Before I start, I want to apologize for the length of this article. In my defense, it contains many images that I wanted to include in order to reach a better understanding.
It’s imperative to be calm, focused and to keep a clear mind, whatever the environment and whatever analysis we’re doing. (Right now, for example, these are not good times while I write this article and my head is somewhere else. I apologize for that.)
In the previous post, dedicated to the use of RegRipper, we saw, very superficially, how we can analyze the Registry with it and some examples of the type of information we can extract.
I said that RegRipper is an excellent tool in the field of forensic analysis. But it is not the only one.
Normally people don’t ask me what tools I use but, when they do, I always give the same answer. I name some tools and then I add:
Don’t ask what tool I use. Use one with which you feel comfortable.
And for that reason, you have to know what tools are out there and what our options are at every scene. Because there are no two similar cases, and no two identical analyses.
You know that being curious isn’t optional 😉
Also, it should be noted that, in my view, each system and each tool has inherent advantages and disadvantages.
For example, I feel very comfortable working with RegRipper in my Linux lab, using the CLI (command-line interface). But this tool can’t parse the whole Windows Registry and, in my view, it works through reports (personal opinion). Sometimes this is convenient, but at other times a more in-depth study of the Registry is necessary: seeing it in its natural state, seeing its hierarchical structure, trying to understand how it works (I already said that this requires a lot of study time).
And I feel very comfortable working with another tool in my Windows lab, using a graphical interface that lets me interact with the Registry in a different way.
And, at this point, I must say that it’s necessary that we sit comfortably and feel comfortable with what we’re working on. In a forensic analysis there are many types of evidence to analyse: a few with ‘little’ difficulty and others with a very high level of complexity. For example, carving or extracting a browsing history doesn’t require the same focus as a study of the Windows Registry, which, as I said, is an essential and fundamental step in any case.
Therefore, I want to talk to you about Registry Explorer, developed by Eric Zimmerman, author of the blog https://binaryforay.blogspot.com.es/, SANS instructor and author of the book “X-Ways Forensics Practitioner’s Guide”, which he wrote with Brett Shavers, about whom I already talked in the article on WinFE. His biography is very extensive, with his activity as an FBI special agent standing out, where he did great work in the design and development of software for investigations of child sexual abuse. He has developed more than a dozen tools that are very useful in the DFIR field. In particular, he developed Registry Explorer because the available analysers did not offer the features he was looking for, and it is the basis of other software he has developed.
What is Registry Explorer? “A Registry viewer powered by plugins.” That easy.
It is a complete, offline parser of the Windows Registry, written in C#. “Registry Explorer is a GUI based tool used to view the contents of offline Registry Hives. It has the ability to load multiple hives at once, search across all loaded hives using strings or regular expressions, exporting of data, and much more.”
It “contains powerful searching, filtered and other visualization concepts that makes exploring Registry hives very easy while exposing all of the technical information contained in Registry hives.” It can also recover deleted keys and, where possible, associate them again.
It’s a very powerful tool, with which I feel very comfortable working. Not for nothing, it’s recommended by ENISA (European Union Agency for Network and Information Security) in their manual “Forensic analysis Local Incident Response Handbook, Document for teachers”.
Before we start, it is necessary to install Microsoft .NET Framework 4.6, which we download from the Microsoft site.
It’s really easy to use, very intuitive and full of tips. In addition, it’s very, very well documented, with an 81-page PDF manual that you must read, that the author keeps under review, and that is located inside the tool’s directory. Therefore, as usual, and with the introductions made, we’ll proceed to download it from its official site.
As it has a really good manual, I will try to dispense with the basic explanations. I repeat that its manual is a must-read.
So, after opening Registry Explorer, we proceed to load the first of the hives that we’ll see in this article.
In this first example, I loaded the ‘Amcache.hve’ hive. The first thing we see, besides the name of the hive and the root key, are the timestamps. These marks will accompany us throughout the analysis.
We can, and we must, browse calmly through this hive, unfolding all its keys and subkeys. And we need to ‘lose’ time in its analysis, because very interesting data can be extracted. For example, if we browse through the ‘File’ key, we can obtain information about programs, or simple executables, that have been used recently.
Also, and although I have not seen anything documented about it, I find it very interesting to know which equipment the System we are analyzing belongs to. For example, if we browse through the ‘Hardware’ key, we can obtain information about the (physical) equipment this System belongs to, such as the equipment name, make, model and serial number.
I have said that this tool is full of tips. At the bottom left we can permanently see the path to the key we have selected. It is enough to hover the cursor over some elements for the tool to indicate, for example, the name of the root key.
This tool allows us to create bookmarks on any registry key, which will be associated with a hive type and a path, and which we can add using the ‘Add bookmark’ option in the drop-down menu,
to which we assign a name and a category, with the option to add a description,
so that we have it available in future analyses, through the option ‘Bookmarks > User created > Name assigned’, which will take us directly to the indicated key without needing to look for it again,
and which we can see through ‘Bookmark Manager’.
We can also extract information about the Operating System, such as the license number or the time zone, if we position ourselves on the ‘OS’ key,
and even information about the processor of the computer on which the System was installed, if we position ourselves on the ‘Processor’ key.
As I said, it is very interesting to ‘lose’ a little time browsing all the keys of the hive, even those that have been deleted, since this tool can recover deleted entries, whether or not it has been possible to associate them. For example, if we browse through the ‘InventoryDevicePnp’ key, we can find information about devices, in this case Bluetooth, that have been connected to the System.
We can even move through the ‘Programs’ key to see information about the software installed on the System and obtain, among other things, the name of the program, the version and the installation path.
I’ll now load the ‘UsrClass.dat’ hive. We can see that the ‘Registry hives’ tab shows the loaded hive. This tool, as we said, can work with bookmarks. One way to reach these bookmarks is through the ‘Available bookmarks’ tab, which in this case shows us one: the one for ‘BagMRU’, a set of registry keys that store details about a displayed folder, such as its size, position and icon. That is, it will show us the activity of the user who owns this file, related to access to resources on the System.
And we can browse quietly through it, unfolding all its keys and seeing their corresponding timestamps,
to obtain all kinds of information. We will see that the information kept in this hive is not small. We start by looking at the ‘BagMRU’ key itself,
which presents us this data, shown in Base64, and which can be somewhat difficult to interpret.
Even if we use the data type viewer built into this tool, which may contain one or more tabs that adjust dynamically depending on the type of value selected, including a hexadecimal viewer, its correct reading can still be somewhat difficult, as can be seen in this example.
To help us with this interpretation, we have an option that converts the data into clear and understandable language, called the data interpreter,
which will be displayed in a new popup window. In addition to interpreting and converting the data that we select, it has a very interesting option: it can convert GUIDs (Universally unique identifier) to known folder and location names. Now, if we select a single byte, a single address, we can read information indicating, for example, that the ‘My Computer’ element has been accessed.
And if we select a range of positions, a number of bytes, we get the same results, since it is only necessary to mark the initial byte for the interpreter to do its work. In this case, by selecting a range we can see that a search was made on a removable drive, assigned the letter ‘D’.
We can determine that the ‘Home Folder’ site has been accessed,
and by browsing the keys and subkeys we can reconstruct a path that has been accessed, including actions performed on files.
At all times we are told at which address we are positioned and the number of bytes we have selected.
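As an added example (not part of the original post and not Registry Explorer’s own code), the following Python script does by hand what the data interpreter does in the screenshots above: it decodes a Base64 BagMRU value into its item ID list, converts the 16-byte on-disk GUID of a root-folder shell item into its text form, maps that GUID to a known folder name, and reads the drive letter from a volume shell item. The BagMRU value is constructed, the shell item layout assumed here (2-byte little-endian size, 1-byte type, GUID at offset 4 for type 0x1F, ASCII name at offset 3 for volume types 0x20–0x2F) follows the public shell item format, and the known-folder table contains the documented CLSIDs for ‘My Computer’, ‘Network’, ‘Recycle Bin’ and ‘Desktop’.

```python
import base64
import struct
import uuid

# Constructed sample (not taken from any real hive): an item ID list with a
# root-folder item for "My Computer" followed by a volume item for drive D:,
# terminated by a zero-length item, and then Base64-encoded as the grid shows it.
MY_COMPUTER_ITEM = bytes.fromhex("14001F50E04FD020EA3A6910A2D808002B30309D")
DRIVE_D_ITEM = bytes.fromhex("19002F443A5C" + "00" * 19)  # 25-byte volume item, name "D:\"
SAMPLE_BAGMRU_B64 = base64.b64encode(MY_COMPUTER_ITEM + DRIVE_D_ITEM + b"\x00\x00").decode()

# Documented well-known folder CLSIDs (lower-case text form, as uuid produces them)
KNOWN_FOLDERS = {
    "20d04fe0-3aea-1069-a2d8-08002b30309d": "My Computer",
    "208d2c60-3aea-1069-a2d7-08002b30309d": "Network",
    "645ff040-5081-101b-9f08-00aa002f954e": "Recycle Bin",
    "00021400-0000-0000-c000-000000000046": "Desktop",
}


def guid_from_bytes(raw: bytes) -> str:
    """Convert a 16-byte on-disk GUID (first three fields little-endian) to text."""
    return str(uuid.UUID(bytes_le=raw))


def split_idlist(blob: bytes):
    """Yield each shell item of an item ID list; every item starts with a 2-byte size."""
    pos = 0
    while pos + 2 <= len(blob):
        size = struct.unpack_from("<H", blob, pos)[0]
        if size == 0:          # terminator
            break
        yield blob[pos:pos + size]
        pos += size


def interpret_item(item: bytes) -> str:
    """Turn one shell item into the kind of label the data interpreter shows."""
    kind = item[2]
    if kind == 0x1F and len(item) >= 20:          # root folder item: GUID at offset 4
        guid = guid_from_bytes(item[4:20])
        return KNOWN_FOLDERS.get(guid, f"root folder {{{guid}}}")
    if 0x20 <= kind <= 0x2F:                      # volume item: ASCII name at offset 3
        name = item[3:].split(b"\x00", 1)[0].decode("ascii", "replace")
        return f"volume {name}"
    return f"unhandled item type 0x{kind:02x}"


def interpret_bagmru(b64_value: str) -> list:
    """Decode a Base64 BagMRU value and label each of its shell items."""
    blob = base64.b64decode(b64_value)
    return [interpret_item(item) for item in split_idlist(blob)]


if __name__ == "__main__":
    for label in interpret_bagmru(SAMPLE_BAGMRU_B64):
        print(label)
```

Running it prints ‘My Computer’ and ‘volume D:\’ for the constructed value, which is the same reading the data interpreter gives when the first byte of each item is selected. Only root-folder and volume items are handled; the file and folder items that make up the rest of a real path carry names and DOS timestamps in a different layout and would need their own branches.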
I will now load the ‘NTUSER.DAT’ hive, which contains all profile information for a given user.
For this example we will use the bookmarks, which can also be accessed from the top menu, via ‘Bookmarks > Common > …’.
So, for example, we can select the one for ‘7-zip’,
which will take us directly to its corresponding key, where we can explore both its configuration and its usage history,
from which we can extract the information of the files used with this compressor, as well as their paths.
We can head for the ‘WordWheelQuery’ bookmark,
which takes us to the key that contains information about searches performed in Windows Explorer.
We can use the ‘UserAssist’ bookmark,
which will take us to a key, containing other subkeys, that shows us information about the programs recently executed by the user,
including the complete path of the executable, a counter and its corresponding timestamps.
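As an added example (not from the original post and not Registry Explorer’s own code), here is how the executable path, counter and timestamp of a UserAssist value can be decoded in Python, which is useful when you want to check what the bookmark shows or process many values at once. It relies on two facts about the key that the post does not spell out: the value names are ROT13-obfuscated, and on Windows 7 and later each value is a 72-byte record holding the run count at offset 4, the focus count at offset 8, the focus time in milliseconds at offset 12 and the last-execution FILETIME at offset 60. The sample value name and data are constructed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means 'never'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, in integer arithmetic to avoid float rounding."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_userassist(value_name: str, data: bytes) -> dict:
    """Decode one UserAssist value using the Windows 7+ 72-byte layout."""
    if len(data) < 68:
        raise ValueError("UserAssist data too short for the Windows 7+ layout")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    last_run = struct.unpack_from("<Q", data, 60)[0]
    return {
        "program": codecs.decode(value_name, "rot_13"),   # undo the ROT13 name obfuscation
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": focus_ms / 1000,
        "last_run": filetime_to_datetime(last_run),
    }


# Constructed sample (not from any real hive): ROT13 of "C:\Tools\example.exe",
# run 7 times, focused 3 times for 45 s, last executed 2017-03-01 00:00:00 UTC.
SAMPLE_NAME = "P:\\Gbbyf\\rknzcyr.rkr"
SAMPLE_DATA = (
    struct.pack("<IIII", 0, 7, 3, 45_000)       # session id, run count, focus count, focus ms
    + struct.pack("<10f", *([0.0] * 10))         # ten floats at offset 16, not used here
    + struct.pack("<I", 0)                       # DWORD at offset 56
    + struct.pack("<Q", datetime_to_filetime(datetime(2017, 3, 1, tzinfo=timezone.utc)))
    + struct.pack("<I", 0)                       # trailing DWORD
)

if __name__ == "__main__":
    for field, value in parse_userassist(SAMPLE_NAME, SAMPLE_DATA).items():
        print(f"{field:>14}: {value}")
```

A zero FILETIME is reported as ‘never’ rather than as 1601-01-01, which is a common mistake when this field is read naively; Windows XP values use a shorter 16-byte layout and are not handled by this parser.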
Another option this tool offers, which I find very interesting, is the option to hide keys, which we can use, for example, when we finish the analysis of a key or we find one that we are not interested in studying. This is done from the context menu, using ‘Hide key > For this session only’.
In this way, it will disappear from the hive that we have loaded,
and we can show it again through the top menu, via ‘Options > Show hidden keys’; we will be able to distinguish it from the rest, since it will display a small red mark.
We can also, for example, go to the ‘RecentDocs’ bookmark to see an MRU (Most Recently Used) key, with the list of programs or documents that were last accessed,
which will take us to the key with the same name, ‘RecentDocs’, where we can see the names of the files that have been accessed, grouped by extension, and a key named ‘Folder’, which indicates the folders explored, with the date of last opening and a counter.
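Both ‘WordWheelQuery’ (seen a few paragraphs above) and ‘RecentDocs’ are MRU keys of the same shape: numbered values hold one entry each, and an ‘MRUListEx’ value lists the slot numbers as little-endian DWORDs, most recent first, terminated by 0xFFFFFFFF. As an added example that is not part of the original post or of Registry Explorer, the Python below reproduces the ordering the bookmarks show for both keys. The sample key contents are constructed; the only difference assumed between the two keys is that a RecentDocs value carries a shell item after the UTF-16 file name, which the decoder stops before.

```python
import struct

MRULISTEX_END = 0xFFFFFFFF


def utf16_name(data: bytes) -> str:
    """Return the leading null-terminated UTF-16LE string of a value's data."""
    for i in range(0, len(data) - 1, 2):          # scan aligned code units for 0x0000
        if data[i] == 0 and data[i + 1] == 0:
            return data[:i].decode("utf-16-le")
    return data.decode("utf-16-le", "replace")   # no terminator: take everything


def mru_order(mrulistex: bytes) -> list:
    """Decode MRUListEx into slot numbers, most recently used first."""
    order = []
    usable = mrulistex[: len(mrulistex) - len(mrulistex) % 4]  # ignore a ragged tail
    for (slot,) in struct.iter_unpack("<I", usable):
        if slot == MRULISTEX_END:
            break
        order.append(slot)
    return order


def ordered_entries(values: dict) -> list:
    """Return (slot, name) pairs of an MRU key in most-recently-used order."""
    result = []
    for slot in mru_order(values["MRUListEx"]):
        raw = values.get(str(slot))
        if raw is None:        # listed slot with no value: deleted or truncated key
            continue
        result.append((slot, utf16_name(raw)))
    return result


# Constructed WordWheelQuery key: three searches; MRUListEx says slot 2 is the
# latest, then slot 0, then slot 1.
SAMPLE_WORDWHEEL = {
    "MRUListEx": struct.pack("<IIII", 2, 0, 1, MRULISTEX_END),
    "0": "invoice".encode("utf-16-le") + b"\x00\x00",
    "1": "passwords".encode("utf-16-le") + b"\x00\x00",
    "2": "budget 2017".encode("utf-16-le") + b"\x00\x00",
}

# Constructed RecentDocs-style value: the file name is followed by extra bytes
# standing in for the shell item, which the name decoder must stop before.
SAMPLE_RECENTDOCS = {
    "MRUListEx": struct.pack("<II", 0, MRULISTEX_END),
    "0": "report.docx".encode("utf-16-le") + b"\x00\x00" + bytes.fromhex("1000320000000000"),
}

if __name__ == "__main__":
    for slot, name in ordered_entries(SAMPLE_WORDWHEEL):
        print(f"slot {slot}: {name}")
    print(ordered_entries(SAMPLE_RECENTDOCS))
```

The slot order, not the numeric value names, is what tells you which entry is newest; a slot present in ‘MRUListEx’ but missing as a value is skipped rather than treated as an error, since that is exactly what a partially deleted key looks like.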
There are no bookmarks for all registry keys. This is why I emphasize that it’s important to ‘shop around’ for these keys. Because, for example, we can find, in the ‘Acrobat Reader’ key, if it is installed,
the PDF documents the user has accessed, with the file name, the path and the timestamps.
This tool also has the option to export the values of a key we have examined, in several formats. This is done through the context menu, using ‘Export > Values > To …’.
It is also interesting to load the ‘SAM’ (Security Accounts Manager) hive,
which is a database that stores user accounts and security descriptors for users on the computer, and which can show us relevant data such as creation dates, last login, invalid logins, group memberships, …
This tool also allows us to hide columns, for a better visualization of the data.
We can load several hives at once.
Also, with each action we take, a message box is displayed at the bottom right,
where we can see, with its level of criticality, the affected file and its details,
which we can export to an Excel file to study later,
and we can clear the current messages to pay attention to the ones that will occur next.
If we have loaded several hives, we can see the total of available bookmarks in the ‘Available bookmarks’ tab. And if we select one, the top menu ‘Bookmarks’ will show those available for that hive.
So, for example, since in this case we have seen the execution of USBOblivion (a tool that I do not know at all), we can begin to extract information about USB devices connected to the System, theoretically removed, using the available bookmarks, starting with the ‘SOFTWARE’ hive,
and the ‘Windows Portable Devices’ bookmark,
to display information about a portable drive, which may also include the drive letter.
We can use the ‘Run’ bookmark
to find out which applications run automatically at each system startup.
We can use the ‘Products’ bookmark
to list the MSI packages (Windows Installer packages) installed on the System, with their version, name, installation date, source, and so on.
Now, if we select the already loaded ‘SYSTEM’ hive, we can go to the ‘Additional removable storage info’ bookmark,
because the last write time can correlate with the first insertion of the device.
We can use the ‘Disk info’ bookmark
so that it shows us the information of all disks connected to the System.
We can use the ‘ComputerName’ bookmark
so that it shows us the System name.
We can use the ‘Environment’ bookmark
so that it shows us information about the Operating System, which includes the processor architecture.
We can use the ‘MountedDevices’ bookmark
so that it gives us a list of hardware devices connected to the System.
We can use the ‘USB’ bookmark
so that it shows us the information of the USB devices that have been connected to the System.
At this point, through the context menu, if we use the ‘Technical details’ option,
it will show us all the technical information it has about a USB drive, presented in several tabs.
Or we can use the typical ‘USBSTOR’ key, with the bookmark of the same name,
so that it displays a list of the properties of USB devices that have been connected to the computer.
If we know the name of the key we want it to show us, we just have to start typing its name, because this tool allows direct searching of keys, highlighting the match for each letter in yellow.
Another very interesting feature of this tool is its very powerful search engine, able to search several hives at the same time. It is accessed through ‘Tools > Find’,
which opens another window in which we can indicate the word or words, or expressions, we want to find, with several interesting options, all with tips that clarify their functionality.
Once the search is finished, we are presented with all the results that match our search patterns. If we select one, it takes us directly to the selected key, so we can see all its contents.
It also allows us to sort the columns, for example in ascending or descending order, either through the columns themselves
or through the mouse context menu.
It also allows us to search by the last write time in the hive.
If we use these options, we will be applying a search filter, which is shown at the bottom left of the window and which we can easily edit by choosing the ‘Edit Filter’ option, located at the bottom right of the window.
As we did above, it allows us to export all search results to an Excel table, with the ‘Export results’ option, so that we can study them calmly or keep them as a reference for a more exhaustive analysis.
This tool has many more virtues. I invite you to try it and discover them but, remember, feel comfortable 😉
That is all, for now. See you in the next entry. This Minion, devoted and loyal to you, says goodbye… for now.