|
|
| Line 1: |
Line 1: |
| − | ==File Locations== | + | = FreeBSD = |
| − | The Windows Registry is stored in multiple files.
| + | |
| | | | |
| − | ===Windows NT 4 ===
| + | To mount a disk image on [[FreeBSD]]: |
| − | In Windows NT 4 (and later) the Registry is stored in the [[Windows NT Registry File (REGF)]] format.
| + | |
| | | | |
| − | Basically the following Registry hives are stored in the corresponding files:
| + | First attach the image to unit #1: |
| − | * HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
| + | # mdconfig -a -t vnode -f /big3/project/images/img/67.img -u 1 |
| − | * HKEY_USERS\DEFAULT: C:\Windows\system32\config\default
| + | |
| − | * HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
| + | |
| − | * HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
| + | |
| − | * HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
| + | |
| − | * HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system
| + | |
| | | | |
| − | ===Windows 98/ME===
| + | Then mount: |
| − | * \Windows\user.dat
| + | # mount -t msdos /dev/md1s1 /mnt |
| − | * \Windows\system.dat
| + | |
| − | * \Windows\profiles\user profile\user.dat
| + | |
| | | | |
| − | == Keys ==
| + | # ls /mnt |
| | + | BOOTLOG.PRV BOOTLOG.TXT COMMAND.COM IO.SYS MSDOS.SYS |
| | | | |
| − | === Run/RunOnce ===
| + | To unmount: |
| − | System-wide:
| + | |
| − | <pre>
| + | |
| − | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| + | |
| − | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
| + | |
| − | </pre>
| + | |
| | | | |
| − | Per user:
| + | # umount /mnt |
| − | <pre>
| + | # mdconfig -d -u 1 |
| − | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| + | |
| − | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
| + | |
| − | </pre>
| + | |
| | | | |
| − | == Special cases ==
| + | To mount the image read-only, use: |
| − | The Windows Registry has several special case scenarios, mainly concerning key and value name, that most tools fail to account for:
| + | |
| − | * special characters key and value names
| + | |
| − | * duplicate key and value names
| + | |
| − | * the names when stored in extended ASCII (ANSI string) use a codepage that is dependent on the system settings
| + | |
| | | | |
| − | === special characters key and value names ===
| + | # mdconfig -o readonly -a -t vnode -f /big3/project/images/img/67.img -u 1 |
| − | Both key and values names are case insensitive. The \ character is used as the key separator. Note
| + | # mount -o ro -t msdos /dev/md1s1 /mnt |
| − | that the \ character can be used in value names. The / character is used in both key and value names.
| + | |
| − | Some examples of which are:
| + | |
| − | <pre>
| + | |
| − | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters\
| + | |
| − | Value: Size/Small/Medium/Large
| + | |
| − | </pre>
| + | |
| | | | |
| − | <pre>
| + | = Linux = |
| − | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc\
| + | |
| − | Value: \Device\Video0
| + | |
| − | </pre>
| + | |
| | | | |
| − | <pre>
| + | ==To mount a disk image on [[Linux]]== |
| − | Key:
| + | |
| − | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1\
| + | |
| − | Value: SchemaFile
| + | |
| − | </pre>
| + | |
| | | | |
| − | === codepaged ASCII strings === | + | # mount -t vfat -o loop=/dev/loop0 img.dd /mnt |
| | + | -or- |
| | + | # mount -t vfat -o loop=/dev/loop/0 img.dd /mnt |
| | | | |
| − | Value with name "ëigenaardig" created on Windows XP codepage 1252.
| |
| | | | |
| − | <pre>
| + | ==To unmount== |
| − | value key data:
| + | |
| − | 00000000: 76 6b 0b 00 46 00 00 00 20 98 1a 00 01 00 00 00 vk..F... .......
| + | |
| − | 00000010: 01 00 69 6e eb 69 67 65 6e 61 61 72 64 69 67 00 ..in.ige naardig.
| + | |
| − | 00000020: 55 4e 49 43 UNIC
| + | |
| | | | |
| − | value key signature : vk
| + | # umount /mnt |
| − | value key value name size : 11
| + | |
| − | value key data size : 0x00000046 (70)
| + | |
| − | value key data offset : 0x001a9820
| + | |
| − | value key data type : 1 (REG_SZ) String
| + | |
| − | value key flags : 0x0001
| + | |
| − | Value name is an ASCII string
| + | |
| | | | |
| − | value key unknown1 : 0x6e69 (28265)
| + | To mount the image read-only, use: |
| − | value key value name : ëigenaardig
| + | |
| − | value key value name hash : 0xb78835ee
| + | |
| − | value key padding:
| + | |
| − | 00000000: 00 55 4e 49 43 .UNIC
| + | |
| − | </pre>
| + | |
| | | | |
| − | As you can see the name is stored in extended ASCII (ANSI) using codepage 1252.
| + | # mount -t vfat -o ro,loop=/dev/loop0 img.dd /mnt |
| − | | + | |
| − | ==Tools==
| + | |
| − | ===Open Source===
| + | |
| − | * [https://www.pinguin.lu/index.php Forensic Registry EDitor (fred)] - "Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor" by [[Daniel Gillen]]
| + | |
| − | * [http://projects.sentinelchicken.org/data/doc/reglookup/regfi/ libregfi] - The regfi library is a read-only NT registry library which serves as the main engine behind the reglookup tool
| + | |
| − | * [http://projects.sentinelchicken.org/reglookup/ reglookup] — "small command line utility for reading and querying Windows NT-based registries."
| + | |
| − | * [http://sourceforge.net/projects/regviewer/ regviewer] — a tool for looking at the registry.
| + | |
| − | * [[Regripper|RegRipper]] — "the fastest, easiest, and best tool for registry analysis in forensics examinations."
| + | |
| − | * [http://search.cpan.org/~jmacfarla/Parse-Win32Registry-0.51/lib/Parse/Win32Registry.pm Parse::Win32Registry] Perl module.
| + | |
| − | * [http://www.williballenthin.com/registry/index.html python-registry] Python module.
| + | |
| − | * [http://code.google.com/p/registrydecoder/ Registry Decoder] offline analysis component, by [[Andrew Case]]
| + | |
| − | * [http://code.google.com/p/registrydecoder/ RegDecoderLive] live hive acquisition component, by [[Andrew Case]]
| + | |
| − | * [[libregf]] - Library and tools to access the Windows NT Registry File (REGF) format
| + | |
| − | * [[Registryasxml]] - Tool to import/export registry sections as XML
| + | |
| − | | + | |
| − | ===Freeware===
| + | |
| − | * [http://www.tzworks.net/prototype_page.php?proto_id=3 Yet Another Registry Utility (yaru)] Free tool that can be run on Windows, Linux or Mac OS-X. If run in admin mode, allows viewing of registry hives on live system.
| + | |
| − | | + | |
| − | * [http://www.tzworks.net/prototype_page.php?proto_id=14 Windows ShellBag Parser] Free tool that can be run on Windows, Linux or Mac OS-X.
| + | |
| − | | + | |
| − | * [http://tzworks.net/prototype_page.php?proto_id=19 ''cafae''] - Computer Account Forensic Artifact Extractor. Free tool that can be run on Windows, Linux or Mac OS-X to parse ntuser.dat hives.
| + | |
| − | | + | |
| − | ===Commercial===
| + | |
| − | * [http://www.abexo.com/free-registry-cleaner.htm Abexo Free Regisry Cleaner]
| + | |
| − | * [http://www.auslogics.com/registry-defrag Auslogics Registry Defrag]
| + | |
| − | * [http://lastbit.com/arv/ Alien Registry Viewer]
| + | |
| − | * [http://www.larshederer.homepage.t-online.de/erunt/index.htm NT Registry Optimizer]
| + | |
| − | * [http://www.registry-clean.net/free-registry-defrag.htm iExpert Software-Free Registry Defrag]
| + | |
| − | * [http://paullee.ru/regundel Registry Undelete (russian)]
| + | |
| − | * [http://mitec.cz/wrr.html Windows Registry Recovery]
| + | |
| − | * [http://registrytool.com/ Registry Tool]
| + | |
| − | | + | |
| − | ==Bibliography==
| + | |
| − | * [http://www.dfrws.org/2009/proceedings/p69-zhu.pdf Using ShellBag Information to Reconstruct User Activities.], Yuandong Zhu*, Pavel Gladyshev, Joshua James, DFRWS 2009
| + | |
| − | * Recovering Deleted Data From the Windows Registry. Timothy Morgan, DFRWS 2008 [http://www.dfrws.org/2008/proceedings/p33-morgan.pdf [paper]] [http://www.dfrws.org/2008/proceedings/p33-morgan_pres.pdf [slides]]
| + | |
| − | * [http://www.pkdavies.co.uk/documents/Computer_Forensics/registry_examination.pdf Registry Examination, by Paul Davies]
| + | |
| − | | + | |
| − | * [http://dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf Forensic Analysis of the Windows Registry in Memory], Brendan Dolan-Gavitt, DFRWS 2008 [http://dfrws.org/2008/proceedings/p26-dolan-gavitt_pres.pdf [slides]]
| + | |
| − | * [http://www.pkdavies.co.uk/downloads/registry_examination.pdf Forensic Analysis of the Windows Registry], Peter Davies, Computer Forensics: Coursework 2 (student paper)
| + | |
| − | * [http://eptuners.com/forensics/A%20Windows%20Registry%20Quick%20Reference.pdf A Windows Registry Quick-Reference], Derrick Farmer, Burlington, VT.
| + | |
| − | | + | |
| − | * [http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CW4-4GX1J3B-1&_user=3326500&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000060280&_version=1&_urlVersion=0&_userid=3326500&md5=ab887593e7be6d5257696707886978f1 The Windows Registry as a forensic resource], Digital Investigation, Volume 2, Issue 3, September 2005, Pages 201--205.
| + | |
| − | | + | |
| − | * [http://www.forensicfocus.com/downloads/forensic-analysis-windows-registry.pdf Forensic Analysis of the Windows Registry], Lih Wern Wong , School of Computer and Information Science, Edith Cowan University
| + | |
| − | | + | |
| − | * [http://www.sentinelchicken.com/research/registry_format/ The Windows NT Registry File Format], Timothy D. Morgan
| + | |
| − | | + | |
| − | ==See Also==
| + | |
| − | * [http://windowsir.blogspot.com/search/label/Registry Windows Incident Response Articles on Registry]
| + | |
| − | * [http://www.answers.com/topic/win-registry Windows Registry Information]
| + | |
| − | * [http://en.wikipedia.org/wiki/Windows_Registry Wikipedia Article on Windows Registry]
| + | |
| − | [[Category:Bibliographies]]
| + | |
| − | * [http://moyix.blogspot.com/search/label/registry Push the Red Button] — Articles on Registry
| + | |
| − | * [http://tech.groups.yahoo.com/group/win4n6/ Windows Forensics Mailing List]
| + | |
| − | * [http://samba.org/~jelmer/kregedit/ kregedit] - a KDE utility for viewing and editing registry files.
| + | |
| − | * [http://www.bindview.com/Services/RAZOR/Utilities/Unix_Linux/ntreg_readme.cfm ntreg] a file system driver for linux, which understands the NT registry file format.
| + | |
| − | * [http://www.beginningtoseethelight.org/ntsecurity/ Security Accounts Manager]
| + | |
| − | | + | |
| − | * http://www.opensourceforensics.org/tools/unix.html - Open Source Forensic Tools on Brian Carrier's website.
| + | |
| − | | + | |
| − | [[Category:Windows Analysis]]
| + | |
