
Windows Registry
From ForensicsWiki

==File Locations==
The Windows Registry is stored in multiple files.

===Windows NT 4===
In Windows NT 4 (and later) the Registry is stored in the [[Windows NT Registry File (REGF)]] format.

The following Registry hives are stored in the corresponding files:
* HKEY_USERS: \Documents and Settings\User Profile\NTUSER.DAT (one hive per user profile; the hive of the logged-on user is also mapped as HKEY_CURRENT_USER)
* HKEY_USERS\DEFAULT: C:\Windows\system32\config\default
* HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
* HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
* HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
* HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system

===Windows 98/ME===
* \Windows\user.dat
* \Windows\system.dat
* \Windows\profiles\user profile\user.dat

== Keys ==
=== Run/RunOnce ===
System-wide:
<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
</pre>

Per user:
<pre>
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
</pre>

== Special cases ==
The Windows Registry has several special cases, mainly concerning key and value names, that are easy to overlook:
* special characters in key and value names
* duplicate key and value names
* names stored as extended ASCII (ANSI) strings use a codepage that depends on the settings of the system that wrote the hive

=== special characters in key and value names ===
Both key and value names are case insensitive. The \ character is used as the key separator, but note that \ can also appear in value names, so a combined "key\value" path cannot be split on \ without knowing where the key name ends. The / character can appear in both key and value names.

Some examples:
<pre>
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters\
Value: Size/Small/Medium/Large
</pre>

<pre>
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc\
Value: \Device\Video0
</pre>

<pre>
Key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1\
Value: SchemaFile
</pre>

=== codepaged ASCII strings ===
A value named "ëigenaardig", created on Windows XP with codepage 1252:

<pre>
value key data:
00000000: 76 6b 0b 00 46 00 00 00  20 98 1a 00 01 00 00 00  vk..F...  .......
00000010: 01 00 69 6e eb 69 67 65  6e 61 61 72 64 69 67 00  ..in.ige naardig.
00000020: 55 4e 49 43                                        UNIC

value key signature                    : vk
value key value name size              : 11
value key data size                    : 0x00000046 (70)
value key data offset                  : 0x001a9820
value key data type                    : 1 (REG_SZ) String
value key flags                        : 0x0001
        Value name is an ASCII string

value key unknown1                     : 0x6e69 (28265)
value key value name                   : ëigenaardig
value key value name hash              : 0xb78835ee
value key padding:
00000000: 00 55 4e 49 43                                    .UNIC
</pre>

As the flags show, the name is stored as extended ASCII (ANSI) using codepage 1252. The hive does not record which codepage was used, so the name only decodes correctly when the examiner knows (or correctly guesses) the ANSI codepage of the system that wrote it.
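The decoding described in this section, as an added example (this is not code from ForensicsWiki or from any of the tools listed below): a Python parser for a vk record that reads the name size, data size, data offset, type and flags, and decodes the value name either with a caller-supplied ANSI codepage (flag 0x0001 set) or as UTF-16 little endian (flag clear). It is run over the hex dump above. Assumptions not stated on this page: the 4096 byte offset of the hive bins (REGF cell offsets are relative to the first hbin), the inline-data meaning of bit 31 of the data size, and the two extra sample records, which are constructed for the example.

```python
import struct

# vk record copied from the hex dump on this page.  Every REGF cell is
# preceded by a 4-byte signed cell size; the dump starts at the "vk"
# signature, so that size field is not part of these bytes.
VK_CP1252 = bytes.fromhex(
    "766b0b0046000000"   # "vk", name size 11, data size 0x46 (70)
    "20981a0001000000"   # data offset 0x001a9820, data type 1 (REG_SZ)
    "0100696eeb696765"   # flags 0x0001, unknown1 0x6e69, start of name bytes
    "6e61617264696700"   # rest of the name, then padding
    "554e4943"           # padding
)

# Constructed for this example: the same value name stored as UTF-16 little
# endian, which is how the name is kept when the ASCII-name flag is clear.
VK_UTF16 = b"vk" + struct.pack("<HIIIHH", 22, 70, 0x001A9820, 1, 0, 0) \
    + "ëigenaardig".encode("utf-16-le")

# Constructed for this example: a REG_DWORD whose data is stored inline
# (bit 31 of the data size set, data lives in the data offset field).
VK_INLINE = b"vk" + struct.pack("<HIIIHH", 4, 0x80000004, 0x10, 4, 1, 0) + b"Size"

HIVE_BINS_OFFSET = 0x1000   # REGF: cell offsets are relative to file offset 4096
VK_NAME_IS_ASCII = 0x0001   # flags bit: name is a codepaged ANSI string, not UTF-16

REG_TYPES = {
    0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
    4: "REG_DWORD", 5: "REG_DWORD_BIG_ENDIAN", 6: "REG_LINK",
    7: "REG_MULTI_SZ", 11: "REG_QWORD",
}


def parse_vk(cell, codepage="cp1252"):
    """Parse a vk record that starts at its 'vk' signature.

    codepage is the ANSI codepage of the system that wrote the hive.  The
    hive does not record it, so the caller has to supply it.
    """
    if cell[:2] != b"vk":
        raise ValueError("not a vk record")
    (name_size, data_size, data_offset,
     data_type, flags, unknown1) = struct.unpack_from("<HIIIHH", cell, 2)
    raw_name = cell[20:20 + name_size]
    if len(raw_name) != name_size:
        raise ValueError("truncated vk record")

    # Bit 31 of the data size means the data (4 bytes or less) is stored in
    # the data offset field itself rather than in a separate cell.
    inline = bool(data_size & 0x80000000)
    data_size &= 0x7FFFFFFF

    if name_size == 0:
        name = "(default)"          # a zero-length name is the default value
    elif flags & VK_NAME_IS_ASCII:
        name = raw_name.decode(codepage)
    else:
        name = raw_name.decode("utf-16-le")

    return {
        "name": name,
        "name_size": name_size,
        "data_size": data_size,
        "data_offset": data_offset,
        "data_inline": struct.pack("<I", data_offset)[:data_size] if inline else None,
        "data_file_offset": None if inline else HIVE_BINS_OFFSET + data_offset,
        "data_type": REG_TYPES.get(data_type, f"unknown ({data_type})"),
        "flags": flags,
        "unknown1": unknown1,
    }


def name_under_codepages(cell, codepages=("cp1252", "cp1251", "cp1250")):
    """Decode the same name bytes under several candidate system codepages."""
    return {cp: parse_vk(cell, cp)["name"] for cp in codepages}


if __name__ == "__main__":
    for label, cell in (("page dump", VK_CP1252), ("utf-16", VK_UTF16), ("inline", VK_INLINE)):
        print(label, parse_vk(cell))
    print(name_under_codepages(VK_CP1252))
```

The codepage comparison is the practical point: byte 0xEB is "ë" under codepage 1252 but "л" under codepage 1251, and nothing in the hive tells the parser which one applies. Tools that hard-code one codepage will silently produce wrong names for hives from systems with other locale settings.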
==Tools==
===Open Source===
* [https://www.pinguin.lu/index.php Forensic Registry EDitor (fred)] - "Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor" by [[Daniel Gillen]]
* [http://projects.sentinelchicken.org/data/doc/reglookup/regfi/ libregfi] - The regfi library is a read-only NT registry library which serves as the main engine behind the reglookup tool
* [http://projects.sentinelchicken.org/reglookup/ reglookup] - "small command line utility for reading and querying Windows NT-based registries."
* [http://sourceforge.net/projects/regviewer/ regviewer] - a tool for looking at the registry.
* [[Regripper|RegRipper]] - "the fastest, easiest, and best tool for registry analysis in forensics examinations."
* [http://search.cpan.org/~jmacfarla/Parse-Win32Registry-0.51/lib/Parse/Win32Registry.pm Parse::Win32Registry] - Perl module.
* [http://www.williballenthin.com/registry/index.html python-registry] - Python module.
* [http://code.google.com/p/registrydecoder/ Registry Decoder] - offline analysis component, by [[Andrew Case]]
* [http://code.google.com/p/registrydecoder/ RegDecoderLive] - live hive acquisition component, by [[Andrew Case]]
* [[libregf]] - Library and tools to access the Windows NT Registry File (REGF) format
* [[Registryasxml]] - Tool to import/export registry sections as XML
* [http://samba.org/~jelmer/kregedit/ kregedit] - a KDE utility for viewing and editing registry files.
* [http://www.bindview.com/Services/RAZOR/Utilities/Unix_Linux/ntreg_readme.cfm ntreg] - a file system driver for Linux which understands the NT registry file format.

===Freeware===
* [http://www.tzworks.net/prototype_page.php?proto_id=3 Yet Another Registry Utility (yaru)] - Free tool that can be run on Windows, Linux or Mac OS X. If run in admin mode, allows viewing of registry hives on a live system.
* [http://www.tzworks.net/prototype_page.php?proto_id=14 Windows ShellBag Parser] - Free tool that can be run on Windows, Linux or Mac OS X.
* [http://tzworks.net/prototype_page.php?proto_id=19 ''cafae''] - Computer Account Forensic Artifact Extractor. Free tool that can be run on Windows, Linux or Mac OS X to parse ntuser.dat hives.

===Commercial===
* [http://www.abexo.com/free-registry-cleaner.htm Abexo Free Registry Cleaner]
* [http://www.auslogics.com/registry-defrag Auslogics Registry Defrag]
* [http://lastbit.com/arv/ Alien Registry Viewer]
* [http://www.larshederer.homepage.t-online.de/erunt/index.htm NT Registry Optimizer]
* [http://www.registry-clean.net/free-registry-defrag.htm iExpert Software-Free Registry Defrag]
* [http://arsenalrecon.com/apps Registry Recon]
* [http://paullee.ru/regundel Registry Undelete (Russian)]
* [http://mitec.cz/wrr.html Windows Registry Recovery]
* [http://registrytool.com/ Registry Tool]

==Bibliography==
* [http://www.dfrws.org/2009/proceedings/p69-zhu.pdf Using ShellBag Information to Reconstruct User Activities], by Yuandong Zhu, Pavel Gladyshev, Joshua James, DFRWS 2009
* [http://www.sentinelchicken.com/research/registry_format/ The Windows NT Registry File Format], by [[Timothy Morgan]], June 9, 2009
* [http://amnesia.gtisc.gatech.edu/~moyix/suzibandit.ltd.uk/MSc/ The Internal Structure of the Windows Registry], by Peter Norris, February 2009
* [http://www.dfrws.org/2008/proceedings/p33-morgan.pdf Recovering Deleted Data From the Windows Registry] and [http://www.dfrws.org/2008/proceedings/p33-morgan_pres.pdf slides], by [[Timothy Morgan]], DFRWS 2008
* [http://dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf Forensic Analysis of the Windows Registry in Memory] and [http://dfrws.org/2008/proceedings/p26-dolan-gavitt_pres.pdf slides], by Brendan Dolan-Gavitt, DFRWS 2008
* [http://www.sentinelchicken.com/data/JolantaThomassenDISSERTATION.pdf Forensic analysis of unallocated space in Windows Registry Hive files], by Jolanta Thomassen, March 11, 2008
* [http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CW4-4GX1J3B-1&_user=3326500&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000060280&_version=1&_urlVersion=0&_userid=3326500&md5=ab887593e7be6d5257696707886978f1 The Windows Registry as a forensic resource], Digital Investigation, Volume 2, Issue 3, September 2005, pp. 201-205.

=== Undated ===
* [http://eptuners.com/forensics/A%20Windows%20Registry%20Quick%20Reference.pdf A Windows Registry Quick-Reference], by Derrick Farmer, Burlington, VT.
* [http://www.forensicfocus.com/downloads/forensic-analysis-windows-registry.pdf Forensic Analysis of the Windows Registry], by Lih Wern Wong, School of Computer and Information Science, Edith Cowan University

==See Also==
* [http://en.wikipedia.org/wiki/Windows_Registry Wikipedia: Windows Registry]
* [http://windowsir.blogspot.com/search/label/Registry Windows Incident Response Articles on Registry]
* [http://www.answers.com/topic/win-registry Windows Registry Information]
* [http://moyix.blogspot.com/search/label/registry Push the Red Button] - Articles on Registry
* [http://www.beginningtoseethelight.org/ntsecurity/ Security Accounts Manager]

=== Windows 32-bit on Windows 64-bit (WoW64) ===
* [http://msdn.microsoft.com/en-us/library/aa384253(v=vs.85).aspx Registry Keys Affected by WOW64], by [[Microsoft]]
* [http://msdn.microsoft.com/en-us/library/aa384232(VS.85).aspx Registry Redirector], by [[Microsoft]]

[[Category:Windows Analysis]]
[[Category:Bibliographies]]

Chrome Disk Cache Format
Revision as of 08:43, 22 June 2014

{{expand}}

== Cache files ==
The cache is stored in multiple files:

{| class="wikitable"
|-
! Filename
! Description
|-
| index
| The index file
|-
| data_#
| Data block files
|-
| f_######
| (Separate) data stream file
|}

== Cache address ==
The cache address is 4 bytes in size, stored as a 32-bit little-endian integer, and consists of the following fields (offsets are given as byte.bit):

{| class="wikitable"
|-
! offset
! size
! value
! description
|-
| <i>If file type is 0 (Separate file)</i>
|
|
|
|-
| 0.0
| 28 bits
|
| File number <br> The value represents the value of # in f_######
|-
| <i>Else</i>
|
|
|
|-
| 0.0
| 16 bits
|
| Block number
|-
| 2.0
| 8 bits
|
| File number (or file selector) <br> The value represents the value of # in data_#
|-
| 3.0
| 2 bits
|
| Block count (block size field) <br> The number of contiguous blocks minus one: 0 represents 1 block and 3 represents 4 blocks.
|-
| 3.2
| 2 bits
|
| Reserved
|-
| <i>Common</i>
|
|
|
|-
| 3.4
| 3 bits
|
| File type
|-
| 3.7
| 1 bit
|
| Initialized flag
|}

=== File types ===
{| class="wikitable"
|-
! Value
! Description
|-
| 0
| (Separate) data stream file
|-
| 1
| (Rankings) block data file (36 byte block data file)
|-
| 2
| 256 byte block data file
|-
| 3
| 1024 byte block data file
|-
| 4
| 4096 byte block data file
|-
| 6
| Unknown; seen on Mac OS X as 0x6f430074
|}

==== Examples ====
{| class="wikitable"
|-
! Value
! Description
|-
| 0x00000000
| Not initialized
|-
| 0x8000002a
| Data stream file: f_00002a (initialized flag set, file type 0, file number 0x2a)
|-
| 0xa0010003
| Block data file: data_1, block number 3, 1 block (initialized flag set, file type 2, so 256 byte blocks)
|}
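The decoding described by the two tables above, as an added example (this is not code from ForensicsWiki or from the Chromium project): a Python decoder that splits a 4 byte cache address into its initialized flag, file type, file number, block number and block count, and reproduces the descriptions in the Examples table. It generalizes the table to every file type listed on this page. One assumption is not from this page: the 8192 byte header at the start of each data_# file, which is taken from Chromium's blockfile sources (kBlockHeaderSize) and is only used to turn a block number into a file offset. The rankings and 4-block addresses are constructed for the example.

```python
import struct

# Block sizes per file type, from the file type table on this page.  Type 0
# is a separate f_###### stream file and has no block size.
BLOCK_SIZES = {1: 36, 2: 256, 3: 1024, 4: 4096}
FILE_TYPE_NAMES = {
    0: "(separate) data stream file",
    1: "rankings block data file (36 byte blocks)",
    2: "256 byte block data file",
    3: "1024 byte block data file",
    4: "4096 byte block data file",
}

# Assumption, not stated on this page: each data_# file starts with an
# 8192 byte header (kBlockHeaderSize in Chromium's blockfile sources), so
# the block array begins at that offset.
BLOCK_FILE_HEADER_SIZE = 8192


def parse_cache_address(value):
    """Decode a 4 byte cache address, given as an integer, into its fields."""
    value &= 0xFFFFFFFF
    file_type = (value >> 28) & 0x7                   # byte 3, bits 4..6
    addr = {
        "value": value,
        "initialized": bool(value & 0x80000000),      # byte 3, bit 7
        "file_type": file_type,
        "file_type_name": FILE_TYPE_NAMES.get(
            file_type, "unknown (not described on this page)"),
    }
    if not addr["initialized"]:
        return addr                                   # e.g. 0x00000000
    if file_type == 0:
        file_number = value & 0x0FFFFFFF              # bits 0..27
        addr["file_number"] = file_number
        addr["file_name"] = f"f_{file_number:06x}"
        return addr
    block_number = value & 0xFFFF                     # bytes 0..1
    file_number = (value >> 16) & 0xFF                # byte 2
    num_blocks = ((value >> 24) & 0x3) + 1            # byte 3, bits 0..1 (0 means 1 block)
    reserved = (value >> 26) & 0x3                    # byte 3, bits 2..3
    block_size = BLOCK_SIZES.get(file_type)
    addr.update({
        "block_number": block_number,
        "file_number": file_number,
        "file_name": f"data_{file_number}",
        "num_blocks": num_blocks,
        "reserved": reserved,        # expected to be 0; anything else is suspicious
        "block_size": block_size,
    })
    if block_size is not None:
        addr["file_offset"] = BLOCK_FILE_HEADER_SIZE + block_number * block_size
        addr["length"] = num_blocks * block_size
    return addr


def parse_cache_address_bytes(raw):
    """Decode a cache address from the 4 little-endian bytes stored on disk."""
    (value,) = struct.unpack("<I", raw[:4])
    return parse_cache_address(value)


def describe(value):
    """Render an address the way the Examples table on this page does."""
    addr = parse_cache_address(value)
    if not addr["initialized"]:
        return "Not initialized"
    if addr["file_type"] == 0:
        return f"Data stream file: {addr['file_name']}"
    blocks = f"{addr['num_blocks']} block" + ("s" if addr["num_blocks"] > 1 else "")
    size = f" of {addr['block_size']} bytes" if addr["block_size"] else ""
    return (f"Block data file: {addr['file_name']}, "
            f"block number {addr['block_number']}, {blocks}{size}")


if __name__ == "__main__":
    for v in (0x00000000, 0x8000002A, 0xA0010003, 0x6F430074):
        print(f"0x{v:08x}: {describe(v)}")
```

The decoder refuses to compute a file offset for file types without a known block size, and it surfaces the reserved bits instead of masking them away; an address with reserved bits set, or an unknown file type, is a sign of corruption, a newer cache version than this page describes, or a deliberately malformed cache and should be reported rather than followed.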

== Index file format (index) ==
Overview:
* File header
* least recently used (LRU) data (or eviction control data)
* index table

=== File header ===
*TODO*

== Data block file format (data_#) ==
Overview:
* File header
* array of blocks

=== File header ===
*TODO*

== Data stream ==
See: [[gzip]]

== See Also ==
* [[Google Chrome]]
* [[gzip]]

== External Links ==
* [http://www.chromium.org/developers/design-documents/network-stack/disk-cache Disk Cache], The Chromium Projects

[[Category:File Formats]]