Difference between pages "Windows Registry" and "Malware"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(See Also)
 
(Exploit Kit)
 
Line 1: Line 1:
==File Locations==
+
'''Malware''' is a short version of '''Malicious Software'''.
The Windows Registry is stored in multiple files.
+
  
===Windows NT 4 ===
+
Malware is software used for data theft, device damage, harassment, etc. It is very similar to computer malware. It installs things such as trojans, worms, and botnets to the affected device. It is illegal to knowingly distribute malware.
In Windows NT 4 (and later) the Registry is stored in the [[Windows NT Registry File (REGF)]] format.
+
  
Basically the following Registry hives are stored in the corresponding files:
+
== Virus ==
* HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
+
A computer program that can automatically copy itself and infect a computer.
* HKEY_USERS\DEFAULT: C:\Windows\system32\config\default
+
* HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
+
* HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
+
* HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
+
* HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system
+
  
===Windows 98/ME===
+
== Worm ==
* \Windows\user.dat
+
A self-replicating computer program that can automatically infect computers on a network.
* \Windows\system.dat
+
* \Windows\profiles\user profile\user.dat
+
  
== Keys ==
+
== Trojan horse ==
 +
A computer program which appears to perform a certain action, but actually performs many different forms of codes.
  
=== Run/RunOnce ===
+
== Spyware ==
System-wide:
+
A computer program that can automatically intercept or take partial control over the user's interaction.
<pre>
+
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
+
</pre>
+
  
Per user:
+
== Exploit Kit ==
<pre>
+
A toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits]. Often utilizing a drive-by-download.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
+
</pre>
+
  
== Special cases ==
+
=== Drive-by-download ===
The Windows Registry has several special case scenarios, mainly concerning key and value name, that are easy to fail to account for:
+
Any download that happens without a person's knowledge [http://en.wikipedia.org/wiki/Drive-by_download].
* special characters key and value names
+
* duplicate key and value names
+
* the names when stored in extended ASCII (ANSI string) use a codepage that is dependent on the system settings
+
  
=== special characters key and value names ===
+
== See Also ==
Both key and values names are case insensitive. The \ character is used as the key separator. Note
+
that the \ character can be used in value names. The / character is used in both key and value names.
+
Some examples of which are:
+
<pre>
+
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters\
+
Value: Size/Small/Medium/Large
+
</pre>
+
  
<pre>
+
== External Links ==
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc\
+
* [http://en.wikipedia.org/wiki/Malware Wikipedia entry on malware]
Value: \Device\Video0
+
* [http://en.wikipedia.org/wiki/Drive-by_download Wikipedia drive-by-download]
</pre>
+
* [http://www.viruslist.com/ Viruslist.com]
 +
* [http://code.google.com/p/androguard/wiki/DatabaseAndroidMalwares Androguard]: A list of recognized Android malware
  
<pre>
+
=== Exploit Kit ===
Key:
+
* [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits What Are Exploit Kits?], by [[Lenny Zeltser]], October 26, 2010
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1\
+
* [http://nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/ The four seasons of Glazunov: digging further into Sibhost and Flimkit], by Fraser Howard, July 2, 2013
Value: SchemaFile
+
</pre>
+
  
=== codepaged ASCII strings ===
+
[[Category:Malware]]
 
+
Value with name "ëigenaardig" created on Windows XP codepage 1252.
+
 
+
<pre>
+
value key data:
+
00000000: 76 6b 0b 00 46 00 00 00  20 98 1a 00 01 00 00 00  vk..F...  .......
+
00000010: 01 00 69 6e eb 69 67 65  6e 61 61 72 64 69 67 00  ..in.ige naardig.
+
00000020: 55 4e 49 43                                        UNIC
+
 
+
value key signature                    : vk
+
value key value name size              : 11
+
value key data size                    : 0x00000046 (70)
+
value key data offset                  : 0x001a9820
+
value key data type                    : 1 (REG_SZ) String
+
value key flags                        : 0x0001
+
        Value name is an ASCII string
+
 
+
value key unknown1                      : 0x6e69 (28265)
+
value key value name                    : ëigenaardig
+
value key value name hash              : 0xb78835ee
+
value key padding:
+
00000000: 00 55 4e 49 43                                    .UNIC
+
</pre>
+
 
+
As you can see the name is stored in extended ASCII (ANSI) using codepage 1252.
+
 
+
==Tools==
+
===Open Source===
+
* [https://www.pinguin.lu/index.php Forensic Registry EDitor (fred)] - "Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor" by [[Daniel Gillen]]
+
* [http://projects.sentinelchicken.org/data/doc/reglookup/regfi/ libregfi] - The regfi library is a read-only NT registry library which serves as the main engine behind the reglookup tool
+
* [http://projects.sentinelchicken.org/reglookup/ reglookup] — "small command line utility for reading and querying Windows NT-based registries."
+
* [http://sourceforge.net/projects/regviewer/ regviewer] — a tool for looking at the registry.
+
* [[Regripper|RegRipper]] — "the fastest, easiest, and best tool for registry analysis in forensics examinations."
+
* [http://search.cpan.org/~jmacfarla/Parse-Win32Registry-0.51/lib/Parse/Win32Registry.pm Parse::Win32Registry] Perl module.
+
* [http://www.williballenthin.com/registry/index.html python-registry] Python module.
+
* [http://code.google.com/p/registrydecoder/ Registry Decoder] offline analysis component, by [[Andrew Case]]
+
* [http://code.google.com/p/registrydecoder/ RegDecoderLive] live hive acquisition component, by [[Andrew Case]]
+
* [[libregf]] - Library and tools to access the Windows NT Registry File (REGF) format
+
* [[Registryasxml]] - Tool to import/export registry sections as XML
+
* [http://samba.org/~jelmer/kregedit/ kregedit] - a KDE utility for viewing and editing registry files.
+
* [http://www.bindview.com/Services/RAZOR/Utilities/Unix_Linux/ntreg_readme.cfm ntreg] a file system driver for linux, which understands the NT registry file format.
+
 
+
===Freeware===
+
* [http://www.tzworks.net/prototype_page.php?proto_id=3 Yet Another Registry Utility (yaru)] Free tool that can be run on Windows, Linux or Mac OS-X. If run in admin mode, allows viewing of registry hives on live system.
+
 
+
* [http://www.tzworks.net/prototype_page.php?proto_id=14 Windows ShellBag Parser] Free tool that can be run on Windows, Linux or Mac OS-X.
+
 
+
* [http://tzworks.net/prototype_page.php?proto_id=19 ''cafae''] - Computer Account Forensic Artifact Extractor.  Free tool that can be run on Windows, Linux or Mac OS-X to parse ntuser.dat hives.
+
 
+
===Commercial===
+
* [http://www.abexo.com/free-registry-cleaner.htm Abexo Free Regisry Cleaner]
+
* [http://www.auslogics.com/registry-defrag Auslogics Registry Defrag]
+
* [http://lastbit.com/arv/ Alien Registry Viewer]
+
* [http://www.larshederer.homepage.t-online.de/erunt/index.htm NT Registry Optimizer]
+
* [http://www.registry-clean.net/free-registry-defrag.htm iExpert Software-Free Registry Defrag]
+
* [http://arsenalrecon.com/apps Registry Recon]
+
* [http://paullee.ru/regundel Registry Undelete (russian)]
+
* [http://mitec.cz/wrr.html Windows Registry Recovery]
+
* [http://registrytool.com/ Registry Tool]
+
 
+
==Bibliography==
+
* [http://www.dfrws.org/2009/proceedings/p69-zhu.pdf Using ShellBag Information to Reconstruct User Activities], by Yuandong Zhu*, Pavel Gladyshev, Joshua James, DFRWS 2009
+
* [http://www.sentinelchicken.com/research/registry_format/ The Windows NT Registry File Format], by [[Timothy Morgan]], June 9, 2009
+
* [http://amnesia.gtisc.gatech.edu/~moyix/suzibandit.ltd.uk/MSc/ The Internal Structure of the Windows Registry], by Peter Norris, February 2009
+
* [http://www.dfrws.org/2008/proceedings/p33-morgan.pdf Recovering Deleted Data From the Windows Registry] and [http://www.dfrws.org/2008/proceedings/p33-morgan_pres.pdf slides], by [[Timothy Morgan]], DFRWS 2008
+
* [http://dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf Forensic Analysis of the Windows Registry in Memory] and [http://dfrws.org/2008/proceedings/p26-dolan-gavitt_pres.pdf slides], by Brendan Dolan-Gavitt, DFRWS 2008
+
* [http://www.sentinelchicken.com/data/JolantaThomassenDISSERTATION.pdf Forensic analysis of unallocated space in Windows Registry Hive files], by Jolanta Thomassen, March 11, 2008
+
* [http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CW4-4GX1J3B-1&_user=3326500&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000060280&_version=1&_urlVersion=0&_userid=3326500&md5=ab887593e7be6d5257696707886978f1 The Windows Registry as a forensic resource], Digital Investigation, Volume 2, Issue 3, September 2005, Pages 201--205.
+
 
+
=== Undated ===
+
* [http://eptuners.com/forensics/A%20Windows%20Registry%20Quick%20Reference.pdf A Windows Registry Quick Reference: For the Everyday Examiner], by Derrick Farmer, Burlington, VT.
+
* [http://www.forensicfocus.com/downloads/forensic-analysis-windows-registry.pdf Forensic Analysis of the Windows Registry], by Lih Wern Wong , School of Computer and Information Science, Edith Cowan University
+
 
+
==See Also==
+
* [http://en.wikipedia.org/wiki/Windows_Registry Wikipedia: Windows Registry]
+
* [http://windowsir.blogspot.com/search/label/Registry Windows Incident Response Articles on Registry]
+
* [http://www.answers.com/topic/win-registry Windows Registry Information]
+
* [http://moyix.blogspot.com/search/label/registry Push the Red Button] — Articles on Registry
+
* [http://www.beginningtoseethelight.org/ntsecurity/ Security Accounts Manager]
+
* [http://windowsxp.mvps.org/RegistryMRU.htm Registry MRU Locations]
+
 
+
=== Windows 32-bit on Windows 64-bit (WoW64) ===
+
* [http://msdn.microsoft.com/en-us/library/aa384253(v=vs.85).aspx Registry Keys Affected by WOW64], by [[Microsoft]]
+
* [http://msdn.microsoft.com/en-us/library/aa384232(VS.85).aspx Registry Redirector], by [[Microsoft]]
+
 
+
=== User Assist ===
+
* [http://windowsir.blogspot.ch/2007/09/more-on-userassist-keys.html More on (the) UserAssist keys], by [Harlan Carvey], Monday, September 03, 2007
+
* [http://forensicsfromthesausagefactory.blogspot.ch/2010/05/prefetch-and-user-assist.html Prefetch and User Assist], by DC174, Thursday, 27 May 2010
+
* [http://forensicartifacts.com/2010/07/userassist/ Forensic Artifact: UserAssist]
+
* [http://sploited.blogspot.ch/2012/12/sans-forensic-artifact-6-userassist.html SANS Forensic Artifact 6: UserAssist], by Sploited, Thursday, 27 December 2012
+
* [http://www.4n6k.com/2013/05/userassist-forensics-timelines.html UserAssist Forensics (timelines, interpretation, testing, & more)], by Dan (@4n6k), Tuesday, May 14, 2013
+
* [http://hackingexposedcomputerforensicsblog.blogspot.ch/2013/08/daily-blog-45-understanding-artifacts.html Daily Blog #45: Understanding the artifacts: User Assist], by [David Cowen], Wednesday, August 7, 2013
+
 
+
[[Category:Windows Analysis]]
+
[[Category:Bibliographies]]
+

Revision as of 02:05, 21 October 2013

Malware is a short version of Malicious Software.

Malware is software used for data theft, device damage, harassment, etc. It is very similar to computer malware. It installs things such as trojans, worms, and botnets to the affected device. It is illegal to knowingly distribute malware.

Virus

A computer program that can automatically copy itself and infect a computer.

Worm

A self-replicating computer program that can automatically infect computers on a network.

Trojan horse

A computer program which appears to perform a certain action, but actually performs many different forms of codes.

Spyware

A computer program that can automatically intercept or take partial control over the user's interaction.

Exploit Kit

A toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser [1]. Often utilizing a drive-by-download.

Drive-by-download

Any download that happens without a person's knowledge [2].

See Also

External Links

Exploit Kit