Difference between pages "Mac OS X" and "Windows Registry"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(External Links)
 
(Bibliography)
 
Line 1: Line 1:
{{Expand}}
+
==File Locations==
 +
The Windows Registry is stored in multiple files.
  
Apple Inc.'s Macintosh OS X (pronounced "'''OS Ten'''") is the operating system distributed with Apple computers. It includes heavily used several programs by default, including [[Apple Mail]], a web browser called [[Apple Safari | Safari]], and an [[Apple Address Book]], and [[iCal]].  
+
===Windows NT 4 ===
 +
In Windows NT 4 (and later) the Registry is stored in the [[Windows NT Registry File (REGF)]] format.
  
== Quarantine event database ==
+
Basically the following Registry hives are stored in the corresponding files:
See [http://menial.co.uk/blog/2011/06/16/mac-quarantine-event-database/]
+
* HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
 +
* HKEY_USERS\DEFAULT: C:\Windows\system32\config\default
 +
* HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
 +
* HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
 +
* HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
 +
* HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system
  
Snow Leopard and earlier
+
===Windows 98/ME===
 +
* \Windows\user.dat
 +
* \Windows\system.dat
 +
* \Windows\profiles\user profile\user.dat
 +
 
 +
== Keys ==
 +
 
 +
=== Run/RunOnce ===
 +
System-wide:
 
<pre>
 
<pre>
/Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEvents
+
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 +
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
 
</pre>
 
</pre>
  
 +
Per user:
 
<pre>
 
<pre>
SELECT datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") as LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineOriginURLString, LSQuarantineDataURLString from LSQuarantineEvent;
+
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 +
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
 
</pre>
 
</pre>
  
Lion and later
+
== Special cases ==
 +
The Windows Registry has several special case scenarios, mainly concerning key and value name, that are easy to fail to account for:
 +
* special characters key and value names
 +
* duplicate key and value names
 +
* the names when stored in extended ASCII (ANSI string) use a codepage that is dependent on the system settings
 +
 
 +
=== special characters key and value names ===
 +
Both key and values names are case insensitive. The \ character is used as the key separator. Note
 +
that the \ character can be used in value names. The / character is used in both key and value names.
 +
Some examples of which are:
 
<pre>
 
<pre>
/Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
+
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters\
 +
Value: Size/Small/Medium/Large
 
</pre>
 
</pre>
  
== Package Files (.PKG) ==
+
<pre>
Package Files (.PKG) are XAR archives [http://en.wikipedia.org/wiki/Xar_(archiver)] that contain a cpio archive and metadata [http://s.sudre.free.fr/Stuff/Ivanhoe/FLAT.html].
+
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc\
 +
Value: \Device\Video0
 +
</pre>
 +
 
 +
<pre>
 +
Key:
 +
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1\
 +
Value: SchemaFile
 +
</pre>
 +
 
 +
=== codepaged ASCII strings ===
 +
 
 +
Value with name "ëigenaardig" created on Windows XP codepage 1252.
 +
 
 +
<pre>
 +
value key data:
 +
00000000: 76 6b 0b 00 46 00 00 00  20 98 1a 00 01 00 00 00  vk..F...  .......
 +
00000010: 01 00 69 6e eb 69 67 65  6e 61 61 72 64 69 67 00  ..in.ige naardig.
 +
00000020: 55 4e 49 43                                        UNIC
 +
 
 +
value key signature                    : vk
 +
value key value name size              : 11
 +
value key data size                    : 0x00000046 (70)
 +
value key data offset                  : 0x001a9820
 +
value key data type                    : 1 (REG_SZ) String
 +
value key flags                        : 0x0001
 +
        Value name is an ASCII string
 +
 
 +
value key unknown1                      : 0x6e69 (28265)
 +
value key value name                    : ëigenaardig
 +
value key value name hash              : 0xb78835ee
 +
value key padding:
 +
00000000: 00 55 4e 49 43                                    .UNIC
 +
</pre>
 +
 
 +
As you can see the name is stored in extended ASCII (ANSI) using codepage 1252.
 +
 
 +
==Tools==
 +
===Open Source===
 +
* [https://www.pinguin.lu/index.php Forensic Registry EDitor (fred)] - "Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor" by [[Daniel Gillen]]
 +
* [http://projects.sentinelchicken.org/data/doc/reglookup/regfi/ libregfi] - The regfi library is a read-only NT registry library which serves as the main engine behind the reglookup tool
 +
* [http://projects.sentinelchicken.org/reglookup/ reglookup] — "small command line utility for reading and querying Windows NT-based registries."
 +
* [http://sourceforge.net/projects/regviewer/ regviewer] — a tool for looking at the registry.
 +
* [[Regripper|RegRipper]] — "the fastest, easiest, and best tool for registry analysis in forensics examinations."
 +
* [http://search.cpan.org/~jmacfarla/Parse-Win32Registry-0.51/lib/Parse/Win32Registry.pm Parse::Win32Registry] Perl module.
 +
* [http://www.williballenthin.com/registry/index.html python-registry] Python module.
 +
* [http://code.google.com/p/registrydecoder/ Registry Decoder] offline analysis component, by [[Andrew Case]]
 +
* [http://code.google.com/p/registrydecoder/ RegDecoderLive] live hive acquisition component, by [[Andrew Case]]
 +
* [[libregf]] - Library and tools to access the Windows NT Registry File (REGF) format
 +
* [[Registryasxml]] - Tool to import/export registry sections as XML
 +
* [http://samba.org/~jelmer/kregedit/ kregedit] - a KDE utility for viewing and editing registry files.
 +
* [http://www.bindview.com/Services/RAZOR/Utilities/Unix_Linux/ntreg_readme.cfm ntreg] a file system driver for linux, which understands the NT registry file format.
 +
 
 +
===Freeware===
 +
* [http://www.tzworks.net/prototype_page.php?proto_id=3 Yet Another Registry Utility (yaru)] Free tool that can be run on Windows, Linux or Mac OS-X. If run in admin mode, allows viewing of registry hives on live system.
 +
 
 +
* [http://www.tzworks.net/prototype_page.php?proto_id=14 Windows ShellBag Parser] Free tool that can be run on Windows, Linux or Mac OS-X.
 +
 
 +
* [http://tzworks.net/prototype_page.php?proto_id=19 ''cafae''] - Computer Account Forensic Artifact Extractor.  Free tool that can be run on Windows, Linux or Mac OS-X to parse ntuser.dat hives.
 +
 
 +
===Commercial===
 +
* [http://www.abexo.com/free-registry-cleaner.htm Abexo Free Regisry Cleaner]
 +
* [http://www.auslogics.com/registry-defrag Auslogics Registry Defrag]
 +
* [http://lastbit.com/arv/ Alien Registry Viewer]
 +
* [http://www.larshederer.homepage.t-online.de/erunt/index.htm NT Registry Optimizer]
 +
* [http://www.registry-clean.net/free-registry-defrag.htm iExpert Software-Free Registry Defrag]
 +
* [http://arsenalrecon.com/apps Registry Recon]
 +
* [http://paullee.ru/regundel Registry Undelete (russian)]
 +
* [http://mitec.cz/wrr.html Windows Registry Recovery]
 +
* [http://registrytool.com/ Registry Tool]
 +
 
 +
==Bibliography==
 +
* [http://www.dfrws.org/2009/proceedings/p69-zhu.pdf Using ShellBag Information to Reconstruct User Activities], by Yuandong Zhu*, Pavel Gladyshev, Joshua James, DFRWS 2009
 +
* [http://amnesia.gtisc.gatech.edu/~moyix/suzibandit.ltd.uk/MSc/ The Internal Structure of the Windows Registry], by Peter Norris, February 2009
 +
* [http://www.dfrws.org/2008/proceedings/p33-morgan.pdf Recovering Deleted Data From the Windows Registry] and [http://www.dfrws.org/2008/proceedings/p33-morgan_pres.pdf slides], by [[Timothy Morgan]], DFRWS 2008
 +
* [http://dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf Forensic Analysis of the Windows Registry in Memory] and [http://dfrws.org/2008/proceedings/p26-dolan-gavitt_pres.pdf slides], by Brendan Dolan-Gavitt, DFRWS 2008
 +
* [http://www.sentinelchicken.com/data/JolantaThomassenDISSERTATION.pdf Forensic analysis of unallocated space in Windows Registry Hive files], by Jolanta Thomassen, March 11, 2008
 +
 
 +
* [http://eptuners.com/forensics/A%20Windows%20Registry%20Quick%20Reference.pdf A Windows Registry Quick-Reference], by Derrick Farmer, Burlington, VT.
 +
 
 +
* [http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CW4-4GX1J3B-1&_user=3326500&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000060280&_version=1&_urlVersion=0&_userid=3326500&md5=ab887593e7be6d5257696707886978f1 The Windows Registry as a forensic resource], Digital Investigation, Volume 2, Issue 3, September 2005, Pages 201--205.
  
== Also see ==
+
* [http://www.forensicfocus.com/downloads/forensic-analysis-windows-registry.pdf Forensic Analysis of the Windows Registry], by Lih Wern Wong , School of Computer and Information Science, Edith Cowan University
* [[MacOS Process Monitoring]]
+
* [[Acquiring a MacOS System with Target Disk Mode]]
+
  
== External Links ==
+
* [http://www.sentinelchicken.com/research/registry_format/ The Windows NT Registry File Format], by [[Timothy Morgan]]
  
* [http://www.apple.com/macosx/ Official website]
+
==See Also==
* [http://en.wikipedia.org/wiki/OS_X Wikipedia entry on OS X]
+
* [http://en.wikipedia.org/wiki/Windows_Registry Wikipedia: Windows Registry]
* [http://menial.co.uk/blog/2011/06/16/mac-quarantine-event-database/ Quarantine event database]
+
* [http://windowsir.blogspot.com/search/label/Registry Windows Incident Response Articles on Registry]
* [http://www2.tech.purdue.edu/cit/Courses/cit556/readings/MacForensicsCraiger.pdf Mac Forensics: Mac OS X and the HFS+ File System] by P. Craiger
+
* [http://www.answers.com/topic/win-registry Windows Registry Information]
 +
* [http://moyix.blogspot.com/search/label/registry Push the Red Button] — Articles on Registry
 +
* [http://www.beginningtoseethelight.org/ntsecurity/ Security Accounts Manager]
  
=== Apple Examiner ===
+
=== Windows 32-bit on Windows 64-bit (WoW64) ===
* [http://www.appleexaminer.com/ The Apple Examiner]
+
* [http://msdn.microsoft.com/en-us/library/aa384253(v=vs.85).aspx Registry Keys Affected by WOW64], by [[Microsoft]]
* [http://www.appleexaminer.com/MacsAndOS/Analysis/USBOSX/USBOSX.html USB Entries on OS X]
+
* [http://msdn.microsoft.com/en-us/library/aa384232(VS.85).aspx Registry Redirector], by [[Microsoft]]
* [http://www.appleexaminer.com/Downloads/MacForensics.pdf Macintosh Forensics - A Guide for the Forensically Sound Examination of a Macintosh Computer] by Ryan R. Kubasiak
+
  
[[Category:Mac OS X]]
+
[[Category:Windows Analysis]]
[[Category:Operating systems]]
+
[[Category:Bibliographies]]

Revision as of 01:25, 11 May 2013

File Locations

The Windows Registry is stored in multiple files.

Windows NT 4

In Windows NT 4 (and later) the Registry is stored in the Windows NT Registry File (REGF) format.

Basically the following Registry hives are stored in the corresponding files:

  • HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
  • HKEY_USERS\DEFAULT: C:\Windows\system32\config\default
  • HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
  • HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
  • HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
  • HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system

Windows 98/ME

  • \Windows\user.dat
  • \Windows\system.dat
  • \Windows\profiles\user profile\user.dat

Keys

Run/RunOnce

System-wide:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Per user:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Special cases

The Windows Registry has several special case scenarios, mainly concerning key and value name, that are easy to fail to account for:

  • special characters key and value names
  • duplicate key and value names
  • the names when stored in extended ASCII (ANSI string) use a codepage that is dependent on the system settings

special characters key and value names

Both key and values names are case insensitive. The \ character is used as the key separator. Note that the \ character can be used in value names. The / character is used in both key and value names. Some examples of which are:

Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters\
Value: Size/Small/Medium/Large
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc\
Value: \Device\Video0
Key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1\
Value: SchemaFile

codepaged ASCII strings

Value with name "ëigenaardig" created on Windows XP codepage 1252.

value key data:
00000000: 76 6b 0b 00 46 00 00 00  20 98 1a 00 01 00 00 00   vk..F...  .......
00000010: 01 00 69 6e eb 69 67 65  6e 61 61 72 64 69 67 00   ..in.ige naardig.
00000020: 55 4e 49 43                                        UNIC

value key signature                     : vk
value key value name size               : 11
value key data size                     : 0x00000046 (70)
value key data offset                   : 0x001a9820
value key data type                     : 1 (REG_SZ) String
value key flags                         : 0x0001
        Value name is an ASCII string

value key unknown1                      : 0x6e69 (28265)
value key value name                    : ëigenaardig
value key value name hash               : 0xb78835ee
value key padding:
00000000: 00 55 4e 49 43                                     .UNIC

As you can see the name is stored in extended ASCII (ANSI) using codepage 1252.

Tools

Open Source

Freeware

  • cafae - Computer Account Forensic Artifact Extractor. Free tool that can be run on Windows, Linux or Mac OS-X to parse ntuser.dat hives.

Commercial

Bibliography

See Also

Windows 32-bit on Windows 64-bit (WoW64)