Windows Forensic 101

Last updated 3 months ago

What is Digital Forensics?

Digital forensics is the process of identifying, obtaining, preserving, examining, and presenting any type of digital object—such as sound, image, data, information, or their combinations—stored or transmitted through electromagnetic and electro-optical environments, in a way that maintains its value as digital evidence in court.

What is a Forensic Artifact?

The term "artifact" is frequently heard during forensic analysis. Forensic artifacts are crucial pieces of information that provide evidence of human activities. For example, fingerprints at a crime scene, a broken button, or tools used to commit a crime are considered forensic artifacts. By analyzing these artifacts together, investigators can understand how the crime was committed.

In computer forensics, forensic artifacts are small traces left on a computer system. Especially on Windows systems, various artifacts can be used to track a user's actions. These artifacts are typically found in system areas that regular users do not usually access and can be analyzed for forensic purposes.

WINDOWS REGISTRY FORENSICS

The Windows Registry is a collection of databases containing the system's configuration data. This configuration data can be related to hardware, software, or user information. It also includes data about recently used files, programs that have been run, or devices connected to the system.

The Windows Registry is made up of Keys and Values. When you open the regedit.exe tool to view the registry, the folders you see are Registry Keys. Registry Values are the data stored within these Registry Keys. A Registry Hive is a group of keys, subkeys, and values stored in a single file on the disk.

If you have access to a live system, you can open the registry with regedit.exe and browse the standard root keys. If you only have a disk image, you need to know where the hive files are: the system hives (SAM, SECURITY, SOFTWARE, SYSTEM and DEFAULT) are in C:\Windows\System32\Config. Two further hives holding per-user data live in the user's profile. For Windows 7 and later, a user's profile directory is C:\Users\<username>, and these hives are:

NTUSER.DAT (C:\Users\<username>\NTUSER.DAT): stores user-specific information such as desktop settings and personal configurations. On a live system it is loaded as HKEY_CURRENT_USER when the user logs on.

USRCLASS.DAT (C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat): stores additional per-user settings, mainly the user's interface and application preferences. It is loaded under HKEY_CURRENT_USER\Software\Classes and is where the ShellBags data discussed below is kept.

In addition to these, there is another registry hive called AmCache, located at C:\Windows\AppCompat\Programs\Amcache.hve. Windows records executables and installed programs it has seen on the system in this hive, including each file's full path, size and SHA-1 hash, which makes it useful for matching a binary that has since been deleted against threat intelligence.

Transaction logs record registry changes before they reach the hive file: Windows writes a change to the log first and flushes it into the hive later, so a log can hold recent changes that are not yet reflected in the hive itself. Each log sits in the same directory as its hive with a .LOG, .LOG1 or .LOG2 extension (for example SYSTEM.LOG1 and SYSTEM.LOG2). When you collect hives from an image, collect the logs too and let your parser replay them; a hive whose header sequence numbers do not match was not cleanly flushed and is missing its most recent changes.

In contrast to transaction logs, registry backups are full copies of the hives. A scheduled task (RegIdleBackup) copied them every ten days to C:\Windows\System32\Config\RegBack. Since Windows 10 version 1803 the task no longer populates this folder by default (the files exist but are zero bytes) unless the EnablePeriodicBackup value under SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager is set to 1, so do not count on RegBack on modern systems.
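As an added example (not part of the original article), the following Python reads the 4096-byte base block at the start of any hive file and reports whether its primary and secondary sequence numbers agree. When they differ the hive is "dirty": the last write never completed in the hive file and the newest changes exist only in the .LOG1/.LOG2 transaction logs, which a parser has to replay first. The hive bytes used here are constructed inside the script; the field offsets follow the publicly documented regf format.

```python
import struct
from datetime import datetime, timedelta, timezone

# Layout of the regf base block (first 4096 bytes of a hive file):
#   0x000  "regf" signature
#   0x004  primary sequence number   (incremented before a write starts)
#   0x008  secondary sequence number (set equal to the primary once the write completes)
#   0x00C  last written timestamp (FILETIME)
#   0x014  major version, 0x018 minor version
#   0x030  hive file name, 64 bytes UTF-16LE (tail of the path, NUL padded)
#   0x1FC  checksum: XOR of the first 508 bytes read as little-endian DWORDs
BASE_BLOCK_SIZE = 4096


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def regf_checksum(block: bytes) -> int:
    csum = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        csum ^= dword
    # Windows never stores 0 or 0xFFFFFFFF; they are replaced by 1 and 0xFFFFFFFE.
    if csum == 0:
        return 1
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum


def parse_regf_header(block: bytes) -> dict:
    """Read the base block and report whether the hive needs its .LOG1/.LOG2 replayed."""
    if len(block) < BASE_BLOCK_SIZE or block[:4] != b"regf":
        raise ValueError("not a registry hive: missing 'regf' signature")
    primary, secondary, ft, major, minor = struct.unpack_from("<IIQII", block, 4)
    name = block[0x30:0x30 + 64].decode("utf-16-le").split("\x00", 1)[0]
    stored_checksum = struct.unpack_from("<I", block, 0x1FC)[0]
    return {
        "hive_name": name,
        "primary_seq": primary,
        "secondary_seq": secondary,
        "last_written": filetime_to_datetime(ft),
        "version": f"{major}.{minor}",
        # Mismatched sequence numbers mean the last write never finished in the
        # primary file: the newest changes live only in the transaction logs.
        "dirty": primary != secondary,
        "checksum_ok": stored_checksum == regf_checksum(block),
    }


def build_sample_hive(primary: int, secondary: int, name: str = "SYSTEM") -> bytes:
    """Constructed base block for demonstration only; it is not a real hive."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[0:4] = b"regf"
    # the timestamp is an arbitrary FILETIME in November 2020
    struct.pack_into("<IIQII", block, 4, primary, secondary, 132_500_000_000_000_000, 1, 5)
    block[0x30:0x30 + 64] = name.encode("utf-16-le").ljust(64, b"\x00")
    struct.pack_into("<I", block, 0x1FC, regf_checksum(bytes(block)))
    return bytes(block)


if __name__ == "__main__":
    # For a real hive: parse_regf_header(open(r"...\config\SYSTEM", "rb").read(BASE_BLOCK_SIZE))
    for seqs in ((7, 7), (8, 7)):
        info = parse_regf_header(build_sample_hive(*seqs))
        print(info["hive_name"], "dirty" if info["dirty"] else "clean", info["last_written"])
```

A dirty hive is the normal state for hives copied from a running system or from a snapshot taken mid-write, so treat "dirty" as "replay the logs", not as a sign of tampering.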

Let's examine what kind of information can be obtained from which registry keys during a forensic analysis:

First, check the operating system version. The ProductName, CurrentBuild and DisplayVersion (ReleaseId on older builds) values identify the build, and InstallDate is a Unix timestamp of when it was installed:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

The configuration data used when the machine starts is grouped into "control sets". A SYSTEM hive normally holds ControlSet001 and ControlSet002, and which one is in use is recorded in the SYSTEM\Select key: Current is the number of the control set the machine booted from, LastKnownGood is the control set that last completed a successful boot, Default is the one to use at the next boot, and Failed is set when a boot failed. ControlSet001 is usually the current set and ControlSet002 the last known good one, but read Select rather than assuming it.

Note that CurrentControlSet is only a symbolic link that exists on a live system. In an offline hive you must resolve it yourself with the Select\Current value and open ControlSet00N directly; tools such as Registry Explorer and AppCompatCacheParser do this for you.

To find the computer name:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

When conducting an investigation it is crucial to know the system's time zone, because most registry timestamps are stored in UTC while the user's activity happened in local time. The TimeZoneKeyName value names the zone and ActiveTimeBias is the number of minutes to add to local time to get UTC:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation

Network interfaces are listed under the following key. Each interface is a subkey named by its GUID that holds the TCP/IP configuration: IPAddress or DhcpIPAddress, SubnetMask, DhcpServer, NameServer, DhcpDomain, and the DHCP lease times, which let you tie the machine to an IP address at a given moment. To list the interfaces:

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

Previously connected networks:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged

The Managed key holds networks on which a domain controller was reachable, that is, domain networks managed by an administrator. The Unmanaged key holds all other networks, typically home, public and other networks the user joined on their own.

Each signature subkey records the network's Description, DefaultGatewayMac and DnsSuffix together with a ProfileGuid. That GUID points to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID}, where ProfileName, NameType (0x47 wireless, 0x06 wired) and the DateCreated and DateLastConnected timestamps are stored.

The registry keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce manage programs that run when that user logs in. The same two key names under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion (in the SOFTWARE hive) apply to every user who logs in.

The Run key lists programs that are started every time the user logs in. Unless the entry is removed from the key, the program keeps running at every login.

The RunOnce key lists programs that are run only once. The entry is deleted before its command is launched, so an entry you find in an image has not run yet.

When working from an image, the HKEY_CURRENT_USER keys are found in C:\Users\<username>\NTUSER.DAT.

The HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run key (and its HKEY_LOCAL_MACHINE counterpart) also launches programs at every login. It is normally populated through Group Policy by administrators, which makes it less familiar and therefore a convenient place to hide a persistence entry; check it alongside the Run keys.

Malware can register itself in these keys to automatically run, and when the user starts the system, the malware will also start automatically.
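To show what an investigator actually looks for in these keys, here is an added example that is not from the original article. It parses the text produced by `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and flags entries with common persistence traits: an image in a user-writable folder, a script host or living-off-the-land binary as the launched program, or a system binary name such as svchost.exe living outside System32. The .reg text embedded in the script is constructed, and the three heuristics are illustrative assumptions rather than a complete detection rule.

```python
import re
from typing import Iterator, NamedTuple

# Constructed `reg export` output used as sample input; it is not from a real system.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"
"Helper"="wscript.exe //B C:\\Users\\alice\\AppData\\Local\\Temp\\up.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Windows\\System32\\cmd.exe /c del C:\\Users\\alice\\AppData\\Local\\Temp\\x.tmp"
'''

# "name"="string"  (only REG_SZ values; dword:/hex: values are ignored here)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Illustrative heuristics (assumptions for this example, not an exhaustive list)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "rundll32.exe", "regsvr32.exe", "cmd.exe"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}


class Autorun(NamedTuple):
    key: str
    name: str
    command: str
    image: str
    reasons: list


def unescape(s: str) -> str:
    # .reg files double backslashes and escape quotes with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Iterator[tuple]:
    """Yield (key, value name, string data) for every REG_SZ value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key and m:
            yield key, unescape(m.group(1)), unescape(m.group(2))


def image_path(command: str) -> str:
    """The executable part of an autorun command: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def assess(key: str, name: str, command: str) -> Autorun:
    image = image_path(command)
    low = image.lower()
    base = low.rsplit("\\", 1)[-1]
    reasons = []
    if any(d in low for d in USER_WRITABLE):
        reasons.append("image in user-writable location")
    if base in SCRIPT_HOSTS:
        reasons.append("script host or LOLBin used as autorun image")
    if base in SYSTEM_NAMES and "\\windows\\system32\\" not in low:
        reasons.append("system binary name outside System32")
    return Autorun(key, name, command, image, reasons)


def suspicious_autoruns(text: str) -> list:
    return [a for a in (assess(*entry) for entry in parse_reg_export(text)) if a.reasons]


if __name__ == "__main__":
    for a in suspicious_autoruns(SAMPLE_REG):
        leaf = a.key.rsplit("\\", 1)[-1]
        print(f"{leaf:8} {a.name:10} {a.image}")
        print("    " + "; ".join(a.reasons))
```

OneDrive is flagged too, because it legitimately runs from AppData\Local; a path in a user-writable folder is a lead, not a verdict, and the next step is to check the file's signature and hash.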

The SYSTEM\CurrentControlSet\Services registry key contains the configuration and state of the installed services and drivers, one subkey per service.

Each service's Start value controls when it starts: 0 = boot (loaded by the boot loader), 1 = system (loaded during kernel initialisation), 2 = automatic (started by the Service Control Manager at every boot), 3 = manual, 4 = disabled. Type distinguishes drivers (0x1 kernel driver, 0x2 file system driver) from services (0x10 own process, 0x20 shared process), and ImagePath is the binary that runs. A service with Start set to 2 and an ImagePath outside System32 or Program Files is a common form of persistence and deserves a closer look.

The SAM (Security Accounts Manager) hive contains local user account information, logon details and group membership. This information is primarily located at the following key, which holds one subkey per account named by its RID in hex (000001F4 is the built-in Administrator, 000001F5 the Guest account). Each account has an F value (last logon time, password last set, account flags, logon count) and a V value (username, full name, comment and the password hashes); the Names subkey maps usernames to RIDs:

SAM\Domains\Account\Users

Under the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs key, Windows stores the names of files the user recently opened, grouped into one subkey per extension (for example .docx or .pdf) plus a Folder subkey. The MRUListEx value in each subkey gives the order, most recent first, and the subkey's last-write time tells you when the most recent file of that type was opened. In an image the key is in NTUSER.DAT and can be viewed with Registry Explorer.

Similar to the Recent Documents list maintained by Windows Explorer, Microsoft Office keeps its own list of recently opened documents. This list is also stored in the NTUSER hive, under a subkey named for the Office version (16.0 for Office 2016 and later) and then the application, for example 16.0\Word\File MRU, with the full path and last-opened time of each document:

NTUSER.DAT\Software\Microsoft\Office\VERSION

When a user opens a folder in Windows, it opens with a specific layout (view type, sort order, window size), and users can change this layout to their preference; different folders can have different layouts. Windows Explorer, the "shell", stores this information in what are known as ShellBags. Because an entry is created for every folder the user browses, including folders on removable drives and network shares, ShellBags prove that a folder existed and was opened even after it has been deleted or the device removed. Since these settings are unique to each user, they are found in the user-specific hives at the following locations (USRCLASS.DAT holds the bulk of the data on Windows 7 and later):

USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags

USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU

NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags

Windows remembers the last locations used for opening or saving files and suggests these locations the next time. To access this information, specific registry keys are examined.

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU

OpenSavePidlMRU: stores the "Most Recently Used" (MRU) list of files that the user opened or saved through the common file dialog, grouped into one subkey per extension plus a * subkey for all types. Each entry is a PIDL (shell item list) that encodes the full path of the file, and MRUListEx gives the order, most recent first. This is how Windows suggests previously used files to the user.

LastVisitedPidlMRU: stores the MRU list of the folders the file dialog was last pointed at. Each entry starts with the name of the executable that opened the dialog (in UTF-16LE) followed by the PIDL of the folder, so it tells you both which application was used and where the user was browsing.

Another way to determine a user's recent activity is to examine the paths typed into the Windows Explorer address bar or searches made by looking at the following registry keys.

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery

TypedPaths: stores paths the user typed manually into the Windows Explorer address bar, as values url1, url2 and so on, with url1 the most recent. Windows uses them to offer previously entered paths; for the investigator they show locations the user deliberately navigated to.

WordWheelQuery: stores the search terms the user typed into the Windows Explorer search box, as UTF-16LE strings in numbered values, with MRUListEx giving the order, most recent first.

Windows tracks applications launched by the user through Windows Explorer (the Start menu, the desktop, a shortcut or a double-click) for statistical purposes in the UserAssist registry keys. These keys record the program that was launched, how many times it has been run, how long it held focus and when it was last run. Programs started from the command line do not appear here. The UserAssist key in the NTUSER hive contains one subkey per GUID: {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} for executables and {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} for shortcuts. Under each, the Count subkey holds one value per program; the value name is the program's path encoded with ROT13, and the value data is a fixed-size binary record holding the run count and the last-execution FILETIME. The location of this key is as follows:

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count

Shimcache is the on-disk form of the Windows application compatibility cache, AppCompatCache. The shim mechanism ensures that older applications keep working on newer versions of Windows, and to do so it records metadata about executables (full path, file size on older versions, and the file's last-modified time, not the execution time) in the registry. The cache lives in memory while the system runs and is written to the registry at shutdown, so the last entries may be missing from an image taken from a running machine. Entries are kept in order of insertion, most recent first. On Windows 7 and 8 an "insert flag" indicated that the program actually ran; on Windows 10 that flag is gone and an entry can also be created just by browsing a directory in Explorer, so on modern systems treat Shimcache as evidence that a file existed at that path, and corroborate execution with Amcache, Prefetch, UserAssist or BAM.

SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

The AppCompatCacheParser tool by Eric Zimmerman can be used for analysis. It is run from the command line against the SYSTEM hive and writes a .csv file; pass the transaction logs alongside the hive so that a dirty hive is replayed correctly.

AppCompatCacheParser.exe --csv <path to save output> -f <path to SYSTEM hive for data parsing> -c <control set to parse>

Background Activity Moderator (BAM) and Desktop Activity Moderator (DAM) are Windows 10 components that control the activity of background applications. BAM governs which applications may run in the background, while DAM throttles processes during connected standby to save power. As a side effect, both record, per user, the full path of executables that ran and when they last ran, which makes them a convenient execution artifact even for binaries that have since been deleted.

In the Windows registry, the BAM and DAM execution data is stored in the SYSTEM hive, one subkey per user SID:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dam\State\UserSettings\{SID}

On builds before Windows 10 version 1809 the State level is absent and the SID keys sit directly under Services\bam\UserSettings. Each value is named after the executable's full path (with \Device\HarddiskVolumeN in place of the drive letter, so map it back through SYSTEM\MountedDevices) and holds a 24-byte blob whose first eight bytes are the FILETIME of the last execution.

The following locations let you track USB storage devices that were connected to a system. They record the vendor, product and revision strings the device reported, its serial number (or a Windows-generated instance ID when it has none), the numeric USB vendor and product IDs, and when the device was plugged in and removed.

SYSTEM\CurrentControlSet\Enum\USBSTOR (one subkey per device model, with one subkey per serial number beneath it)

SYSTEM\CurrentControlSet\Enum\USB (VID_xxxx&PID_xxxx keys holding the numeric vendor and product IDs)

SOFTWARE\Microsoft\Windows Portable Devices\Devices (friendly name and volume label of the device)

SYSTEM\MountedDevices (maps the device to the drive letter and volume GUID it was mounted as)

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 (which user account mounted that volume)

Under each serial-number key, the Properties key records when the device was first installed, the last time it was connected, and the last time it was removed. Each numbered subkey holds a single FILETIME: 0064 is the install date, 0065 the first install date, 0066 the last arrival and 0067 the last removal.

SYSTEM\CurrentControlSet\Enum\USBSTOR\<Disk&Ven_xxx&Prod_xxx&Rev_xxx>\<serial>\Properties\{83da6326-97a6-4088-9453-a19231573b29}\####
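As an added example that is not part of the original article, the following Python pulls the pieces an investigator wants out of these keys: it splits a USBSTOR instance key into device type, vendor, product and revision, extracts the numeric IDs from an Enum\USB key name, flags a serial number that Windows generated because the device reported none (an & as the second character), and converts the FILETIME values from the numbered property subkeys. All input values are constructed; the property subkey names follow devpkey.h.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Enum\USBSTOR key name: <type>&Ven_<vendor>&Prod_<product>&Rev_<revision>
USBSTOR_RE = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$")
# Enum\USB key name: VID_xxxx&PID_xxxx (hex vendor and product IDs), optionally &MI_xx
USB_RE = re.compile(r"^VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})")

# Numbered subkeys under Properties\{83da6326-97a6-4088-9453-a19231573b29}; each holds one FILETIME.
# Names follow devpkey.h (DEVPKEY_Device_InstallDate = 100 ... DEVPKEY_Device_LastRemovalDate = 103).
PROPERTY_TIMES = {"0064": "install_date", "0065": "first_install_date",
                  "0066": "last_arrival", "0067": "last_removal"}


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_usbstor_instance(key_name: str) -> dict:
    m = USBSTOR_RE.match(key_name)
    if not m:
        raise ValueError(f"not a USBSTOR instance key: {key_name!r}")
    return m.groupdict()


def parse_usb_vid_pid(key_name: str) -> tuple:
    m = USB_RE.match(key_name)
    if not m:
        raise ValueError(f"not a USB VID/PID key: {key_name!r}")
    return int(m["vid"], 16), int(m["pid"], 16)


def serial_is_generated(serial_key: str) -> bool:
    """An '&' as the second character means the device reported no serial number and
    Windows generated the instance ID, so the key cannot identify one physical device."""
    return len(serial_key) > 1 and serial_key[1] == "&"


def parse_property_times(props: dict) -> dict:
    """props maps the numbered subkey name to the raw 8-byte data of its default value."""
    out = {}
    for subkey, label in PROPERTY_TIMES.items():
        raw = props.get(subkey)
        if raw is None:
            out[label] = None
            continue
        (ft,) = struct.unpack("<Q", raw)
        out[label] = filetime_to_datetime(ft) if ft else None
    return out


def describe_device(usbstor_key: str, serial_key: str, props: dict) -> dict:
    info = parse_usbstor_instance(usbstor_key)
    generated = serial_is_generated(serial_key)
    # Windows appends "&<n>" to the serial; strip it to get the device's own serial number
    info["serial"] = None if generated else serial_key.split("&")[0]
    info["serial_generated"] = generated
    info.update(parse_property_times(props))
    return info


def sample_properties() -> dict:
    """Constructed property values: installed in early 2016, last arrived and removed in 2019."""
    return {"0064": struct.pack("<Q", 131_000_000_000_000_000),
            "0066": struct.pack("<Q", 132_000_000_000_000_000),
            "0067": struct.pack("<Q", 132_100_000_000_000_000)}


if __name__ == "__main__":
    dev = describe_device("Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00",
                          "4C530001234567890123&0", sample_properties())
    for k, v in dev.items():
        print(f"{k:20} {v}")
    print("VID/PID:", tuple(hex(x) for x in parse_usb_vid_pid("VID_0781&PID_5567&MI_00")))
```

A generated instance ID (for example 7&2c1a3b4d&0) is specific to the port and host it was plugged into, so two such keys on different machines cannot be matched to the same stick; only a device-reported serial can.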

REFERENCES

References for Windows Forensic

Tryhackme room
Github Forensic Artifacts
Windows Forensics article
Youtube Training
Eric Zimmerman's Tools
This article was prepared by Ayşe BALCI.