Windows Registry

what is an operating system?

set of programs used to control and manage a computers hardware and system resources

windows is a series of OS's with a ___ developed my MS

GUI

how many file systems does Windows support?

six

what are the six file systems?

ReFS, NTFS, exFAT, FAT32, FAT16 and FAT12

the Windows Registry acts as a hierarchical ___ that stores system configs for users, applications and hardware

database

malware often uses the registry for persistence OR configuration data (t/f)

true, malware often uses the registry

what are some forensic significance of the Windows Registry?

internet searches, websites, passwords, user activity, screen saver, startup programs, etc

what two elements is the Windows Registry composed of?

keys and values

keys are akin to folders (t/f)

true, keys are like folders

keys do NOT contain subkeys or folders (t/f)

false, keys DO contain subkeys and folders

subkeys can have multiple subkeys (t/f)

true, keys can contain keys

how many hives does the Windows Registry have?

5* (5 are available to see)

what is the registry hive?

group of keys, subkeys and values in the registry with data supporting files and backup data

what is the root key?

five top level sections in the registry

what are the other names for the root key?

HKEY or hive

what is a subkey?

similar to a subfolder within a folder

what is a key?

folder in the registry containing additional folders or values

root keys are keys while subkeys are not (t/f)

false, root keys and subkeys are keys

what is a value entry?

an ordered pair with a name and value

what is a value or data?

data stored in a registry entry

what are the 5 root keys?

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

what does HKEY_CLASSES_ROOT have?

drag and drop rules, program shortcuts, user interface

what does HKEY_CURRENT_USER have?

user currently logged on

what does HKEY_LOCAL_MACHINE have?

settings common to entire machine, regardless of user

what does HKEY_USERS have?

settings for al users

what does HKEY_CURRENT CONFIG have?

system configuration necesarry during the startup process

what does the sixth key (HKEY_PERFORMANCE_DATA) have?

provides access to Windows performance counter information for the OS and apps

-> only provides links to performance data, not the data itself

how can you access the sixth key?

through programmatic means

keys act like folders because they contain subkeys or values (t/f)

true, keys act like folders

values are like files and store data (t/f)

true, values store data and are like files

root keys are bottom level containers mapped to hives on disk (t/f)

false, root keys are TOP level containers

what are some common data types?

REG_SZ, REG_DWORD, REG_BINARY, REG_MULTI_SZ

registry keys and value are case sensitive (t/f)

false, reg keys and values are case INSENSITIVE

how many masters keys are in Windows Registry?

two

what are the two master keys?

HKEY_LOCAL_MACHINE (HKLM), HKEY_USERS

what does HKEY_LOCAL_MACHINE include?

config data describing hardware and software installed on the computer

what does HKEY_USERS (HKU) include?

config data for each user that logs into the computer

the HKEY_CURRENT_USER is a registry hive file (t/f)

true, it is a hive file

HKEY_LOCAL_MACHINE\SYSTEM

core system configuration (ControlSets, Services, Hardware Profiles)

HKEY_LOCAL_MACHINE\SOFTWARE

global application and OS setting

HKEY_LOCAL_MACHINE\SAM

security account manager (local user DB and password hashes)

HKEY_LOCAL_MACHINE\SECURITY

local security authority (LSA) policy and secrets

HKEY_USERS\ (user profile)

per-user hive loaded as HKEY_CURRENT_USER

HKEY_USERS\_Classes (UsrClass.dat)

per-use COM and file association hive split from NTUSER.DAT, mandatory and relocated in Vista

if your hive is dirty, what can you replay to create a clean hive?

transaction logs

you should not copy the .LOG# files are a part of your investigation, as they are non important (t/f)

FALSE, please capture those they are VERY important

how can you decide which LOG# file to replay first?

sequence number

does the windows registry have valuable investigative information?

yea bro duh

CurrentControlSet is a runtime alias pointing to the active ControlSet00X set in HKEY_LOCAL_MACHINE (t/f)

true, it is an alias

what is the filepath of CurrentControlSet?

HKEY_LOCAL_MACHINE\SYSTEM\Select\Current

ControlSet001

last control set Windows booted with

ControlSet002

last known good control set, or the control set that last successfully booted Windows

ControlSet001 should be the same as ControlSet002 (t/f)

true, should be the same

"serial numbers" shown in USBSTOR are always genuine manufacturer serial numbers (t/f)

false, they are not always constant

how would the same "serial" string appear for different drives?

if the device uses an enclosure or adapter that exposes a generic descriptor

the serial shown is the enclosures ID rather than the drives own serial number (t/f)

true

some analytic tools and documentation treat the "serials" as unique. what is the problem with that?

research shows that this is incorrect, so it can lead to wrong conclusion

what are shell bags?

set of config information for file system folders that are accessed via Windows Explorer

what are the two subkeys in shellbags?

bags and bagMRU

what is the Bags subkey?

list of all shellbags

what is the BagsMRU subkey?

list of folders that have been used most recently

if a directory is in a shell bag, that means...

the user has accessed that directory at least once

when were shellbags introduced?

Windows XP

shell bags are also placed in UsrClass.dat starting with what windows version?

Windows 7+

registry analysis

never work on the original, make a copy

should you use 3rd party tools for analysis?

yes, absolutley

what does a blank RegBack folder mean?

nothing, Windows10 stopped the automatic System Registry backup to the RegBack folder to reduce disk inprint of Windows

what should you use instead of RegBack to analyze registry evidnece?

Volume Shadow Copies (VSCs)