Difference between pages "Windows Registry" and "Proxy server"

From ForensicsWiki

Windows Registry

==File Locations==
The Windows Registry is stored in multiple files.

===Windows NT 4===
In Windows NT 4 (and later) the Registry is stored in the [[Windows NT Registry File (REGF)]] format.

The following Registry hives are stored in the corresponding files:
* HKEY_USERS: \Documents and Settings\User Profile\NTUSER.DAT
* HKEY_USERS\DEFAULT: C:\Windows\system32\config\default
* HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
* HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
* HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
* HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system

===Windows 98/ME===
* \Windows\user.dat
* \Windows\system.dat
* \Windows\profiles\user profile\user.dat

== Keys ==
=== Run/RunOnce ===
Values under these keys name programs that are started automatically at logon (Run) or started once and then removed (RunOnce).

System-wide:
<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
</pre>

Per user:
<pre>
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
</pre>

== Special cases ==
The Windows Registry has several special-case scenarios, mainly concerning key and value names, that most tools fail to account for:
* special characters in key and value names
* duplicate key and value names
* names stored in extended ASCII (ANSI strings) use a codepage that depends on the system settings

=== Special characters in key and value names ===
Both key and value names are case insensitive. The \ character is used as the key separator; note that the \ character can also appear in value names. The / character is used in both key and value names. Some examples are:
<pre>
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters\
Value: Size/Small/Medium/Large
</pre>

<pre>
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc\
Value: \Device\Video0
</pre>

<pre>
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1\
Value: SchemaFile
</pre>
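The following Python sketch is an added example, not code from the ForensicsWiki page or from any of the tools listed below. It shows how a tool can store and compare Registry names so that the three special cases above do not bite it: the key path and the value name are kept as separate components (so a value name such as \Device\Video0 is never re-split into subkeys), comparisons are case-insensitive, and ANSI names are decoded with the codepage of the system that wrote the hive. The key and value names are taken from the examples above; the Cyrillic byte string and the codepage names are constructed for the demonstration.

```python
# Added example (not part of the ForensicsWiki page): handling the Registry
# name special cases listed above. Sample key/value names are from the page;
# the Cyrillic ANSI bytes and codepages are constructed test data.
from typing import Dict, List, Tuple

KeyPath = Tuple[str, ...]


def split_key_path(key_path: str) -> KeyPath:
    """Split a key path on the "\\" separator; a trailing "\\" is tolerated."""
    return tuple(part for part in key_path.split("\\") if part)


def normalize_name(name: str) -> str:
    """Key and value names compare case-insensitively. casefold() also folds
    non-ASCII letters, which lower() does not always do."""
    return name.casefold()


def make_reference(key_path: str, value_name: str) -> Tuple[KeyPath, str]:
    """Keep key path and value name as separate components: only the key path
    is split on "\\", so a value name containing "\\" survives intact."""
    return split_key_path(key_path), value_name


def naive_split(key_path: str, value_name: str) -> KeyPath:
    """What a tool sees if it joins key and value into one string and re-splits
    it: the "\\" in the value name produces bogus subkeys."""
    return split_key_path(key_path + value_name)


def find_case_collisions(names: List[str]) -> Dict[str, List[str]]:
    """Group names that are equal under case-insensitive comparison. A tool
    that keys a dict by the raw name silently keeps only one of each group."""
    groups: Dict[str, List[str]] = {}
    for n in names:
        groups.setdefault(normalize_name(n), []).append(n)
    return {k: v for k, v in groups.items() if len(v) > 1}


def decode_ansi_name(raw: bytes, system_codepage: str) -> str:
    """ANSI (extended ASCII) names must be decoded with the codepage of the
    system that wrote the hive; the same bytes read differently elsewhere."""
    return raw.decode(system_codepage)


# Key and value names taken from the examples on the page.
NETBT_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\NetBT\\Parameters\\"
NETBT_VALUE = "Size/Small/Medium/Large"
VIDEO_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\VIDEO\\disc\\"
VIDEO_VALUE = "\\Device\\Video0"
XMLPROV_KEY = ("HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\xmlprov\\Parameters\\"
               "SchemaGroups\\User\\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1\\")

if __name__ == "__main__":
    print(make_reference(VIDEO_KEY, VIDEO_VALUE))      # 7 key components, value intact
    print(naive_split(VIDEO_KEY, VIDEO_VALUE))         # 9 components: two bogus subkeys
    print(find_case_collisions(["Run", "run", "RunOnce"]))
```

The same comparison rule applies when matching a key path from an investigator's watch list against a hive: normalize both sides with normalize_name() component by component rather than comparing raw strings.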
  
==Tools==
===Open Source===
* [https://www.pinguin.lu/index.php Forensic Registry EDitor (fred)] - "Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor" by Gillen Dan
* [http://projects.sentinelchicken.org/data/doc/reglookup/regfi/ libregfi] - The regfi library is a read-only NT registry library which serves as the main engine behind the reglookup tool
* [http://projects.sentinelchicken.org/reglookup/ reglookup] - "small command line utility for reading and querying Windows NT-based registries."
* [http://sourceforge.net/projects/regviewer/ regviewer] - a tool for looking at the registry.
* [[Regripper|RegRipper]] - "the fastest, easiest, and best tool for registry analysis in forensics examinations."
* [http://search.cpan.org/~jmacfarla/Parse-Win32Registry-0.51/lib/Parse/Win32Registry.pm Parse::Win32Registry] Perl module.
* [http://www.williballenthin.com/registry/index.html python-registry] Python module.
* [http://code.google.com/p/registrydecoder/ Registry Decoder] offline analysis component, by Andrew Case
* [http://code.google.com/p/registrydecoder/ RegDecoderLive] live hive acquisition component, by Andrew Case
* [[libregf]] - Library and tools to access the Windows NT Registry File (REGF) format

===Freeware===
* [http://www.tzworks.net/prototype_page.php?proto_id=3 Yet Another Registry Utility (yaru)] Free tool that can be run on Windows, Linux or Mac OS-X. If run in admin mode, allows viewing of registry hives on a live system.
* [http://www.tzworks.net/prototype_page.php?proto_id=14 Windows ShellBag Parser] Free tool that can be run on Windows, Linux or Mac OS-X.
* [http://tzworks.net/prototype_page.php?proto_id=19 ''cafae''] - Computer Account Forensic Artifact Extractor. Free tool that can be run on Windows, Linux or Mac OS-X to parse ntuser.dat hives.

===Commercial===
* [http://www.abexo.com/free-registry-cleaner.htm Abexo Free Registry Cleaner]
* [http://www.auslogics.com/registry-defrag Auslogics Registry Defrag]
* [http://lastbit.com/arv/ Alien Registry Viewer]
* [http://www.larshederer.homepage.t-online.de/erunt/index.htm NT Registry Optimizer]
* [http://www.registry-clean.net/free-registry-defrag.htm iExpert Software-Free Registry Defrag]
* [http://paullee.ru/regundel Registry Undelete (russian)]
* [http://mitec.cz/wrr.html Windows Registry Recovery]
* [http://registrytool.com/ Registry Tool]

==Bibliography==
* [http://www.dfrws.org/2009/proceedings/p69-zhu.pdf Using ShellBag Information to Reconstruct User Activities], Yuandong Zhu, Pavel Gladyshev, Joshua James, DFRWS 2009
* Recovering Deleted Data From the Windows Registry, Timothy Morgan, DFRWS 2008 [http://www.dfrws.org/2008/proceedings/p33-morgan.pdf [paper]] [http://www.dfrws.org/2008/proceedings/p33-morgan_pres.pdf [slides]]
* [http://www.pkdavies.co.uk/documents/Computer_Forensics/registry_examination.pdf Registry Examination], Paul Davies
* [http://dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf Forensic Analysis of the Windows Registry in Memory], Brendan Dolan-Gavitt, DFRWS 2008 [http://dfrws.org/2008/proceedings/p26-dolan-gavitt_pres.pdf [slides]]
* [http://www.pkdavies.co.uk/downloads/registry_examination.pdf Forensic Analysis of the Windows Registry], Peter Davies, Computer Forensics: Coursework 2 (student paper)
* [http://eptuners.com/forensics/A%20Windows%20Registry%20Quick%20Reference.pdf A Windows Registry Quick-Reference], Derrick Farmer, Burlington, VT.
* [http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CW4-4GX1J3B-1&_user=3326500&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000060280&_version=1&_urlVersion=0&_userid=3326500&md5=ab887593e7be6d5257696707886978f1 The Windows Registry as a forensic resource], Digital Investigation, Volume 2, Issue 3, September 2005, Pages 201-205.
* [http://www.forensicfocus.com/downloads/forensic-analysis-windows-registry.pdf Forensic Analysis of the Windows Registry], Lih Wern Wong, School of Computer and Information Science, Edith Cowan University
* [http://www.sentinelchicken.com/research/registry_format/ The Windows NT Registry File Format], Timothy D. Morgan

==See Also==
* [http://windowsir.blogspot.com/search/label/Registry Windows Incident Response Articles on Registry]
* [http://www.answers.com/topic/win-registry Windows Registry Information]
* [http://en.wikipedia.org/wiki/Windows_Registry Wikipedia Article on Windows Registry]
* [http://moyix.blogspot.com/search/label/registry Push the Red Button] - Articles on Registry
* [http://tech.groups.yahoo.com/group/win4n6/ Windows Forensics Mailing List]
* [http://samba.org/~jelmer/kregedit/ kregedit] - a KDE utility for viewing and editing registry files.
* [http://www.bindview.com/Services/RAZOR/Utilities/Unix_Linux/ntreg_readme.cfm ntreg] - a file system driver for Linux which understands the NT registry file format.
* [http://www.beginningtoseethelight.org/ntsecurity/ Security Accounts Manager]
* http://www.opensourceforensics.org/tools/unix.html - Open Source Forensic Tools on Brian Carrier's website.

[[Category:Bibliographies]]
Revision as of 14:38, 17 October 2008

[[Category:Anti-Forensics]]
[[Category:Network Forensics]]

'''Proxy server''' is a server which services the requests of its clients by forwarding those requests to other servers.

== Overview ==
Proxy servers are widely used by organizations and individuals for different purposes:
* Internet sharing (like [[NAT]]);
* Traffic compression;
* Accelerating service requests by retrieving content from cache;
* and many others.

Proxy servers are also commonly used by individuals who wish to violate network policies.
* In China, proxy servers are commonly used by individuals to get around national connectivity policies (user A can't reach website Z, but A can reach proxy server P, which can reach website Z).
* Criminals frequently use proxy servers to hide the origin of their connections (user A connects to website Z through proxy server P; the packets appear to come from P, not from A).

=== HTTP proxies ===
''These proxy servers use HTTP.''

Example request (direct; with relative URI):
<pre>
GET / HTTP/1.1
Host: cryptome.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
If-Modified-Since: Tue, 14 Oct 2008 13:59:19 GMT
If-None-Match: "e01922-62e9-45937059ec2de"
Cache-Control: max-age=0
</pre>

Example request (using proxy; with absolute URI):
<pre>
GET http://cryptome.org/ HTTP/1.1
Host: cryptome.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
If-Modified-Since: Tue, 14 Oct 2008 13:59:19 GMT
If-None-Match: "e01922-62e9-45937059ec2de"
Cache-Control: max-age=0
</pre>

''Note:'' this HTTP request was intercepted on the way to the proxy server. Apart from the request line, the only difference from the direct request is the ''Proxy-Connection'' header in place of ''Connection''.

According to RFC 2068 (section 5.1.2):
<pre>
The absoluteURI form is required when the request is being made to a proxy.
</pre>

''Note:'' the proxy server converts the absolute URI to a relative URI before forwarding the request to the origin server.
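The rewrite a forwarding HTTP proxy performs on the request above, as an added Python example that is not code from the ForensicsWiki page or from any real proxy: the absolute URI becomes a relative one, the hop-by-hop ''Proxy-Connection'' header is turned into a ''Connection'' header (a simplification of what real proxies do), and the ''X-Forwarded-For'' and ''Via'' headers that the server-side detection section below relies on are appended, extending any values an upstream proxy already set. The client address 192.0.2.10, the host example.test and the ''Via'' token "1.1 proxy11 (example-proxy/0.1)" are constructed values.

```python
# Added example (not part of the ForensicsWiki page): the request rewrite a
# forwarding HTTP/1.1 proxy applies before contacting the origin server.
# Client address, proxy name and the example.test host are constructed.
from typing import List, Tuple
from urllib.parse import urlsplit

Header = Tuple[str, str]


def parse_request(raw: str) -> Tuple[str, str, str, List[Header]]:
    """Split a raw HTTP request into (method, target, version, ordered headers)."""
    lines = raw.strip("\r\n").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: List[Header] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers


def serialize(method: str, target: str, version: str, headers: List[Header]) -> str:
    head = [f"{method} {target} {version}"] + [f"{n}: {v}" for n, v in headers]
    return "\r\n".join(head) + "\r\n\r\n"


def rewrite_for_origin(raw: str, client_ip: str,
                       proxy_id: str = "1.1 proxy11 (example-proxy/0.1)") -> str:
    """Return the request the proxy sends to the origin server."""
    method, target, version, headers = parse_request(raw)
    if method == "CONNECT":
        raise ValueError("CONNECT opens a tunnel; the proxy does not rewrite it")

    # 1. absoluteURI (what a client sends to a proxy, RFC 2068 5.1.2) -> relative URI.
    parts = urlsplit(target)
    host = None
    if parts.scheme:
        host = parts.netloc
        target = parts.path or "/"
        if parts.query:
            target += "?" + parts.query

    # 2. Headers addressed to the proxy are consumed; Via / X-Forwarded-For are
    #    collected so the proxy can append itself to an existing chain.
    out: List[Header] = []
    via_values: List[str] = []
    xff_values: List[str] = []
    for name, value in headers:
        lname = name.lower()
        if lname == "proxy-connection":
            out.append(("Connection", value))    # simplification of real proxy behaviour
        elif lname == "host" and host is not None:
            out.append(("Host", host))           # Host must match the origin-form target
        elif lname == "via":
            via_values.append(value)
        elif lname == "x-forwarded-for":
            xff_values.append(value)
        else:
            out.append((name, value))

    # 3. The headers a server-side detector looks for.
    out.append(("X-Forwarded-For", ", ".join(xff_values + [client_ip])))
    out.append(("Via", ", ".join(via_values + [proxy_id])))
    return serialize(method, target, version, out)


# Constructed copy of the page's "using proxy" request (shortened).
SAMPLE_TO_PROXY = (
    "GET http://cryptome.org/ HTTP/1.1\r\n"
    "Host: cryptome.org\r\n"
    "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0\r\n"
    "Keep-Alive: 300\r\n"
    "Proxy-Connection: keep-alive\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(rewrite_for_origin(SAMPLE_TO_PROXY, "192.0.2.10"))
```

A CONNECT request (the HTTPS proxy case below) is deliberately rejected by the rewrite: the proxy only relays bytes after a successful CONNECT, so none of these header changes apply to the tunnelled traffic.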

=== HTTPS proxies ===
''The same as above, but using HTTPS (HTTP over SSL/TLS).''

Sometimes HTTP proxies that support the CONNECT method are called ''"HTTPS proxies"''. These HTTP proxies can tunnel almost any TCP-based protocol.

Example request:
<pre>
CONNECT home.netscape.com:443 HTTP/1.0
User-agent: Mozilla/1.1N
</pre>

=== SOCKS proxies ===
SOCKS is an Internet protocol that allows client-server applications to transparently use the services of a network firewall.

=== Web proxies (CGI proxies) ===
These are web sites that allow a user to access a site through them. They generally use PHP or CGI to implement the proxy functionality.

Example GET request from [http://anonymouse.ws/ Anonymouse] (to a web server):
<pre>
GET / HTTP/1.0
Host: [scrubbed server host]:8080
User-Agent: http://Anonymouse.org/ (Unix)
Connection: keep-alive
</pre>

Example GET request from [http://www.hidemyass.com/ HideMyAss.com]:
<pre>
GET / HTTP/1.0
Host: [scrubbed server host]:8080
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
</pre>

== Proxy detection ==
=== Server-side ===
==== New HTTP headers ====
Some proxy servers add new HTTP headers to the request, for example:
<pre>
GET / HTTP/1.1
Host: [scrubbed server host]:8080
Connection: keep-alive
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: ru
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)
X-Forwarded-For: [scrubbed client real IP address]
Via: 1.1 proxy11 (NetCache NetApp/5.6.1D24)
</pre>

''Note:'' this HTTP request was received from a proxy server using [[netcat]].

The new HTTP headers are ''X-Forwarded-For'' and ''Via''.

==== Mixed HTTP headers ====
Some proxy servers reorder the HTTP headers of the original request (see the example above). [[Internet Explorer]] 7 puts the ''Host'' and ''Connection'' headers at the end of the request, not at the beginning.

==== Modified HTTP header values ====
Some proxy servers modify HTTP headers, replacing the original values (see the example above). [[Internet Explorer]] 7 sends the header ''Connection: Keep-Alive'', not ''Connection: keep-alive''.

==== [[OS fingerprinting]] and User-Agent ====
The following ''User-Agent'' header was received by a web server (see the example above):
<pre>
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)
</pre>

According to this header the request was generated by [[Internet Explorer]] 7 (''MSIE 7.0'') on [[Windows]] Vista or [[Windows]] Server 2008 (''Windows NT 6.0''). However, the connection was initiated with a TCP SYN packet carrying the following options:
<pre>
MSS
NOP
NOP
SACK permitted
NOP
Window scale
NOP
NOP
Timestamps
</pre>

While [[Windows]] Vista commonly uses these options:
<pre>
MSS
NOP
Window scale
NOP
NOP
SACK permitted
</pre>

This means that:
* the User-Agent header was forged;
* the request was sent through a proxy server running a different [[OS]].

==== Other methods ====
* Active detection: see [http://metasploit.com/research/projects/decloak/ Metasploit Decloaking Engine];
* Comparing the source IP address with a list of known proxy servers.

=== On the way to the proxy server ===
==== Absolute URI ====
HTTP clients (such as web browsers) only generate absolute URIs in requests sent to proxies.

==== Other methods ====
* Comparing the destination IP address with a list of known proxy servers.
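The indicators from the two sections above combined into one checker, as an added Python example that is not a ForensicsWiki tool: the proxy-added ''X-Forwarded-For'' and ''Via'' headers, header order and ''Connection'' casing that do not match what Internet Explorer 7 sends, TCP SYN options that do not match the OS the ''User-Agent'' claims, and, for traffic captured on the way to a proxy, an absolute URI in the request line. The IE7 and Windows Vista profiles are taken from the statements above; the proxied sample is a copy of the netcat capture above with the scrubbed host and client address replaced by the constructed values example.test:8080 and 192.0.2.10, and the direct IE7 request is constructed.

```python
# Added example (not part of the ForensicsWiki page): server-side and on-path
# proxy indicators described on the page, run over constructed sample requests.
# The IE7 header profile and the Vista SYN option profile are the page's own
# statements; example.test and 192.0.2.10 stand in for the scrubbed values.
import re
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# SYN option order the page reports as common for Windows NT 6.0 (Vista / Server 2008).
SYN_PROFILES: Dict[str, List[str]] = {
    "Windows NT 6.0": ["MSS", "NOP", "Window scale", "NOP", "NOP", "SACK permitted"],
}


def parse_request(raw: str) -> Tuple[str, List[Header]]:
    """Return (request line, headers in wire order); the order itself is an indicator."""
    lines = raw.strip("\r\n").split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def proxy_indicators(raw: str, syn_options: List[str]) -> List[str]:
    """List every indicator that the request did not come straight from the client."""
    request_line, headers = parse_request(raw)
    names = [n.lower() for n, _ in headers]
    values = {n.lower(): v for n, v in headers}
    findings: List[str] = []

    # 1. Headers that proxies add (as in the page's netcat capture).
    for h in ("x-forwarded-for", "via"):
        if h in values:
            findings.append(f"proxy header present: {h}")

    # 2. Absolute URI in the request line: browsers only send this to a proxy,
    #    so it is meaningful for traffic captured between client and proxy.
    target = request_line.split(" ")[1]
    if re.match(r"[a-z][a-z0-9+.-]*://", target, re.I):
        findings.append("absolute URI in request line")

    # 3. IE7 puts Host and Connection last and sends "Keep-Alive"; a different
    #    order or casing under an MSIE 7.0 User-Agent means something rewrote it.
    ua = values.get("user-agent", "")
    if "MSIE 7.0" in ua:
        if set(names[-2:]) != {"host", "connection"}:
            findings.append("header order does not match MSIE 7.0")
        if values.get("connection") == "keep-alive":
            findings.append("Connection value casing does not match MSIE 7.0")

    # 4. TCP SYN options of the connection versus the OS claimed in the User-Agent.
    for os_name, expected in SYN_PROFILES.items():
        if os_name in ua and syn_options != expected:
            findings.append(f"TCP options do not match {os_name}")
    return findings


# Constructed copy of the request the page shows arriving from a NetCache proxy.
PROXIED_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: example.test:8080\r\n"
    "Connection: keep-alive\r\n"
    "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*\r\n"
    "Accept-Language: ru\r\n"
    "UA-CPU: x86\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)\r\n"
    "X-Forwarded-For: 192.0.2.10\r\n"
    "Via: 1.1 proxy11 (NetCache NetApp/5.6.1D24)\r\n"
    "\r\n"
)
# SYN options the page reports for that connection.
PROXIED_SYN_OPTIONS = ["MSS", "NOP", "NOP", "SACK permitted", "NOP", "Window scale",
                       "NOP", "NOP", "Timestamps"]

# Constructed direct IE7 request: Host and Connection last, "Keep-Alive" casing.
DIRECT_IE7_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)\r\n"
    "Host: example.test\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for f in proxy_indicators(PROXIED_REQUEST, PROXIED_SYN_OPTIONS):
        print("-", f)
    print("direct IE7:", proxy_indicators(DIRECT_IE7_REQUEST, SYN_PROFILES["Windows NT 6.0"]))
```

The checker reports five indicators for the proxied capture and none for the direct IE7 request; the header-order and casing checks only fire when the ''User-Agent'' claims IE7, since the page only documents that browser's behaviour.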