Difference between pages "Upcoming events" and "Windows Registry"

From Forensics Wiki
= Upcoming events =

<b>PLEASE READ BEFORE YOU EDIT THE LISTS BELOW</b><br>
When events begin the same day, events of a longer length should be listed first. New postings of events with the same date(s) as other events should be added after events already in the list. Please use three-letter month abbreviations (e.g. Sep, NOT Sept. or September), two-digit dates (e.g. Jan 01, NOT Jan 1), and date ranges rather than a list of every date during an event (e.g. Jan 02-05, NOT Jan 02, 03, 04, 05).<br>
<i>Some events may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience. Such restrictions should be noted when known.</i>

This is a BY DATE listing of upcoming events relevant to [[digital forensics]]. It is not an all-inclusive list, but it includes most well-known activities. Some events may duplicate events on the generic [[conferences]] page, but entries in this list have specific dates and locations for the upcoming event.

This listing is divided into three sections (described as follows):<br>
<ol><li><b><u>[[Upcoming_events#Calls_For_Papers|Calls For Papers]]</u></b> - Calls for papers for either journals or conferences relevant to digital forensics (Name, Closing Date, URL)</li><br>
<li><b><u>[[Upcoming_events#Conferences|Conferences]]</u></b> - Conferences relevant to digital forensics (Name, Date, Location, URL)</li><br>
<li><b><u>[[Training Courses and Providers]]</u></b> - Training</li><br></ol>

== Calls For Papers ==
Please help us keep this up-to-date with deadlines for upcoming conferences that would be appropriate for forensic research.

{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! width="30%"|Title
! width="15%"|Due Date
! width="15%"|Notification Date
! width="40%"|Website
|-
|5th International Workshop on Managing Insider Security Threats
|Jul 31, 2013
|Aug 31, 2013
|http://isyou.info/conf/mist13/cfp4mist13.txt
|-
|AAFS 66th Annual Scientific Meeting
|Aug 01, 2013
|Nov, 2013
|http://www.aafs.org/aafs-66th-annual-scientific-meeting
|-
|21st Network & Distributed System Security Symposium
|Aug 05, 2013
|Nov 01, 2013
|http://www.internetsociety.org/events/ndss-symposium-2014/ndss-2014-call-papers
|-
|9th International Conference on Cyber Warfare and Security (ICCWS-2014)
|Sep 02, 2013 (abstract)
|Sep 09, 2013 (abstract)<br>Dec 30, 2013 (final paper)
|http://academic-conferences.org/iciw/iciw2014/iciw14-call-papers.htm
|-
|IFIP WG 11.9 International Conference on Digital Forensics
|Sep 15, 2013
|Oct 15, 2013
|http://www.ifip119.org/Conferences/WG11-9-CFP-2014.pdf
|-
|}

See also [http://www.wikicfp.com/cfp/servlet/tool.search?q=forensics WikiCFP 'Forensics']

== Conferences ==
{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! width="40%"|Title
! width="20%"|Date/Location
! width="40%"|Website
|-
|Symposium On Usable Privacy and Security (SOUPS)
|Jul 24-26<br>Newcastle, United Kingdom
|http://cups.cs.cmu.edu/soups/2013/
|-
|BlackHat USA
|Jul 27-Aug 01<br>Las Vegas, NV
|https://www.blackhat.com/us-13/
|-
|DFRWS 2013
|Aug 04-07<br>Monterey, CA
|http://dfrws.org/2013
|-
|Regional Computer Forensics Group GMU 2013
|Aug 05-09<br>Fairfax, VA
|http://www.rcfg.org
|-
|6th USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '13)
|Aug 12<br>Washington, DC
|https://www.usenix.org/conferences?page=1
|-
|8th USENIX Workshop on Hot Topics in Security (HotSec '13)
|Aug 13<br>Washington, DC
|https://www.usenix.org/conferences?page=1
|-
|22nd USENIX Security Symposium - USENIX Security '13
|Aug 14-16<br>Washington, DC
|https://www.usenix.org/conference/usenixsecurity13
|-
|6th International Workshop on Digital Forensics (WSDF 2013)
|Sep 02-06<br>Regensburg, Germany
|http://www.ares-conference.eu/conf/index.php?option=com_content&view=article&id=49&Itemid=95
|-
|2013 HTCIA International Conference & Training Expo
|Sep 08-11<br>Summerlin, NV
|http://www.htciaconference.org/
|-
|New Security Paradigms Workshop (NSPW)
|Sep 09-12<br>The Banff Center, Canada
|http://www.nspw.org/current/
|-
|Black Hat-Regional Summit
|Sep 10-12<br>Istanbul, Turkey
|https://www.blackhat.com/is-13/
|-
|French-Speaking Days on Digital Investigations-Journées Francophones de l'Investigation Numérique (AFSIN)
|Sep 10-12<br>Neuchâtel, Switzerland
|https://www.afsin.org/
|-
|5th International Conference on Digital Forensics & Cyber Crime
|Sep 25-27<br>Moscow, Russia
|http://d-forensics.org/2013/show/home
|-
|VB2013 - the 23rd Virus Bulletin International Conference
|Oct 02-04<br>Berlin, Germany
|http://www.virusbtn.com/conference/vb2013/index
|-
|8th International Conference on Malicious and Unwanted Software
|Oct 22-24<br>Fajardo, Puerto Rico, USA
|http://www.malwareconference.org/index.php?option=com_frontpage&Itemid=1
|-
|16th International Symposium on Research in Attacks, Intrusions and Defenses (RAID)
|Oct 23-25<br>St. Lucia
|http://www.raid2013.org/
|-
|5th International Workshop on Managing Insider Security Threats
|Oct 24-25<br>Busan, South Korea
|http://isyou.info/conf/mist13/index.htm
|-
|4th Annual Open Source Digital Forensics Conference (OSDF)
|Nov 04-05<br>Chantilly, VA
|http://www.basistech.com/about-us/events/open-source-forensics-conference/
|-
|Paraben Forensic Innovations Conference
|Nov 13-15<br>Salt Lake City, UT
|http://www.pfic-conference.com/
|-
|8th International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE)
|Nov 21-22<br>Hong Kong, China
|http://conf.ncku.edu.tw/sadfe/sadfe13/
|-
|Black Hat-Regional Summit
|Nov 26-27<br>Sao Paulo, Brazil
|https://www.blackhat.com/sp-13
|-
|29th Annual Computer Security Applications Conference (ACSAC)
|Dec 09-13<br>New Orleans, LA
|http://www.acsac.org
|-
|IFIP WG 11.9 International Conference on Digital Forensics
|Jan 08-10<br>Vienna, Austria
|http://www.ifip119.org/Conferences/
|-
|AAFS 66th Annual Scientific Meeting
|Feb 17-22<br>Seattle, WA
|http://www.aafs.org/aafs-66th-annual-scientific-meeting
|-
|21st Network & Distributed System Security Symposium
|Feb 23-26<br>San Diego, CA
|http://www.internetsociety.org/events/ndss-symposium-2014/
|-
|9th International Conference on Cyber Warfare and Security (ICCWS-2014)
|Mar 24-25<br>West Lafayette, IN
|http://academic-conferences.org/iciw/iciw2014/iciw14-home.htm
|-
|2014 IEEE Symposium on Security and Privacy
|May 16-23<br>Berkeley, CA
|http://www.ieee.org/conferences_events/conferences/conferencedetails/index.html?Conf_ID=16517
|-
|Techno-Security and Forensics Conference
|Jun 01-04<br>Myrtle Beach, SC
|http://www.techsec.com/html/Security%20Conference%202014.html
|-
|Mobile Forensics World
|Jun 01-04<br>Myrtle Beach, SC
|http://www.techsec.com/html/MFC-2014-Spring.html
|-
|}

==See Also==
* [[Training Courses and Providers]]

==References==
* [http://faculty.cs.tamu.edu/guofei/sec_conf_stat.htm Computer Security Conference Ranking and Statistic]
* [http://www.kdnuggets.com/meetings/ Meetings and Conferences in Data Mining and Discovery]
* [http://www.conferencealerts.com/data.htm Data Mining Conferences World-Wide]

= Windows Registry =

==File Locations==
The Windows Registry is stored in multiple files (hives); which files exist, in which format, and where they live depends on the Windows version.

===Windows NT 4===
In Windows NT 4 (and later) the Registry is stored in the [[Windows NT Registry File (REGF)]] format.

The Registry hives are stored in the following files (paths as on Windows 2000/XP; the Windows directory is C:\WINNT on NT 4 and 2000, and on Windows Vista and later the profile directory is \Users\<user profile> instead of \Documents and Settings\<user profile>):

* HKEY_USERS\<SID> (the logged-on user's copy is also mounted as HKEY_CURRENT_USER): \Documents and Settings\<user profile>\NTUSER.DAT
* HKEY_USERS\<SID>_Classes (HKEY_CURRENT_USER\Software\Classes): \Documents and Settings\<user profile>\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
* HKEY_USERS\.DEFAULT: C:\Windows\system32\config\default
* HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
* HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
* HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
* HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system

Each hive file is accompanied by transaction log files (<hive>.LOG; <hive>.LOG1 and <hive>.LOG2 on Windows Vista and later). When the two sequence numbers in the hive's base block differ, the hive was not written out cleanly and the most recent changes exist only in the logs; a tool that ignores the logs then shows stale data for those keys.

===Windows 98/ME===
Windows 95/98/ME use the older Windows 9x Registry file format (signature "CREG"), which is a different format from REGF:

* \Windows\user.dat
* \Windows\system.dat
* \Windows\profiles\<user profile>\user.dat
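Added example (my code, not code from this wiki page or from any tool listed on it): a Python parser for the REGF base block, the first 4096 bytes of a hive file, that a practitioner can run against a copied hive to confirm it is a REGF hive, read its embedded name and last-written time, verify the header checksum and detect a hive that was not flushed cleanly. Field offsets follow the public REGF format descriptions cited in the bibliography below; the sample header is constructed in the code (its file name and timestamp are made up), and the checksum special cases (a result of 0 stored as 1, 0xFFFFFFFF stored as 0xFFFFFFFE) are as Windows computes them.

```python
"""Check the base block (first 4096 bytes) of a REGF hive file.

Added example for this page, not code from the wiki or from a tool listed on
it. Field offsets follow the public REGF format descriptions cited in the
bibliography below; the sample header is constructed, not taken from a real
hive."""
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 4096
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def regf_checksum(block: bytes) -> int:
    """XOR of the 127 little-endian DWORDs in bytes 0..507. Windows stores
    0xFFFFFFFE instead of 0xFFFFFFFF and 1 instead of 0."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        x ^= dword
    return {0xFFFFFFFF: 0xFFFFFFFE, 0: 1}.get(x, x)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_base_block(block: bytes) -> dict:
    """Return the base block fields plus two integrity verdicts."""
    if len(block) < BASE_BLOCK_SIZE or block[:4] != b"regf":
        raise ValueError("not a REGF hive: 'regf' signature missing")
    (seq1, seq2, last_written, major, minor, file_type, file_format,
     root_cell, hbins_size) = struct.unpack_from("<IIQIIIIII", block, 4)
    # Offset 48: 64 bytes of UTF-16LE, NUL padded, holding (the tail of) the
    # hive's path; useful when a hive was copied out under another name.
    name = block[48:112].decode("utf-16-le").split("\x00", 1)[0]
    (stored_checksum,) = struct.unpack_from("<I", block, 508)
    return {
        "primary_sequence": seq1,
        "secondary_sequence": seq2,
        "last_written": filetime_to_datetime(last_written),
        "version": "%d.%d" % (major, minor),
        "file_type": file_type,         # 0 = primary hive file, 1 = transaction log
        "file_format": file_format,
        "root_cell_offset": root_cell,  # relative to the first hbin at file offset 0x1000
        "hbins_data_size": hbins_size,
        "file_name": name,
        "checksum_ok": stored_checksum == regf_checksum(block),
        # Windows increments the primary sequence number before writing the
        # hive and the secondary one after the write completed; a mismatch
        # means the latest changes are only in the .LOG/.LOG1/.LOG2 files.
        "clean": seq1 == seq2,
    }


def build_sample_base_block(seq1: int, seq2: int) -> bytes:
    """Constructed SAM-style header for the demo (not from a real system)."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[0:4] = b"regf"
    written = datetime_to_filetime(datetime(2013, 7, 20, 0, 40, tzinfo=timezone.utc))
    # major 1, minor 3, type 0 (hive), format 1, root cell at hbin+0x20, one 4 KiB hbin
    struct.pack_into("<IIQIIIIII", block, 4, seq1, seq2, written, 1, 3, 0, 1, 0x20, 0x1000)
    block[48:112] = "\\SystemRoot\\System32\\Config\\SAM".encode("utf-16-le").ljust(64, b"\x00")
    struct.pack_into("<I", block, 508, regf_checksum(bytes(block)))
    return bytes(block)


if __name__ == "__main__":
    for label, blk in (("clean", build_sample_base_block(12, 12)),
                       ("dirty", build_sample_base_block(13, 12))):
        info = parse_base_block(blk)
        print(label, info["file_name"], info["last_written"],
              "clean=%s checksum_ok=%s" % (info["clean"], info["checksum_ok"]))
```

Against a real file, call parse_base_block(open(path, "rb").read(4096)). A False under "clean" is not corruption by itself; it is common for a hive copied from a running system and simply means the transaction logs have to be replayed before the hive's content can be trusted.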
  
== Keys ==
=== Run/RunOnce ===
Values under these keys name programs that Windows starts at logon: the machine-wide keys apply to every user, the per-user keys only to that user. Windows deletes a RunOnce value before running its command, so a RunOnce entry that has already fired is no longer in the hive.

System-wide:
<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
</pre>

Per user:
<pre>
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
</pre>

On 64-bit Windows the Registry redirector gives 32-bit programs their own copy of the machine-wide keys under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion, so both locations have to be examined (see the WoW64 references under See Also).
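Added example (my code, not code from the page): Python triage of Run/RunOnce values once they have been extracted from the keys above, for instance with RegRipper or python-registry. It goes slightly beyond the two keys listed by also naming the Wow6432Node copies that 64-bit Windows keeps for 32-bit programs. The sample entries, the environment variables of the examined system and the list of trusted directories are all constructed or assumed for the demonstration and have to be adapted per case.

```python
"""Triage Run/RunOnce values once they have been pulled from the keys above
(with RegRipper, python-registry or similar).

Added example, not code from the page. The entries, the environment of the
examined system and the trusted-directory list are constructed/assumed."""
import ntpath
import re

RUN_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    # 64-bit Windows: 32-bit programs are redirected to these copies
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
]

# Assumed environment of the examined system: offline analysis has no live
# environment to expand %VAR% against, so it has to be reconstructed.
ENV = {"SYSTEMROOT": r"C:\Windows", "PROGRAMFILES": r"C:\Program Files",
       "APPDATA": r"C:\Users\alice\AppData\Roaming"}
# Assumed: directories only administrators can write to on this system.
TRUSTED_DIRS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")
PROGRAM_EXT = (".exe", ".dll", ".com", ".bat", ".cmd", ".scr")

# Constructed sample values: (key, value name, value data).
SAMPLE_ENTRIES = [
    (RUN_KEYS[0], "SecurityHealth", r"%SystemRoot%\system32\SecurityHealthSystray.exe"),
    (RUN_KEYS[4], "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (RUN_KEYS[5], "update", r"rundll32.exe %APPDATA%\svc\upd.dll,Start"),
    (RUN_KEYS[2], "Vendor Agent", r"C:\Program Files (x86)\Vendor Agent\agent.exe -tray"),
]


def expand_env(s: str) -> str:
    """Expand %VAR% from the reconstructed environment; unknown ones stay."""
    return re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1).upper(), m.group(0)), s)


def split_command(command: str):
    """Return (program, quoted). A quoted first argument is the program;
    otherwise CreateProcess tries each space-delimited prefix in turn, so
    take the first prefix that ends in a program extension."""
    command = expand_env(command.strip())
    if command.startswith('"'):
        return command[1:].split('"', 1)[0], True
    tokens = command.split(" ")
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(PROGRAM_EXT):
            return candidate, False
    return tokens[0], False


def executable_of(command: str):
    """Program that actually runs: for rundll32.exe <dll>,<entry> it is the DLL."""
    program, quoted = split_command(command)
    if ntpath.basename(program).lower() == "rundll32.exe":
        expanded = expand_env(command.strip())
        rest = expanded[expanded.lower().index("rundll32.exe") + len("rundll32.exe"):]
        if rest.startswith('"'):          # closing quote of a quoted rundll32 path
            rest = rest[1:]
        return split_command(rest.lstrip().split(",", 1)[0])
    return program, quoted


def triage(entries):
    """entries: (key, value name, command) triples. Returns a record per entry
    with the reasons it deserves a closer look; no reasons means nothing
    unusual was spotted, not that the entry is benign."""
    trusted = tuple(d.lower() + "\\" for d in TRUSTED_DIRS)
    results = []
    for key, name, command in entries:
        program, quoted = executable_of(command)
        reasons = []
        if not program.lower().startswith(trusted):
            reasons.append("program outside the trusted directories")
        if not quoted and " " in program:
            reasons.append("unquoted path with spaces (ambiguous program path)")
        if key.upper().endswith("\\RUNONCE"):
            reasons.append("RunOnce: deleted by Windows before it runs, so a later image will not show it")
        results.append({"key": key, "name": name, "program": program, "reasons": reasons})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_ENTRIES):
        print(r["name"], "->", r["program"], r["reasons"] or "ok")
```

A hit on "outside the trusted directories" is a prompt to look, not a verdict: per-user installers such as the OneDrive entry in the sample legitimately run from the profile, which is also where malware prefers to live.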
== Special cases ==
The Windows Registry has several special cases, mainly concerning key and value names, that are easy to overlook when writing or using a hive parser:

* special characters in key and value names
* duplicate key and value names
* names stored in extended ASCII (ANSI strings) are encoded in a codepage that depends on the settings of the system that wrote the hive

=== special characters in key and value names ===
Key and value names are compared case-insensitively. The \ character separates the key names in a key path, so it cannot appear inside a key name, but it can appear inside a value name. The / character can appear in both key and value names, so it must not be treated as a separator. Some examples:
<pre>
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters\
Value: Size/Small/Medium/Large
</pre>

<pre>
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc\
Value: \Device\Video0
</pre>

<pre>
Key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1\
Value: SchemaFile
</pre>

A consequence for tools that print "key\value" paths: a string such as HKEY_LOCAL_MACHINE\...\VIDEO\disc\\Device\Video0 cannot be split back into key and value by looking for the last \. Duplicate names (two subkeys, or two values, whose names compare equal) can also occur in a hive, so a parser must not assume that a name is unique within its parent.
=== codepaged ASCII strings ===
A value named "ëigenaardig", created on Windows XP with codepage 1252, is stored in the following value key (vk) cell (dump and field listing as produced by a hive parser):

<pre>
value key data:
00000000: 76 6b 0b 00 46 00 00 00  20 98 1a 00 01 00 00 00   vk..F...  .......
00000010: 01 00 69 6e eb 69 67 65  6e 61 61 72 64 69 67 00   ..in.ige naardig.
00000020: 55 4e 49 43                                        UNIC

value key signature                     : vk
value key value name size               : 11
value key data size                     : 0x00000046 (70)
value key data offset                   : 0x001a9820
value key data type                     : 1 (REG_SZ) String
value key flags                         : 0x0001
        Value name is an ASCII string

value key unknown1                      : 0x6e69 (28265)
value key value name                    : ëigenaardig
value key value name hash               : 0xb78835ee
value key padding:
00000000: 00 55 4e 49 43                                     .UNIC
</pre>

The flag 0x0001 tells the parser that the name is stored one byte per character instead of as UTF-16LE. The byte 0xEB at offset 20 is "ë" only under codepage 1252; the hive does not record which codepage was in use, so a tool decoding the name has to be told the ANSI codepage of the source system, otherwise every byte above 0x7F decodes to a different character or fails to decode. Names that contain only ASCII are unaffected, which is why the problem is easy to miss.
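Added example serving both the special-characters and the codepaged-name sections above (my code, not the page's and not libregf's): a Python parser for the vk cell shown in the dump, applied with the right and with a wrong codepage, plus a value lookup that compares the whole name case-insensitively so that a name like \Device\Video0 is never mistaken for a key path. The vk layout follows the public REGF format descriptions cited in the bibliography below; the two additional cells and the cp1251 decoding are constructed for the demonstration.

```python
"""Parse value key (vk) cells and look values up by name.

Added example, not code from the wiki page or from libregf. The vk layout
follows the public REGF format descriptions cited in the bibliography below;
PAGE_VK_CELL is the cell from the dump above, the other cells are
constructed."""
import struct

VALUE_COMP_NAME = 0x0001  # vk flag: name stored as one byte per character (ANSI codepage)
REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}

# The 36 bytes of the "ëigenaardig" vk cell from the dump above, without the
# 4-byte cell size that precedes every cell in an hbin.
PAGE_VK_CELL = bytes.fromhex(
    "766b0b0046000000" "20981a0001000000" "0100696eeb696765"
    "6e61617264696700" "554e4943")


def parse_vk(cell: bytes, codepage: str = "cp1252") -> dict:
    """cell: a vk record starting at its 'vk' signature.
    codepage: ANSI codepage of the system that wrote the hive. It is not
    recorded anywhere in the hive, so the analyst has to supply it (cp1252
    for the XP system above); a wrong one silently yields a different name."""
    if cell[:2] != b"vk":
        raise ValueError("not a vk cell")
    name_size, data_size, data_offset, data_type, flags, spare = \
        struct.unpack_from("<HIIIHH", cell, 2)
    raw_name = cell[20:20 + name_size]
    if flags & VALUE_COMP_NAME:
        name = raw_name.decode(codepage)      # one byte per character
    else:
        name = raw_name.decode("utf-16-le")   # two bytes per character, codepage independent
    return {
        "name": name,
        "raw_name": raw_name,
        "data_type": data_type,
        "type_name": REG_TYPES.get(data_type, "0x%x" % data_type),
        # high bit set: the data (4 bytes or less) sits in the offset field itself
        "data_is_inline": bool(data_size & 0x80000000),
        "data_size": data_size & 0x7FFFFFFF,
        "data_offset": data_offset,           # otherwise relative to the first hbin
        "flags": flags,
        "spare": spare,                       # "unknown1" above: 0x6e69, leftover bytes "in"
    }


def build_vk(name: str, ascii_name: bool = True, codepage: str = "cp1252") -> bytes:
    """Constructed vk cell carrying an inline REG_DWORD, for the demo only."""
    raw = name.encode(codepage if ascii_name else "utf-16-le")
    flags = VALUE_COMP_NAME if ascii_name else 0
    cell = b"vk" + struct.pack("<HIIIHH", len(raw), 0x80000004, 0, 4, flags, 0) + raw
    return cell + bytes(-len(cell) % 8)       # cells are padded to 8-byte multiples


# Constructed value list of one key: the page's cell, the "\Device\Video0"
# value from the Terminal Server example, and the odd name again in UTF-16LE.
SAMPLE_CELLS = [PAGE_VK_CELL, build_vk("\\Device\\Video0"),
                build_vk("ëigenaardig", ascii_name=False)]


def find_value(cells, wanted: str, codepage: str = "cp1252"):
    """Compare the whole name case-insensitively. '\\' separates the key path
    but is legal inside a value name, so the name is never split on it;
    str.upper() stands in for Windows' uppercase comparison."""
    wanted = wanted.upper()
    for cell in cells:
        vk = parse_vk(cell, codepage)
        if vk["name"].upper() == wanted:
            return vk
    return None


if __name__ == "__main__":
    for cp in ("cp1252", "cp1251"):
        print(cp, parse_vk(PAGE_VK_CELL, cp)["name"])   # ëigenaardig / лigenaardig
    print(find_value(SAMPLE_CELLS, "\\DEVICE\\VIDEO0")["raw_name"])
```

Decoding the same cell as cp1251 gives "лigenaardig" with no error, which is the failure mode to watch for: a hive from a machine with a non-Western ANSI codepage looks fine until a name with bytes above 0x7F is compared against what the user actually saw.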
==Tools==
===Open Source===
* [https://www.pinguin.lu/index.php Forensic Registry EDitor (fred)] - "Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor" by [[Daniel Gillen]]
* [http://projects.sentinelchicken.org/data/doc/reglookup/regfi/ libregfi] - The regfi library is a read-only NT registry library which serves as the main engine behind the reglookup tool
* [http://projects.sentinelchicken.org/reglookup/ reglookup] - "small command line utility for reading and querying Windows NT-based registries."
* [http://sourceforge.net/projects/regviewer/ regviewer] - a tool for looking at the registry.
* [[Regripper|RegRipper]] - "the fastest, easiest, and best tool for registry analysis in forensics examinations."
* [http://search.cpan.org/~jmacfarla/Parse-Win32Registry-0.51/lib/Parse/Win32Registry.pm Parse::Win32Registry] - Perl module.
* [http://www.williballenthin.com/registry/index.html python-registry] - Python module.
* [http://code.google.com/p/registrydecoder/ Registry Decoder] - offline analysis component, by [[Andrew Case]]
* [http://code.google.com/p/registrydecoder/ RegDecoderLive] - live hive acquisition component, by [[Andrew Case]]
* [[libregf]] - Library and tools to access the Windows NT Registry File (REGF) format
* [[Registryasxml]] - Tool to import/export registry sections as XML
* [http://samba.org/~jelmer/kregedit/ kregedit] - a KDE utility for viewing and editing registry files.
* [http://www.bindview.com/Services/RAZOR/Utilities/Unix_Linux/ntreg_readme.cfm ntreg] - a file system driver for Linux which understands the NT registry file format.

===Freeware===
* [http://www.tzworks.net/prototype_page.php?proto_id=3 Yet Another Registry Utility (yaru)] - Free tool that can be run on Windows, Linux or Mac OS X. If run in admin mode, allows viewing of registry hives on a live system.
* [http://www.tzworks.net/prototype_page.php?proto_id=14 Windows ShellBag Parser] - Free tool that can be run on Windows, Linux or Mac OS X.
* [http://tzworks.net/prototype_page.php?proto_id=19 ''cafae''] - Computer Account Forensic Artifact Extractor. Free tool that can be run on Windows, Linux or Mac OS X to parse ntuser.dat hives.

===Commercial===
* [http://www.abexo.com/free-registry-cleaner.htm Abexo Free Registry Cleaner]
* [http://www.auslogics.com/registry-defrag Auslogics Registry Defrag]
* [http://lastbit.com/arv/ Alien Registry Viewer]
* [http://www.larshederer.homepage.t-online.de/erunt/index.htm NT Registry Optimizer]
* [http://www.registry-clean.net/free-registry-defrag.htm iExpert Software-Free Registry Defrag]
* [http://arsenalrecon.com/apps Registry Recon]
* [http://paullee.ru/regundel Registry Undelete (Russian)]
* [http://mitec.cz/wrr.html Windows Registry Recovery]
* [http://registrytool.com/ Registry Tool]

==Bibliography==
* [http://www.dfrws.org/2009/proceedings/p69-zhu.pdf Using ShellBag Information to Reconstruct User Activities], by Yuandong Zhu, Pavel Gladyshev, Joshua James, DFRWS 2009
* [http://www.sentinelchicken.com/research/registry_format/ The Windows NT Registry File Format], by [[Timothy Morgan]], June 9, 2009
* [http://amnesia.gtisc.gatech.edu/~moyix/suzibandit.ltd.uk/MSc/ The Internal Structure of the Windows Registry], by Peter Norris, February 2009
* [http://www.dfrws.org/2008/proceedings/p33-morgan.pdf Recovering Deleted Data From the Windows Registry] and [http://www.dfrws.org/2008/proceedings/p33-morgan_pres.pdf slides], by [[Timothy Morgan]], DFRWS 2008
* [http://dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf Forensic Analysis of the Windows Registry in Memory] and [http://dfrws.org/2008/proceedings/p26-dolan-gavitt_pres.pdf slides], by Brendan Dolan-Gavitt, DFRWS 2008
* [http://www.sentinelchicken.com/data/JolantaThomassenDISSERTATION.pdf Forensic analysis of unallocated space in Windows Registry Hive files], by Jolanta Thomassen, March 11, 2008
* [http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CW4-4GX1J3B-1&_user=3326500&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000060280&_version=1&_urlVersion=0&_userid=3326500&md5=ab887593e7be6d5257696707886978f1 The Windows Registry as a forensic resource], Digital Investigation, Volume 2, Issue 3, September 2005, pp. 201-205.

=== Undated ===
* [http://eptuners.com/forensics/A%20Windows%20Registry%20Quick%20Reference.pdf A Windows Registry Quick-Reference], by Derrick Farmer, Burlington, VT.
* [http://www.forensicfocus.com/downloads/forensic-analysis-windows-registry.pdf Forensic Analysis of the Windows Registry], by Lih Wern Wong, School of Computer and Information Science, Edith Cowan University

==See Also==
* [http://en.wikipedia.org/wiki/Windows_Registry Wikipedia: Windows Registry]
* [http://windowsir.blogspot.com/search/label/Registry Windows Incident Response Articles on Registry]
* [http://www.answers.com/topic/win-registry Windows Registry Information]
* [http://moyix.blogspot.com/search/label/registry Push the Red Button] - Articles on Registry
* [http://www.beginningtoseethelight.org/ntsecurity/ Security Accounts Manager]
* [http://www.forensicfocus.com/downloads/windows-registry-quick-reference.pdf A Windows Registry Quick Reference: For the Everyday Examiner], by Derrick J. Farmer

=== Windows 32-bit on Windows 64-bit (WoW64) ===
* [http://msdn.microsoft.com/en-us/library/aa384253(v=vs.85).aspx Registry Keys Affected by WOW64], by [[Microsoft]]
* [http://msdn.microsoft.com/en-us/library/aa384232(VS.85).aspx Registry Redirector], by [[Microsoft]]

[[Category:Windows Analysis]]
[[Category:Bibliographies]]

Revision as of 00:40, 20 July 2013
