitmap corresponds to a single 512-byte sector of the hive bins data in a primary file. • If set, a sector is dirty (and modified contents are in the transaction log file). Relative offset of a dirty sector in a transaction log file = Index of a bit in the bitmap * 512 Relative from the start of dirty sectors (pages). Zero-based. As of Windows XP, a single run of dirty data is not smaller than a page (4096 bytes).
Transaction log files (NT family) • A bad sector in a primary file results in the following:  Dirty data cannot be written to a primary file (to the location with a bad sector).  We cannot overwrite dirty data in an existing transaction log file (otherwise a system crash may leave us without a good copy of dirty data).  We cannot mark mounted hives as read-only.  No further writes (after a failed one) to a primary file will be allowed (new dirty data will be discarded).
Transaction log files (NT family) • Solution: the dual-logging scheme (starting from Windows Vista).  After a failed write to a primary file, switch the log file being used (.LOG1 -> .LOG2, .LOG2 -> .LOG1), and try the write operation again.  Repeat this until a bad sector is gone. Microsoft left the CmpFailPrimarySave kernel variable used to simulate failed writes!
Transaction log files (NT family) • The old format requires dirty data to be written to a disk twice. • The new format is used to stash dirty pages in a transaction log file without writing them to a primary file.These pages will be written to a primary file later. The new format (as ofWindows 8.1): Base block (backup copy) Log entries Remnant data Also, each log entry has a checksum for dirty data (Marvin32). • When all users are inactive. • During the full shutdown. • After 3600 seconds since the latest write.
Deleted data (NT family) • When a key or a value is deleted, all corresponding cells are marked as unallocated. • A cell will be coalesced with an adjacent unallocated cell. • A single unallocated cell may contain multiple delete records (entities).
Deleted data (NT family) Well, not all cells are marked as unallocated when a corresponding record (entity) is deleted… • In recent releases of Windows 10, renaming a key will leave an old key node in an allocated cell. • This key node will be present until the hive is defragmented. Thus, Cells with deleted data = All cells – Referenced cells
Deleted data (NT family) Also, deleted records (entities) can be found in: • Remnant data at the end of a primary file. • Slack space of allocated and referenced records (especially, in cells with subkeys/values lists). • Transaction log files (old log entries, remnant data, gaps). Distribution of recoverable deleted keys and values in primary files: • Unallocated cells: 97.9% • Remnant data at the end of a file: 0.6% • Slack space in allocated and referenced cells: 1.5% • Allocated but unreferenced cells: 0% (only 1 key was found) Preallocated space.
Caveats • Most registry viewers ignore data in transaction log files.  Registry Explorer, Windows Registry Recovery, Registry Recon, libregf, reglookup.  Latest changes to registry keys and values (made in Windows 8.1 and later versions of Windows) may be invisible to such tools.  Malicious programs can hide data from offline registry viewers by manipulating the CmpFailPrimarySave kernel variable (modified keys and values will be stored outside of a primary file). Example: A laptop with a USB cellular modem, building the timeline for the Software hive, looking for timestamps related to the activity of the modem. With transaction log files: 13 different key modification timestamps were found for a single registry key. Without transaction log files: 1 timestamp for that key.
Caveats • Offline registry libraries in antivirus software ignore transaction log files too.  Kaspersky Rescue Disk 10 (based on Linux) will delete malicious keys/values from a primary file only, without applying dirty data from a transaction log file.  When running Windows 8.1 and later versions of Windows, it is possible to create a malicious autorun entry that will not be deleted when performing an antivirus scan from Kaspersky Rescue Disk 10.  The same is also possible with older versions of Windows by exploiting the CmpFailPrimarySave kernel variable.
Caveats • When recovering deleted data from primary files, many tools skip the slack space of allocated records (entities). • 1.5% of recoverable keys and values are not recovered! Slack space A cell with a subkeys list Signature Number of elements Offset Offset Offset Offset Offset Cell size
Caveats • Treating the registry as a typical file system is dangerous too!  A subkey and a value of a single key can share the same name.  A name of a key or a value could be “.” or “..”.  Also: null byte, “/”, and “”. GRR: a value shadows a key with the same name
Yet another registry parser (yarp) https://github.com/msuhanov/yarp/ (library & tools, Python 3) - Parse Windows registry files in a proper way (with forensics in mind). - Expose values of all fields of underlying registry structures. - Support for truncated registry files and registry fragments. - Support for recovering deleted keys and values. - Support for carving of registry hives. - Support for transaction log files.
?

Recomendados

Registry forensics
Registry forensicsRegistry forensics
Registry forensics
Prince Boonlia
 
Windows registry forensics
Windows registry forensicsWindows registry forensics
Windows registry forensics
Taha İslam YILMAZ
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows System
Conferencias FIST
 
Computer Forensics & Windows Registry
Computer Forensics & Windows RegistryComputer Forensics & Windows Registry
Computer Forensics & Windows Registry
aradhanalaw
 
Encase Forensic
Encase ForensicEncase Forensic
Encase Forensic
Megha Sahu
 
Windows forensic
Windows forensicWindows forensic
Windows forensic
MD SAQUIB KHAN
 
malware analysis
malware analysismalware analysis
malware analysis
20CS201AkashR
 
04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes
Kranthi
 

Recomendados

Registry forensics
Registry forensicsRegistry forensics
Registry forensics
Prince Boonlia
 
Windows registry forensics
Windows registry forensicsWindows registry forensics
Windows registry forensics
Taha İslam YILMAZ
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows System
Conferencias FIST
 
Computer Forensics & Windows Registry
Computer Forensics & Windows RegistryComputer Forensics & Windows Registry
Computer Forensics & Windows Registry
aradhanalaw
 
Encase Forensic
Encase ForensicEncase Forensic
Encase Forensic
Megha Sahu
 
Windows forensic
Windows forensicWindows forensic
Windows forensic
MD SAQUIB KHAN
 
malware analysis
malware analysismalware analysis
malware analysis
20CS201AkashR
 
04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes
Kranthi
 
Network forensics and investigating logs
Network forensics and investigating logsNetwork forensics and investigating logs
Network forensics and investigating logs
anilinvns
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
Oldsun
 
Forensic artifacts in modern linux systems
Forensic artifacts in modern linux systemsForensic artifacts in modern linux systems
Forensic artifacts in modern linux systems
Gol D Roger
 
Autopsy Digital forensics tool
Autopsy Digital forensics toolAutopsy Digital forensics tool
Autopsy Digital forensics tool
Sreekanth Narendran
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imaging
DINESH KAMBLE
 
Introduction to forensic imaging
Introduction to forensic imagingIntroduction to forensic imaging
Introduction to forensic imaging
Marco Alamanni
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
Santosh Khadsare
 
Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidence
rakesh mishra
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifacts
n|u - The Open Security Community
 
Windows Live Forensics 101
Windows Live Forensics 101Windows Live Forensics 101
Windows Live Forensics 101
Arpan Raval
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
deaneal
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
n|u - The Open Security Community
 
Digital&computforensic
Digital&computforensicDigital&computforensic
Digital&computforensic
Rahul Badekar
 
Malware Detection Using Data Mining Techniques
Malware Detection Using Data Mining Techniques Malware Detection Using Data Mining Techniques
Malware Detection Using Data Mining Techniques
Akash Karwande
 
Registry Forensics
Registry ForensicsRegistry Forensics
Registry Forensics
Somesh Sawhney
 
CHA & LBA Addressing
CHA & LBA Addressing CHA & LBA Addressing
CHA & LBA Addressing
DINESH KAMBLE
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101
Digit Oktavianto
 
Windows file system
Windows file systemWindows file system
Windows file system
sumitjain2013
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensics
primeteacher32
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System Forensics
ArunJS5
 
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
 
In-Memory Computing Essentials for Architects and Engineers
In-Memory Computing Essentials for Architects and EngineersIn-Memory Computing Essentials for Architects and Engineers
In-Memory Computing Essentials for Architects and Engineers
Denis Magda
 

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Network forensics and investigating logs
Network forensics and investigating logsNetwork forensics and investigating logs
Network forensics and investigating logs
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
Forensic artifacts in modern linux systems
Forensic artifacts in modern linux systemsForensic artifacts in modern linux systems
Forensic artifacts in modern linux systems
 
Autopsy Digital forensics tool
Autopsy Digital forensics toolAutopsy Digital forensics tool
Autopsy Digital forensics tool
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imaging
 
Introduction to forensic imaging
Introduction to forensic imagingIntroduction to forensic imaging
Introduction to forensic imaging
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
 
Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidence
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifacts
 
Windows Live Forensics 101
Windows Live Forensics 101Windows Live Forensics 101
Windows Live Forensics 101
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
 
Digital&computforensic
Digital&computforensicDigital&computforensic
Digital&computforensic
 
Malware Detection Using Data Mining Techniques
Malware Detection Using Data Mining Techniques Malware Detection Using Data Mining Techniques
Malware Detection Using Data Mining Techniques
 
Registry Forensics
Registry ForensicsRegistry Forensics
Registry Forensics
 
CHA & LBA Addressing
CHA & LBA Addressing CHA & LBA Addressing
CHA & LBA Addressing
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101
 
Windows file system
Windows file systemWindows file system
Windows file system
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensics
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System Forensics
 

Destaque

[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
Aj MaChInE
 
OCCIware, an extensible, standard-based XaaS consumer platform to manage ever...
OCCIware, an extensible, standard-based XaaS consumer platform to manage ever...OCCIware, an extensible, standard-based XaaS consumer platform to manage ever...
OCCIware, an extensible, standard-based XaaS consumer platform to manage ever...
OCCIware
 

Destaque (20)

AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
 
In-Memory Computing Essentials for Architects and Engineers
In-Memory Computing Essentials for Architects and EngineersIn-Memory Computing Essentials for Architects and Engineers
In-Memory Computing Essentials for Architects and Engineers
 
Docker Networking
Docker NetworkingDocker Networking
Docker Networking
 
Walk through an enterprise Linux migration
Walk through an enterprise Linux migrationWalk through an enterprise Linux migration
Walk through an enterprise Linux migration
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
 
Scale Up with Lock-Free Algorithms @ JavaOne
Scale Up with Lock-Free Algorithms @ JavaOneScale Up with Lock-Free Algorithms @ JavaOne
Scale Up with Lock-Free Algorithms @ JavaOne
 
Graduating To Go - A Jumpstart into the Go Programming Language
Graduating To Go - A Jumpstart into the Go Programming LanguageGraduating To Go - A Jumpstart into the Go Programming Language
Graduating To Go - A Jumpstart into the Go Programming Language
 
Communication hardware
Communication hardwareCommunication hardware
Communication hardware
 
OCCIware, an extensible, standard-based XaaS consumer platform to manage ever...
OCCIware, an extensible, standard-based XaaS consumer platform to manage ever...OCCIware, an extensible, standard-based XaaS consumer platform to manage ever...
OCCIware, an extensible, standard-based XaaS consumer platform to manage ever...
 
Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)
Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)
Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)
 
What in the World is Going on at The Linux Foundation?
What in the World is Going on at The Linux Foundation?What in the World is Going on at The Linux Foundation?
What in the World is Going on at The Linux Foundation?
 
numPYNQ @ NGCLE@e-Novia 15.11.2017
numPYNQ @ NGCLE@e-Novia 15.11.2017numPYNQ @ NGCLE@e-Novia 15.11.2017
numPYNQ @ NGCLE@e-Novia 15.11.2017
 
DevRomagna / Golang Intro
DevRomagna / Golang IntroDevRomagna / Golang Intro
DevRomagna / Golang Intro
 
Advanced memory allocation
Advanced memory allocationAdvanced memory allocation
Advanced memory allocation
 
Go Execution Tracer
Go Execution TracerGo Execution Tracer
Go Execution Tracer
 
Virtualization
VirtualizationVirtualization
Virtualization
 
Server virtualization
Server virtualizationServer virtualization
Server virtualization
 
SDN Architecture & Ecosystem
SDN Architecture & EcosystemSDN Architecture & Ecosystem
SDN Architecture & Ecosystem
 
OpenFlow
OpenFlowOpenFlow
OpenFlow
 
Network Virtualization
Network VirtualizationNetwork Virtualization
Network Virtualization
 

Semelhante a In-depth forensic analysis of Windows registry files

Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3
CTIN
 
TLPI Chapter 14 File Systems
TLPI Chapter 14 File SystemsTLPI Chapter 14 File Systems
TLPI Chapter 14 File Systems
Shu-Yu Fu
 
There are 4 parts for the project. The question may be long to read .docx
There are 4 parts for the project. The question may be long to read .docxThere are 4 parts for the project. The question may be long to read .docx
There are 4 parts for the project. The question may be long to read .docx
susannr
 
There are 4 part for the project and the question may be long to rea.docx
There are 4 part for the project and the question may be long to rea.docxThere are 4 part for the project and the question may be long to rea.docx
There are 4 part for the project and the question may be long to rea.docx
susannr
 

Semelhante a In-depth forensic analysis of Windows registry files (20)

Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3
 
Windows xp
Windows xpWindows xp
Windows xp
 
Windowsforensics
WindowsforensicsWindowsforensics
Windowsforensics
 
Root file system
Root file systemRoot file system
Root file system
 
File system
File systemFile system
File system
 
File system
File systemFile system
File system
 
Windows Registry Analysis
Windows Registry AnalysisWindows Registry Analysis
Windows Registry Analysis
 
Linux Systems Programming: File Handling
Linux Systems Programming: File HandlingLinux Systems Programming: File Handling
Linux Systems Programming: File Handling
 
File Handling In C++(OOPs))
File Handling In C++(OOPs))File Handling In C++(OOPs))
File Handling In C++(OOPs))
 
Embedded Systems: Lecture 14: Introduction to GNU Toolchain (Binary Utilities)
Embedded Systems: Lecture 14: Introduction to GNU Toolchain (Binary Utilities)Embedded Systems: Lecture 14: Introduction to GNU Toolchain (Binary Utilities)
Embedded Systems: Lecture 14: Introduction to GNU Toolchain (Binary Utilities)
 
Linux Basics
Linux BasicsLinux Basics
Linux Basics
 
TLPI Chapter 14 File Systems
TLPI Chapter 14 File SystemsTLPI Chapter 14 File Systems
TLPI Chapter 14 File Systems
 
NTFS file system
NTFS file systemNTFS file system
NTFS file system
 
File system is full - what do i do
File system is full - what do i doFile system is full - what do i do
File system is full - what do i do
 
Windows
WindowsWindows
Windows
 
File system
File systemFile system
File system
 
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
 
DBMS
DBMSDBMS
DBMS
 
There are 4 parts for the project. The question may be long to read .docx
There are 4 parts for the project. The question may be long to read .docxThere are 4 parts for the project. The question may be long to read .docx
There are 4 parts for the project. The question may be long to read .docx
 
There are 4 part for the project and the question may be long to rea.docx
There are 4 part for the project and the question may be long to rea.docxThere are 4 part for the project and the question may be long to rea.docx
There are 4 part for the project and the question may be long to rea.docx
 

Último

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 

Último (20)

WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 

In-depth forensic analysis of Windows registry files

  • 1. In-depth forensic analysis of Windows registry files Maxim Suhanov
  • 2. Registry basics A typical registry path: HKEY_LOCAL_MACHINESoftwareMicrosoft This path is different in a kernel: • RegistryMachineSoftwareMicrosoft This hive is non-volatile (stored on a disk), backing files: • C:WindowsSystem32configSOFTWARE • C:WindowsSystem32configSOFTWARE.LOG (+ .LOG1/.LOG2) Predefined key Mount point of a hive Key Some hives do not have a visible mount point!
  • 3. Hive format (NT family) Seven versions of the format: from 1.0 (pre-release versions ofWindows NT 3.1) to 1.6 (introduced inWindows 10 “Redstone 1”, not used yet) The structure of a hive file: Base block (file header) Hive bin Hive bin More hive bins Remnant data The base block contains the size of all [allocated] hive bins.
  • 4. Hive format (NT family) A hive bin contains a header and cells. Hive bin Header Cell Cell More cells A cell may contain: • Key node (nk) • Key value (vk) • Key security (sk) • List of subkeys (li, lf, lh) • List of subkeys lists (ri) • List of values • Value data • Big data records (db) • List of segments • Value data segments The first 4 bytes of a cell are used to record the size of this cell (positive value: unallocated cell, negative value: allocated cell) The header contains the size of this hive bin.
  • 5. Hive format (NT family) Records (entities) point to other records (entities) using a relative offset of a cell.A base block points to a root key node. File offset of a cell = Length of a base block + Relative offset of a cell File offset of a cell = 4096 + Relative offset of a cell Key node Key security List of subkeys List of values Key node Key node Key value Value data
  • 6. Hive format (NT family) All registry structures are documented here: https://github.com/msuhanov/regf/
  • 7. Transaction log files (NT family) • Before writing dirty data to a primary file, this data is stored in a transaction log file. • If a system crash occurs when writing to a transaction log file, a primary file will be intact. • If a system crash occurs when writing to a primary file, a transaction log file will be used to repeat the write operation. The old format (before Windows 8.1): Base block (backup copy) Dirty vector (bitmap) Dirty sectors (pages) Remnant data G a p
  • 8. Transaction log files (NT family) • Every bit of the bitmap corresponds to a single 512-byte sector of the hive bins data in a primary file. • If set, a sector is dirty (and modified contents are in the transaction log file). Relative offset of a dirty sector in a transaction log file = Index of a bit in the bitmap * 512 Relative from the start of dirty sectors (pages). Zero-based. As of Windows XP, a single run of dirty data is not smaller than a page (4096 bytes).
  • 9. Transaction log files (NT family) • A bad sector in a primary file results in the following:  Dirty data cannot be written to a primary file (to the location with a bad sector).  We cannot overwrite dirty data in an existing transaction log file (otherwise a system crash may leave us without a good copy of dirty data).  We cannot mark mounted hives as read-only.  No further writes (after a failed one) to a primary file will be allowed (new dirty data will be discarded).
  • 10. Transaction log files (NT family) • Solution: the dual-logging scheme (starting from Windows Vista).  After a failed write to a primary file, switch the log file being used (.LOG1 -> .LOG2, .LOG2 -> .LOG1), and try the write operation again.  Repeat this until a bad sector is gone. Microsoft left the CmpFailPrimarySave kernel variable used to simulate failed writes!
  • 11. Transaction log files (NT family) • The old format requires dirty data to be written to a disk twice. • The new format is used to stash dirty pages in a transaction log file without writing them to a primary file.These pages will be written to a primary file later. The new format (as ofWindows 8.1): Base block (backup copy) Log entries Remnant data Also, each log entry has a checksum for dirty data (Marvin32). • When all users are inactive. • During the full shutdown. • After 3600 seconds since the latest write.
  • 12. Deleted data (NT family) • When a key or a value is deleted, all corresponding cells are marked as unallocated. • A cell will be coalesced with an adjacent unallocated cell. • A single unallocated cell may contain multiple delete records (entities).
  • 13. Deleted data (NT family) Well, not all cells are marked as unallocated when a corresponding record (entity) is deleted… • In recent releases of Windows 10, renaming a key will leave an old key node in an allocated cell. • This key node will be present until the hive is defragmented. Thus, Cells with deleted data = All cells – Referenced cells
  • 14. Deleted data (NT family) Also, deleted records (entities) can be found in: • Remnant data at the end of a primary file. • Slack space of allocated and referenced records (especially, in cells with subkeys/values lists). • Transaction log files (old log entries, remnant data, gaps). Distribution of recoverable deleted keys and values in primary files: • Unallocated cells: 97.9% • Remnant data at the end of a file: 0.6% • Slack space in allocated and referenced cells: 1.5% • Allocated but unreferenced cells: 0% (only 1 key was found) Preallocated space.
  • 15. Caveats • Most registry viewers ignore data in transaction log files.  Registry Explorer, Windows Registry Recovery, Registry Recon, libregf, reglookup.  Latest changes to registry keys and values (made in Windows 8.1 and later versions of Windows) may be invisible to such tools.  Malicious programs can hide data from offline registry viewers by manipulating the CmpFailPrimarySave kernel variable (modified keys and values will be stored outside of a primary file). Example: A laptop with a USB cellular modem, building the timeline for the Software hive, looking for timestamps related to the activity of the modem. With transaction log files: 13 different key modification timestamps were found for a single registry key. Without transaction log files: 1 timestamp for that key.
  • 16. Caveats • Offline registry libraries in antivirus software ignore transaction log files too.  Kaspersky Rescue Disk 10 (based on Linux) will delete malicious keys/values from a primary file only, without applying dirty data from a transaction log file.  When running Windows 8.1 and later versions of Windows, it is possible to create a malicious autorun entry that will not be deleted when performing an antivirus scan from Kaspersky Rescue Disk 10.  The same is also possible with older versions of Windows by exploiting the CmpFailPrimarySave kernel variable.
  • 17. Caveats • When recovering deleted data from primary files, many tools skip the slack space of allocated records (entities). • 1.5% of recoverable keys and values are not recovered! Slack space A cell with a subkeys list Signature Number of elements Offset Offset Offset Offset Offset Cell size
  • 18. Caveats • Treating the registry as a typical file system is dangerous too!  A subkey and a value of a single key can share the same name.  A name of a key or a value could be “.” or “..”.  Also: null byte, “/”, and “”. GRR: a value shadows a key with the same name
  • 19. Yet another registry parser (yarp) https://github.com/msuhanov/yarp/ (library & tools, Python 3) - Parse Windows registry files in a proper way (with forensics in mind). - Expose values of all fields of underlying registry structures. - Support for truncated registry files and registry fragments. - Support for recovering deleted keys and values. - Support for carving of registry hives. - Support for transaction log files.
  • 20. ?