Introduction
The Windows Registry is a critical component of the Windows operating system, serving as a centralized hierarchical database that stores configuration settings and options. Understanding the Windows Registry is essential for forensic investigators as it holds a wealth of information that can be crucial in investigations involving computer crimes. This paper aims to provide a comprehensive guide to Windows Registry forensics, outlining its structure, key components, and the methodologies used in forensic analysis.
Structure of the Windows Registry
Registry Hives
The Windows Registry is divided into sections called hives, each containing keys, subkeys, and values. The primary hives are:
HKEY_CLASSES_ROOT (HKCR): Manages file associations and COM objects.
Example: This hive determines which application opens a .txt file. If Notepad is associated with .txt files, it will be recorded here.
HKEY_CURRENT_USER (HKCU): Stores settings specific to the currently logged-in user.
Example: Customizations such as the desktop background or user-specific application settings are stored in this hive.
HKEY_LOCAL_MACHINE (HKLM): Contains configuration data for the local machine.
Example: Information about installed software and hardware configurations is stored here.
HKEY_USERS (HKU): Holds settings for all user profiles on the system.
Example: Default user settings that apply to all users on the computer are stored in this hive.
HKEY_CURRENT_CONFIG (HKCC): Tracks the current hardware profile.
Example: Information about the current display settings and hardware profile configuration is found here.
Physical Structure
The Registry is backed by seven physical hive files. The system hives live in the Windows system directory and the two per-user hives in each user's profile:
System: C:\Windows\System32\Config\SYSTEM
Software: C:\Windows\System32\Config\SOFTWARE
Security: C:\Windows\System32\Config\SECURITY
Sam: C:\Windows\System32\Config\SAM
Components: C:\Windows\System32\Config\COMPONENTS
NTUser.dat: Located in the user's profile directory.
UsrClass.dat: Located in the user's AppData\Local directory.
These files are loaded into memory during system startup and mapped to the corresponding hives.
Key Components of the Registry
Keys and Subkeys
Keys in the Registry are analogous to folders in a file system, containing subkeys and values. Each key can have multiple subkeys, forming a tree-like structure.
Example: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion contains subkeys related to the current version of Windows, including installed programs and system settings.
Values and Data
Values are the entries within keys that store the actual data. Each value has a name, a data type, and the data itself. Common data types include:
REG_SZ: A string value.
Example: The value ProductName under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion contains the string "Windows 10 Pro".
REG_DWORD: A 32-bit integer.
Example: The value NoDriveTypeAutoRun under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer controls whether AutoRun is enabled and is stored as a DWORD.
REG_BINARY: Binary data.
Example: The value IconStreams under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband contains binary data representing taskbar icon settings.
Dates and Times in the Registry
Last Write Time
Each Registry key has a Last Write Time, indicating the last time the key was modified. This timestamp is stored in FILETIME format, representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). Forensic investigators use these timestamps to determine when changes were made to the system, but they must treat them with caution: the timestamp belongs to the key rather than to any individual value, so it shows that something under the key changed, not which value changed, and the times are approximate and can be affected by various factors.
Example: If the Run key under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion has a Last Write Time of 2023-07-10 10:00:00, it indicates that a change was made to this key at that time, such as the addition or modification of a startup program.
Forensic Analysis of the Windows Registry
Tools for Registry Analysis
Several tools are available for analyzing the Windows Registry, including:
Cellebrite BlackLight: Parses and displays Registry artifacts.
Example: BlackLight can automatically display the installation date and version of the operating system by parsing the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion key.
Registry Explorer: Provides a detailed view of Registry hives and keys.
Example: Investigators can use Registry Explorer to manually browse through the Registry hives and examine keys and values related to user activity.
RECmd: A command-line tool for parsing and querying Registry data.
Example: RECmd can be used to extract specific keys and values from the Registry, such as a list of recently executed applications.
Common Forensic Artifacts
Last Executed Applications
The Registry tracks the execution of applications, which can be found in keys such as:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunMRU
Example: This key stores a list of programs recently run by the user, which can indicate what applications were used and when.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
Example: This key tracks the last folders and files accessed through common dialog boxes, providing insights into recent user activity.
UserAssist
The UserAssist key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist) records details about GUI-based programs launched by the user, including execution counts and last execution times.
Example: This key can reveal how frequently certain applications were used and the last time they were launched, which can help build a timeline of user activity.
Device Connections
USB device connections are tracked in the Registry under keys like:
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
Example: This key contains information about USB storage devices that were connected to the system, including the device name and serial number.
HKLM\SYSTEM\CurrentControlSet\Enum\USB
Example: This key lists all USB devices connected to the computer, not just storage devices, which can be useful in identifying peripherals such as keyboards and mice.
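An added example (not from the paper or from any tool it names): a Python parser that splits USBSTOR subkey names into device class, vendor, product, revision and serial, and flags serials that Windows generated itself (second character "&"), which cannot tie an entry to one physical device. The two subkey names are constructed sample data.

```python
import re

# Device ID as found directly under Enum\USBSTOR, for example
#   Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00
# Windows stores spaces in the vendor and product strings as underscores.
DEVICE_ID_RE = re.compile(
    r"^(?P<dev_class>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>[^&]*)$"
)

def parse_usbstor_entry(device_id, instance_id):
    """Break one USBSTOR device id / instance id pair into its fields.
    instance_id is the subkey below the device id, e.g. '4C530001234567890123&0'.
    Its trailing '&<n>' is a Windows instance suffix, not part of the serial.
    If the second character is '&', the device exposed no unique serial and
    Windows generated the identifier."""
    m = DEVICE_ID_RE.match(device_id)
    if m is None:
        raise ValueError("unrecognised USBSTOR device id: %r" % device_id)
    serial = instance_id.rsplit("&", 1)[0]
    generated = len(instance_id) > 1 and instance_id[1] == "&"
    return {
        "device_class": m.group("dev_class"),
        "vendor": m.group("vendor"),
        "product": m.group("product"),
        "revision": m.group("revision"),
        "serial": serial,
        "serial_is_windows_generated": generated,
    }

def parse_usbstor_tree(tree):
    """Walk a {device_id: [instance_id, ...]} mapping exported from USBSTOR."""
    return [parse_usbstor_entry(d, i) for d, ids in tree.items() for i in ids]

# Constructed sample resembling two subkeys of HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR.
SAMPLE_USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00": ["4C530001234567890123&0"],
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": ["7&1a2b3c4d&0"],
}

if __name__ == "__main__":
    for entry in parse_usbstor_tree(SAMPLE_USBSTOR):
        print(entry)
```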
Recent Documents
The RecentDocs key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs) lists recently opened documents, providing insights into user activity.
Example: This key contains subkeys for different file extensions (e.g., .docx, .xlsx) and stores the paths to recently opened files, which can be used to determine what documents the user has been working on.
Account Usage
User account information, including login times and failed login attempts, can be found in the SAM hive under:
HKLM\SAM\SAM\Domains\Account\Users
Example: This key includes details such as user names, SIDs, and last login times, which can be critical in establishing user presence and activity on the system.
Case Study: Investigating Child Exploitation Cases
In cases of child exploitation, proving the suspect's knowledge and use of file-sharing applications is crucial. The Registry can reveal:
Download paths and shared files: Keys under HKCU\Software\Shareaza\Downloads can show where files were downloaded and what directories were shared.
Example: If the Registry shows that a directory containing illegal material was shared, it can be used as evidence of the suspect's intent to distribute the material.
Keywords searched within file-sharing applications: The HKCU\Software\Shareaza\Searches key can contain search terms entered by the user.
Example: If the search terms are related to illegal content, it can help demonstrate the suspect's intent and knowledge.
Times and frequencies of application usage: The HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist key can show how often and when the file-sharing application was used.
Example: Frequent use of the application around the times illegal files were downloaded can strengthen the case against the suspect.
Shareaza in particular stores its user-configured settings and search keywords in the Registry, so these keys can be used to demonstrate the suspect's intent and knowledge of the software.
Conclusion
Windows Registry forensics is a powerful tool in the arsenal of digital forensic investigators. By understanding the structure and contents of the Registry, investigators can uncover critical evidence about system and user activities. This guide provides a foundation for conducting thorough and effective Registry analysis, helping to solve complex digital investigations.
Author
Emory “Casey” Mullis
Criminal Investigator
Coweta County Sheriff’s Office
Emory Casey Mullis has been in Law Enforcement for over 20 years, encompassing both military and civilian roles. His journey with computers began with a Gateway 266 MHz, which was the pinnacle of consumer technology at the time, costing around $2000. Driven by pure curiosity, he disassembled his new computer right out of the box, much to the dismay of his wife, who insisted, "It better work when you put it back together!" This hands-on experience provided him with a foundational understanding of computer hardware and sparked his career as a Cyber Investigator.
Over the years, Casey has tackled numerous cyber cases, continually honing his skills and knowledge. He emphasizes the importance of questioning, challenging, and testing daily to stay abreast of the latest tools, software, and technologies. Despite the ongoing challenges, he thrives on the dynamic nature of cyber forensics and eagerly embraces every opportunity to learn and grow in this ever-evolving field.