Overview of Viewing and Capturing the Registry
There are several techniques that can be used to examine the Registry, each of which has its own merits. If time is of the essence (such as in an ongoing intrusion), an examiner could choose to access the Registry on a live system by using the computer’s own “regedit” command. Obviously, this will make a number of changes to the computer and does violate “the golden rule” of digital forensics (do not alter the evidence). However, in doing so, the examiner might be able to quickly determine the extent of the intrusion. Alternately, the examiner could use a USB triage device containing tools to view the Registry directly (e.g. Registry Commander) or to export it for further examination (e.g. FTK Imager’s “Obtain Protected Files” functionality). The USB device itself can also serve as the storage location for the exported Registry. Note, however, that attaching a USB device to a live system will itself update the Registry (device enumeration Keys such as those under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR and HKLM\SYSTEM\MountedDevices are written when a mass storage device is plugged in). Prior to using this approach, it is extremely important for the examiner to have verified on a test computer exactly which Keys are affected when a USB device is attached to a live system. Likewise, the tools themselves need to undergo some sort of verification and/or validation process before being used for examination purposes. Documentation must be maintained in both instances to demonstrate that no probative information was compromised on a target system.
As previously mentioned, Registry Commander (which also displays each Key’s “Last Write Time”) can be used to manually examine the Registry on a live system. However, this could turn out to be a time consuming task. Another tool, such as Autoruns (Sysinternals), can be used to quickly provide a wealth of information from the Registry, such as what programs are configured to run during system boot up or login. Alternately, FTK Imager can be used to capture and export the Registry hive files for a thorough offline examination using other tools such as RegRipper, WRA, Registry Viewer, KUSTAR, or Registry Report. With either of these methods, only the Registry itself is examined, not the rest of the file system.
If time is not an issue, the examiner can perform a live acquisition of the computer’s hard drive using a USB triage device containing an acquisition tool (e.g. FTK Imager’s “Create Disk Image” functionality). During a live acquisition, changes will be constantly occurring to the computer’s hard drive and to the Registry itself, so the image is a snapshot of a moving target. Depending upon the circumstances, the computer could instead be powered down and its hard drive acquired post-mortem. In either instance, the image captured would have to be examined on a forensic computer using other forensic tools such as EnCase or FTK. The Registry could then be examined manually within the image, or the hive files (SYSTEM, SOFTWARE, SAM, SECURITY, and each user’s NTUSER.DAT) extracted and examined with the tools listed above.
Registry Forensics: General Forensic Information
There are thousands of Keys in the Registry. Choosing which ones to examine would depend upon the type of investigation being conducted. As a simplified guide, many of the forensically important Keys can be grouped into several broad categories based upon what potential probative information they may provide: General Forensic Information, Attached Devices, Security Identifiers, and Intrusion Related Activities. (Note: the Keys discussed are by no means a complete listing and others not cited could be of importance.)
1. SYSTEM and USER INFORMATION:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion Information about the version of Windows (ProductName, CurrentVersion, CurrentBuild), the product ID and the encoded product key (DigitalProductId), the registered owner (RegisteredOwner), the installation type (InstallationType), the system root directory (SystemRoot), the installation date (InstallDate, stored as seconds since the Unix epoch), and other data are maintained in this Key.
2. LAST WRITE TIME:
Every Key carries a timestamp in its key header (it is not a Value and is not visible in regedit) called the “Last Write Time” (LWT), stored as a 64-bit FILETIME in UTC. The LWT is updated when a Key is created or modified, that is, when one of its Values is added, changed, or deleted, or when a direct subkey is created or deleted; merely reading a Key does not update it. Only the LWT of a Key can be obtained, not the LWT for a particular Value. Knowing the LWT of a Key can be used to infer the approximate date and time an event occurred. Although it may be difficult to determine which Value was actually changed, the LWT of a Key can be correlated with other information, such as the MAC times found in the file system, to narrow down what happened and when.
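The following is an added example (not code from the original page or from any of the tools it names) that ties together the test-computer verification step from the first section and the Last Write Time discussion above. It snapshots the LWT of every Key under a subtree, is run again after the USB triage device is attached, and diffs the two snapshots so the examiner can document exactly which Keys the device touched. It assumes only the Python standard library: the live walk uses the Windows-only winreg module (whose QueryInfoKey returns the LWT as a FILETIME tick count), while the FILETIME conversion and the diff are pure Python and also run on a non-Windows workstation against saved snapshots. The SAMPLE_BEFORE and SAMPLE_AFTER dictionaries and the device key names in them are constructed sample data, not captured from a real system.

```python
"""Registry Last Write Time snapshot and diff helper (added example).

Workflow on the test computer: snapshot a subtree, attach the USB triage
device, snapshot again, and diff the two to learn which Keys the device
changed. The live walk needs Windows (stdlib winreg); the conversion and
diff helpers run anywhere.
"""
from datetime import datetime, timedelta, timezone

try:
    import winreg  # stdlib, Windows only
except ImportError:  # e.g. analysing saved snapshots on a Linux workstation
    winreg = None

# FILETIME epoch: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME tick count (as returned by winreg.QueryInfoKey)
    to an aware UTC datetime. The 100 ns digit is dropped by the division."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def snapshot_last_write(hive, subkey: str, max_depth: int = 6) -> dict:
    """Return {key_path: FILETIME} for subkey and its descendants under hive
    (hive is e.g. winreg.HKEY_LOCAL_MACHINE). Keys that cannot be opened
    (ACLs, or a Key removed while we walk) are skipped, not fatal."""
    if winreg is None:
        raise RuntimeError("live snapshot needs the Windows winreg module")
    seen = {}
    stack = [(subkey, 0)]
    while stack:
        path, depth = stack.pop()
        try:
            with winreg.OpenKey(hive, path, 0, winreg.KEY_READ) as key:
                n_subkeys, _n_values, last_write = winreg.QueryInfoKey(key)
                seen[path] = last_write
                if depth < max_depth:
                    for i in range(n_subkeys):
                        try:
                            stack.append((path + "\\" + winreg.EnumKey(key, i), depth + 1))
                        except OSError:  # subkey list changed underneath us
                            break
        except OSError:
            continue
    return seen


def diff_snapshots(before: dict, after: dict) -> dict:
    """Keys added, removed, or whose Last Write Time changed between snapshots."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted((p, before[p], after[p]) for p in common if before[p] != after[p]),
    }


def format_report(diff: dict) -> list:
    """Render a diff as human-readable lines with the FILETIMEs decoded."""
    lines = [f"added    {p}" for p in diff["added"]]
    lines += [f"removed  {p}" for p in diff["removed"]]
    for p, old, new in diff["modified"]:
        lines.append(f"modified {p}: {filetime_to_datetime(old).isoformat()} -> "
                     f"{filetime_to_datetime(new).isoformat()}")
    return lines


# Constructed sample snapshots (not from a real system): before and after a
# USB mass storage device is attached. _T0 is 2020-01-01 00:00:00 UTC as a
# FILETIME; _T1 is ten minutes later.
_T0 = 132223104000000000
_T1 = _T0 + 600 * 10_000_000
SAMPLE_BEFORE = {
    r"SYSTEM\CurrentControlSet\Enum\USBSTOR": _T0,
    r"SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Example&Prod_Old": _T0,
    r"SYSTEM\MountedDevices": _T0,
}
SAMPLE_AFTER = {
    r"SYSTEM\CurrentControlSet\Enum\USBSTOR": _T1,
    r"SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Example&Prod_Old": _T0,
    r"SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Triage&Prod_Kit": _T1,
    r"SYSTEM\MountedDevices": _T1,
}

if __name__ == "__main__":
    for line in format_report(diff_snapshots(SAMPLE_BEFORE, SAMPLE_AFTER)):
        print(line)
    if winreg is not None:  # live use on the test computer
        root = r"SYSTEM\CurrentControlSet\Enum\USBSTOR"
        before = snapshot_last_write(winreg.HKEY_LOCAL_MACHINE, root)
        input("Attach the USB triage device, wait a few seconds, then press Enter...")
        after = snapshot_last_write(winreg.HKEY_LOCAL_MACHINE, root)
        print("\n".join(format_report(diff_snapshots(before, after))))
```

On the test computer, widen the root to HKLM\SYSTEM (and raise max_depth) to catch everything the device changes, and keep the printed report as the validation record the first section calls for. Because only the Key timestamp is available, the report names the Keys that changed and when, not which Value changed within them.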