Difference between pages "Tools:Visualization" and "Windows Registry"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (Commercial Tools)
 
(Special cases)
 
Line 1: Line 1:
Although not strictly for forensic purposes, '''visualization tools''' such as the ones discussed here can be very useful for visualizing large data sets. As forensic practitioners need to process more and more data, it is likely that some of the techniques implemented by these tools will need to be adopted.
+
==File Locations==
 +
The Windows Registry is stored in multiple files.
  
=Open Source Visualization Toolkits=
+
===Windows NT 4 ===
 +
In Windows NT 4 (and later) the Registry is stored in the [[Windows NT Registry File (REGF)]] format.
  
; [http://public.kitware.com/VTK/ The Visualization Toolkit]
+
Basically the following Registry hives are stored in the corresponding files:
: C++ multi-platform with interfaces available for Tcl/Tk, Java and Python. Professional support provided by [http://www.kitware.com/ Kitware].
+
* HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
 +
* HKEY_USERS\DEFAULT: C:\Windows\system32\config\default
 +
* HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
 +
* HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
 +
* HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
 +
* HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system
  
; [http://www.graphviz.org/ Graphviz]
+
===Windows 98/ME===
: Originally developed by the [http://public.research.att.com/areas/visualization/ AT&T Information Visualization Gorup], designed for drawing connected graphs of nodes and edges. Neato is a similar system but does layout based on a spring model. Can produce output as [[PostScript]], [[PNG]], [[GIF]], or as an annotated graph file with the locations of all of the objects---ideal for drawing in a GUI. Runs from the command line on [[Unix]], [[Windows]] and [[Mac]], although there is also a [http://www.pixelglow.com/graphviz/ MacOS GUI version].
+
* \Windows\user.dat
 +
* \Windows\system.dat
 +
* \Windows\profiles\user profile\user.dat
  
; [http://www.opendx.org/ OpenDX]
+
== Keys ==
: Based on IBM's Visualization Data Explorer, runs on [[Unix]]/X11/Motif.
+
  
; [http://www.ssec.wisc.edu/~billh/visad.html#intro VisAD]
+
=== Run/RunOnce ===
: A Java component library for interactive and collaborative visualization.
+
System-wide:
 +
<pre>
 +
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 +
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
 +
</pre>
  
==Graph Drawing Tools==
+
Per user:
 +
<pre>
 +
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 +
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
 +
</pre>
  
; [http://www.informatik.uni-bremen.de/uDrawGraph/en/uDrawGraph/uDrawGraph.html uDrawGraph]
+
== Special cases ==
 +
The Windows Registry has several special case scenarios, mainly concerning key and value name, that are easy to fail to account for:
 +
* special characters key and value names
 +
* duplicate key and value names
 +
* the names when stored in extended ASCII (ANSI string) use a codepage that is dependent on the system settings
  
=Commercial Tools=
+
=== special characters key and value names ===
 +
Both key and values names are case insensitive. The \ character is used as the key separator. Note
 +
that the \ character can be used in value names. The / character is used in both key and value names.
 +
Some examples of which are:
 +
<pre>
 +
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters\
 +
Value: Size/Small/Medium/Large
 +
</pre>
  
; [http://www.aisee.com/ aiSee Graph Layout Software]
+
<pre>
: Supports 15 layout algorithms, recursive graph nesting, and easy printing. Runs on [[Windows]], [[Linux]], [[Solaris]], [[NetBSD]], and [[MacOS]]. 30-day trial and free registered versions available. Academic pricing available.
+
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc\
 +
Value: \Device\Video0
 +
</pre>
  
; [http://www.tomsawyer.com/ Tom Sawyer Software] Analysis, Visualizaiton, and Layout programs.
+
<pre>
: Heavy support for drawing graphs. Beautiful gallery. ActiveX, Java, C++ and .NET editions.
+
Key:
 +
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1\
 +
Value: SchemaFile
 +
</pre>
  
; [http://www.geomantics.com/ Geomantics]
+
=== codepaged ASCII strings ===
: Geographical, Visualization and Graphics software. Runs on [[Windows]].
+
  
; [http://www.kylebank.com/ Graphis 2D and 3D graphing software]
+
Value with name "ëigenaardig" created on Windows XP codepage 1252.
: Runs on [[Windows]]. Free 30-day evaluation copy available.
+
  
;[http://www.openviz.com/ OpenViz] and [http://www.powerviz.com/ PowerViz]
+
<pre>
: Both from Advanced Visual Systems, super high-end visualization toolkits. $$$$
+
value key data:
 +
00000000: 76 6b 0b 00 46 00 00 00  20 98 1a 00 01 00 00 00  vk..F...  .......
 +
00000010: 01 00 69 6e eb 69 67 65  6e 61 61 72 64 69 67 00  ..in.ige naardig.
 +
00000020: 55 4e 49 43                                        UNIC
  
=Other Resources=
+
value key signature                    : vk
 +
value key value name size              : 11
 +
value key data size                    : 0x00000046 (70)
 +
value key data offset                  : 0x001a9820
 +
value key data type                    : 1 (REG_SZ) String
 +
value key flags                        : 0x0001
 +
        Value name is an ASCII string
  
; [http://www.palgrave-journals.com/ivs/index.html Information Visualization Journal]
+
value key unknown1                      : 0x6e69 (28265)
 +
value key value name                    : ëigenaardig
 +
value key value name hash              : 0xb78835ee
 +
value key padding:
 +
00000000: 00 55 4e 49 43                                    .UNIC
 +
</pre>
  
; [http://www.msi.umn.edu/user_support/scivis/scivis-list.html Scientific Visualization at the Supercomputing Institute]
+
As you can see the name is stored in extended ASCII (ANSI) using codepage 1252.
  
; [http://directory.google.com/Top/Science/Math/Combinatorics/Software/Graph_Drawing/ Google Directory of Graph Drawing Software]
+
==Tools==
 +
===Open Source===
 +
* [https://www.pinguin.lu/index.php Forensic Registry EDitor (fred)] - "Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor" by [[Daniel Gillen]]
 +
* [http://projects.sentinelchicken.org/data/doc/reglookup/regfi/ libregfi] - The regfi library is a read-only NT registry library which serves as the main engine behind the reglookup tool
 +
* [http://projects.sentinelchicken.org/reglookup/ reglookup] — "small command line utility for reading and querying Windows NT-based registries."
 +
* [http://sourceforge.net/projects/regviewer/ regviewer] — a tool for looking at the registry.
 +
* [[Regripper|RegRipper]] — "the fastest, easiest, and best tool for registry analysis in forensics examinations."
 +
* [http://search.cpan.org/~jmacfarla/Parse-Win32Registry-0.51/lib/Parse/Win32Registry.pm Parse::Win32Registry] Perl module.
 +
* [http://www.williballenthin.com/registry/index.html python-registry] Python module.
 +
* [http://code.google.com/p/registrydecoder/ Registry Decoder] offline analysis component, by [[Andrew Case]]
 +
* [http://code.google.com/p/registrydecoder/ RegDecoderLive] live hive acquisition component, by [[Andrew Case]]
 +
* [[libregf]] - Library and tools to access the Windows NT Registry File (REGF) format
 +
* [[Registryasxml]] - Tool to import/export registry sections as XML
  
; [http://rw4.cs.uni-sb.de/~diehl/softvis/seminar/index.php?goto=seminar ACM Symposium on Software Visualization]
+
===Freeware===
: May give you some ideas.
+
* [http://www.tzworks.net/prototype_page.php?proto_id=3 Yet Another Registry Utility (yaru)] Free tool that can be run on Windows, Linux or Mac OS-X. If run in admin mode, allows viewing of registry hives on live system.
  
; [http://directory.fsf.org/science/visual/ GNU Free Software directory of scientific visualization software]
+
* [http://www.tzworks.net/prototype_page.php?proto_id=14 Windows ShellBag Parser] Free tool that can be run on Windows, Linux or Mac OS-X.
 +
 
 +
* [http://tzworks.net/prototype_page.php?proto_id=19 ''cafae''] - Computer Account Forensic Artifact Extractor.  Free tool that can be run on Windows, Linux or Mac OS-X to parse ntuser.dat hives.
 +
 
 +
===Commercial===
 +
* [http://www.abexo.com/free-registry-cleaner.htm Abexo Free Regisry Cleaner]
 +
* [http://www.auslogics.com/registry-defrag Auslogics Registry Defrag]
 +
* [http://lastbit.com/arv/ Alien Registry Viewer]
 +
* [http://www.larshederer.homepage.t-online.de/erunt/index.htm NT Registry Optimizer]
 +
* [http://www.registry-clean.net/free-registry-defrag.htm iExpert Software-Free Registry Defrag]
 +
* [http://paullee.ru/regundel Registry Undelete (russian)]
 +
* [http://mitec.cz/wrr.html Windows Registry Recovery]
 +
* [http://registrytool.com/ Registry Tool]
 +
 
 +
==Bibliography==
 +
* [http://www.dfrws.org/2009/proceedings/p69-zhu.pdf Using ShellBag Information to Reconstruct User Activities.], Yuandong Zhu*, Pavel Gladyshev, Joshua James, DFRWS 2009
 +
* Recovering Deleted Data From the Windows Registry. Timothy Morgan, DFRWS 2008 [http://www.dfrws.org/2008/proceedings/p33-morgan.pdf [paper]] [http://www.dfrws.org/2008/proceedings/p33-morgan_pres.pdf [slides]]
 +
* [http://www.pkdavies.co.uk/documents/Computer_Forensics/registry_examination.pdf Registry Examination, by Paul Davies]
 +
 
 +
* [http://dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf Forensic Analysis of the Windows Registry in Memory], Brendan Dolan-Gavitt, DFRWS 2008  [http://dfrws.org/2008/proceedings/p26-dolan-gavitt_pres.pdf [slides]]
 +
* [http://www.pkdavies.co.uk/downloads/registry_examination.pdf Forensic Analysis of the Windows Registry], Peter Davies, Computer Forensics: Coursework 2 (student paper)
 +
* [http://eptuners.com/forensics/A%20Windows%20Registry%20Quick%20Reference.pdf A Windows Registry Quick-Reference], Derrick Farmer, Burlington, VT.
 +
 
 +
* [http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CW4-4GX1J3B-1&_user=3326500&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000060280&_version=1&_urlVersion=0&_userid=3326500&md5=ab887593e7be6d5257696707886978f1 The Windows Registry as a forensic resource], Digital Investigation, Volume 2, Issue 3, September 2005, Pages 201--205.
 +
 
 +
* [http://www.forensicfocus.com/downloads/forensic-analysis-windows-registry.pdf Forensic Analysis of the Windows Registry], Lih Wern Wong , School of Computer and Information Science, Edith Cowan University
 +
 
 +
* [http://www.sentinelchicken.com/research/registry_format/ The Windows NT Registry File Format], Timothy D. Morgan
 +
 
 +
==See Also==
 +
* [http://windowsir.blogspot.com/search/label/Registry Windows Incident Response Articles on Registry]
 +
* [http://www.answers.com/topic/win-registry Windows Registry Information]
 +
* [http://en.wikipedia.org/wiki/Windows_Registry Wikipedia Article on Windows Registry]
 +
[[Category:Bibliographies]]
 +
* [http://moyix.blogspot.com/search/label/registry Push the Red Button] — Articles on Registry
 +
* [http://tech.groups.yahoo.com/group/win4n6/ Windows Forensics Mailing List]
 +
* [http://samba.org/~jelmer/kregedit/ kregedit] - a KDE utility for viewing and editing registry files.
 +
* [http://www.bindview.com/Services/RAZOR/Utilities/Unix_Linux/ntreg_readme.cfm ntreg] a file system driver for linux, which understands the NT registry file format.
 +
* [http://www.beginningtoseethelight.org/ntsecurity/ Security Accounts Manager]
 +
 
 +
* http://www.opensourceforensics.org/tools/unix.html - Open Source Forensic Tools on Brian Carrier's website.
 +
 
 +
[[Category:Windows Analysis]]

Revision as of 01:39, 20 August 2012

File Locations

The Windows Registry is stored in multiple files.

Windows NT 4

In Windows NT 4 (and later) the Registry is stored in the Windows NT Registry File (REGF) format.

Basically the following Registry hives are stored in the corresponding files:

  • HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
  • HKEY_USERS\DEFAULT: C:\Windows\system32\config\default
  • HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
  • HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
  • HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
  • HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system

Windows 98/ME

  • \Windows\user.dat
  • \Windows\system.dat
  • \Windows\profiles\user profile\user.dat

Keys

Run/RunOnce

System-wide:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Per user:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Special cases

The Windows Registry has several special case scenarios, mainly concerning key and value name, that are easy to fail to account for:

  • special characters key and value names
  • duplicate key and value names
  • the names when stored in extended ASCII (ANSI string) use a codepage that is dependent on the system settings

special characters key and value names

Both key and values names are case insensitive. The \ character is used as the key separator. Note that the \ character can be used in value names. The / character is used in both key and value names. Some examples of which are:

Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters\
Value: Size/Small/Medium/Large
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc\
Value: \Device\Video0
Key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1\
Value: SchemaFile

codepaged ASCII strings

Value with name "ëigenaardig" created on Windows XP codepage 1252.

value key data:
00000000: 76 6b 0b 00 46 00 00 00  20 98 1a 00 01 00 00 00   vk..F...  .......
00000010: 01 00 69 6e eb 69 67 65  6e 61 61 72 64 69 67 00   ..in.ige naardig.
00000020: 55 4e 49 43                                        UNIC

value key signature                     : vk
value key value name size               : 11
value key data size                     : 0x00000046 (70)
value key data offset                   : 0x001a9820
value key data type                     : 1 (REG_SZ) String
value key flags                         : 0x0001
        Value name is an ASCII string

value key unknown1                      : 0x6e69 (28265)
value key value name                    : ëigenaardig
value key value name hash               : 0xb78835ee
value key padding:
00000000: 00 55 4e 49 43                                     .UNIC

As you can see the name is stored in extended ASCII (ANSI) using codepage 1252.

Tools

Open Source

Freeware

  • cafae - Computer Account Forensic Artifact Extractor. Free tool that can be run on Windows, Linux or Mac OS-X to parse ntuser.dat hives.

Commercial

Bibliography

See Also