Difference between pages "Upcoming events" and "Windows Registry"

From Forensics Wiki
==File Locations==
The Windows Registry is stored in multiple files.

===Windows NT 4===
In Windows NT 4 (and later) the Registry is stored in the [[Windows NT Registry File (REGF)]] format. Each hive file is accompanied by a transaction log (for example system.LOG on Windows XP, .LOG1 and .LOG2 on Windows Vista and later) which can hold changes that were not yet written back to the hive itself.

The following Registry hives are stored in the corresponding files (on Windows Vista and later the per-user hive is located under \Users\<user profile>\ instead of \Documents and Settings\<user profile>\):

* HKEY_USERS\<SID> (presented as HKEY_CURRENT_USER to the logged-on user): \Documents and Settings\<user profile>\NTUSER.DAT
* HKEY_USERS\.DEFAULT: C:\Windows\system32\config\default
* HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
* HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
* HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
* HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system
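Before any of the hive files above is parsed it is worth checking the REGF base block, the first 4096 bytes of the file: it carries the signature, two sequence numbers that differ when the hive was not cleanly flushed (in which case the transaction log may contain newer data), the format version, the root cell offset and a checksum. The following is an added example, not code from the Forensics Wiki page or from any tool listed on it; it follows the base block layout of the REGF format and builds a constructed sample block so it can run offline. The hive name, timestamp and version in the sample are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

# REGF base block: the first 4096 bytes of every NT-format hive file.
REGF_SIGNATURE = b"regf"
BASE_BLOCK_SIZE = 4096
HBIN_BASE = 0x1000          # cell offsets in a hive are relative to this file offset
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def base_block_checksum(block):
    """XOR of the 127 little-endian dwords in bytes 0x000-0x1FB. Windows remaps the
    two reserved results: 0 becomes 1 and 0xFFFFFFFF becomes 0xFFFFFFFE."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", block[:0x1FC]):
        csum ^= dword
    if csum == 0:
        return 1
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum


def parse_base_block(block):
    """Parse the hive header and report whether it is intact and cleanly flushed."""
    if len(block) < BASE_BLOCK_SIZE:
        raise ValueError("base block is %d bytes, need %d" % (len(block), BASE_BLOCK_SIZE))
    if block[:4] != REGF_SIGNATURE:
        raise ValueError("not a REGF hive, signature is %r" % bytes(block[:4]))
    (seq1, seq2, ts, major, minor, ftype, fformat,
     root_cell, hbins_size) = struct.unpack_from("<IIQIIIIII", block, 0x04)
    name = block[0x30:0x70].decode("utf-16le", "replace").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", block, 0x1FC)[0]
    return {
        "primary_seq": seq1,
        "secondary_seq": seq2,
        # Unequal sequence numbers: the last write did not complete, the hive is
        # "dirty" and the .LOG/.LOG1/.LOG2 files may hold data not yet in the hive.
        "dirty": seq1 != seq2,
        "last_written": filetime_to_datetime(ts),
        "version": (major, minor),
        "file_type": ftype,                      # 0 = primary hive, 1 = transaction log
        "file_format": fformat,
        "root_cell_file_offset": HBIN_BASE + root_cell,
        "hbins_data_size": hbins_size,
        "hive_name": name,
        "checksum_ok": stored == base_block_checksum(block),
    }


def build_sample_base_block(seq1=7, seq2=7, name="SOFTWARE",
                            last_written=datetime(2013, 4, 29, 1, 26, tzinfo=timezone.utc)):
    """Constructed sample, not taken from a real system: a minimal base block with a
    valid checksum so the parser can be exercised without a hive file."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[:4] = REGF_SIGNATURE
    struct.pack_into("<IIQIIIIII", block, 0x04,
                     seq1, seq2, datetime_to_filetime(last_written),
                     1, 3,            # version 1.3 (made-up choice for the sample)
                     0, 1,            # primary file, format 1
                     0x20, 0x1000)    # root cell offset, hbin data size
    block[0x30:0x30 + 2 * len(name)] = name.encode("utf-16le")
    struct.pack_into("<I", block, 0x1FC, base_block_checksum(block))
    return bytes(block)


def inspect_hive_file(path):
    """Read only the base block of a hive on disk, e.g. an exported NTUSER.DAT."""
    with open(path, "rb") as fh:
        return parse_base_block(fh.read(BASE_BLOCK_SIZE))


if __name__ == "__main__":
    for key, val in parse_base_block(build_sample_base_block()).items():
        print("%-22s %s" % (key, val))
```

A dirty hive is not an error condition for the examiner, but it means the hive alone is not the most recent state; a checksum mismatch, on the other hand, points at a damaged or partially overwritten base block and the root cell offset should not be trusted without further checks.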
  

===Windows 98/ME===
Windows 98/ME do not use the REGF format; their hives use the older CREG format.

* \Windows\user.dat
* \Windows\system.dat
* \Windows\profiles\<user profile>\user.dat

== Keys ==

=== Run/RunOnce ===
Programs listed as values under these keys are started when a user logs on, which makes them a common persistence location. System-wide:
<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
</pre>

Per user:
<pre>
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
</pre>

When a hive is examined offline, HKEY_CURRENT_USER corresponds to the NTUSER.DAT of the user in question. RunOnce values are deleted by Windows once the program has been started, so they are usually empty on a live system. On 64-bit Windows, entries written by 32-bit programs end up under SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (see the WoW64 references under See Also).
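What an examiner does with these keys is look at each value's data and decide whether the program it starts is worth a closer look. The triage below is an added example, not code from the page or from any of the tools listed on it; it takes the values of one Run/RunOnce key as a plain dictionary (produced by whatever hive parser is in use) and applies a few heuristics: an unquoted program path containing spaces, a program or argument under a user-writable directory, a built-in script host as the program, and an encoded PowerShell command line. The list of key paths, the directory markers, the host names and the sample values are all constructed for the example.

```python
import re

# Autostart keys named on this page, plus the WoW64-redirected copies that 32-bit
# programs write on 64-bit Windows. Offline, HKEY_CURRENT_USER means the NTUSER.DAT
# of the user being examined.
RUN_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
]

# Directories a normal user can write to; a persistence entry pointing there deserves a look.
USER_WRITABLE = ("\\users\\", "\\documents and settings\\", "\\appdata\\",
                 "\\temp\\", "\\programdata\\")
# Built-in hosts routinely used to run a payload that is not itself an .exe.
SCRIPT_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "powershell.exe", "cmd.exe"}
EXECUTABLE_EXT = r"\.(?:exe|com|bat|cmd|vbs|js|ps1|dll|scr)"


def split_command(data):
    """Return (program, arguments) from a Run value's data, roughly as the loader sees it."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        if end != -1:
            return data[1:end], data[end + 1:].strip()
    m = re.match(r"(.*?" + EXECUTABLE_EXT + r")(?:\s+(.*))?$", data, re.I)
    if m:
        return m.group(1), m.group(2) or ""
    program, _, args = data.partition(" ")
    return program, args


def triage_value(data):
    """Flags for one Run/RunOnce value; an empty list means nothing stood out."""
    program, args = split_command(data)
    flags = []
    if not data.lstrip().startswith('"') and " " in program:
        # C:\Program Files\x\y.exe unquoted: Windows tries C:\Program first, which is
        # a hijack opportunity wherever that name can be created by a user.
        flags.append("unquoted_path_with_spaces")
    if any(marker in data.lower() for marker in USER_WRITABLE):
        flags.append("user_writable_location")
    basename = re.split(r"[\\/]", program)[-1].lower()
    if basename in SCRIPT_HOSTS:
        flags.append("script_host")
    if re.search(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?(?:\s|$)", args, re.I):
        flags.append("encoded_powershell")
    return flags


def triage_run_key(values):
    """values: {value name: data} read from one Run/RunOnce key. Returns {name: flags}."""
    return {name: triage_value(data) for name, data in values.items()}


# Constructed sample values, not taken from a real system.
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r'"C:\Program Files\Windows Defender\MSASCuiL.exe"',
    "Updater":        r'C:\Program Files\Acme Corp\updater.exe /background',
    "svchost":        r'C:\Users\alice\AppData\Roaming\svchost.exe',
    "Loader":         r'rundll32.exe C:\Users\Public\x.dll,Start',
    "PS":             r'powershell.exe -w hidden -enc SQBFAFgA',
}

if __name__ == "__main__":
    for name, flags in triage_run_key(SAMPLE_RUN_VALUES).items():
        print("%-15s %s" % (name, ", ".join(flags) or "-"))
```

The flags are prompts for review, not verdicts: legitimate updaters do live under AppData, and an unquoted path is only exploitable if a user can create the competing file. The point of running this over every key in RUN_KEYS, for every NTUSER.DAT on the system, is to avoid missing the per-user and Wow6432Node copies.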

== Special cases ==
The Windows Registry has several special cases, mainly concerning key and value names, that are easy to overlook:

* special characters in key and value names
* duplicate key and value names
* names stored as extended ASCII (ANSI strings) use a codepage that depends on the settings of the system the hive came from

=== special characters in key and value names ===
Both key and value names are case insensitive. The \ character is the key separator, but it can also appear in value names, and the / character can appear in both key and value names. A parser that builds one "key\value" string and splits it on \ will therefore misread some entries. Some examples:
<pre>
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters\
Value: Size/Small/Medium/Large
</pre>

<pre>
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc\
Value: \Device\Video0
</pre>

<pre>
Key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1\
Value: SchemaFile
</pre>
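The safe way to model this is to keep key paths and value names in separate namespaces: only a key path is split on \, a value name is compared as a whole, both case-insensitively, and values are kept in a list so that duplicate names (the second special case above) are not silently merged. The following is an added example, not code from the page or from any tool it lists; it builds a small in-memory tree from the three key/value pairs quoted above (the data items attached to them are made up) and contrasts a correct lookup with the naive "join and re-split" lookup.

```python
# Keys and values live in separate namespaces: the backslash separates key names,
# but inside a value name (and a slash inside either) it is an ordinary character.
# All name comparisons in the Registry are case insensitive.

class RegistryKey:
    def __init__(self, name):
        self.name = name
        self.subkeys = {}      # lower-cased subkey name -> RegistryKey
        self.values = []       # list of (name, data); a list because duplicates occur

    def subkey(self, name, create=False):
        node = self.subkeys.get(name.lower())
        if node is None and create:
            node = self.subkeys[name.lower()] = RegistryKey(name)
        return node

    def find_values(self, value_name):
        """All data items whose name matches, compared case-insensitively and
        without interpreting \\ or / inside the value name."""
        return [data for name, data in self.values if name.lower() == value_name.lower()]


def split_key_path(key_path):
    """Only key paths are split on backslash; a trailing separator (as in the
    examples on this page) is tolerated."""
    return [part for part in key_path.split("\\") if part]


def walk(root, key_path, create=False):
    node = root
    for part in split_key_path(key_path):
        node = node.subkey(part, create)
        if node is None:
            return None
    return node


def add_value(root, key_path, value_name, data):
    walk(root, key_path, create=True).values.append((value_name, data))


def lookup(root, key_path, value_name):
    """Correct: the value name is never split."""
    key = walk(root, key_path)
    return key.find_values(value_name) if key else []


def naive_lookup(root, joined_path):
    """The mistake this section warns about: treating "key\\value" as one path and
    splitting the whole string on backslashes."""
    parts = split_key_path(joined_path)
    key = walk(root, "\\".join(parts[:-1]))
    return key.find_values(parts[-1]) if key else []


def build_sample_tree():
    """Constructed sample data for the key/value pairs quoted on this page; the
    data items are made up, a real hive holds other data here."""
    root = RegistryKey("")
    add_value(root, r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters",
              "Size/Small/Medium/Large", 1)
    add_value(root, r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc",
              r"\Device\Video0", "constructed-device-path")
    add_value(root,
              r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\xmlprov\Parameters\SchemaGroups\User"
              r"\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1",
              "SchemaFile", "constructed-schema.xml")
    # A duplicate value name (same key, same name, different data) must be kept, not merged.
    add_value(root, r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters",
              "size/small/medium/large", 2)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    disc = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc"
    print("correct:", lookup(tree, disc, r"\Device\Video0"))
    print("naive:  ", naive_lookup(tree, disc + r"\Device\Video0"))
```

The naive lookup returns nothing for the Terminal Server example because it walks into a non-existent subkey named Device and then looks for a value named Video0; tools that print full "key\value" paths and later re-parse them (for filtering, diffing or reporting) make exactly this mistake.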

=== codepaged ASCII strings ===
Value with name "ëigenaardig" created on Windows XP with system codepage 1252.

<pre>
value key data:
00000000: 76 6b 0b 00 46 00 00 00  20 98 1a 00 01 00 00 00   vk..F...  .......
00000010: 01 00 69 6e eb 69 67 65  6e 61 61 72 64 69 67 00   ..in.ige naardig.
00000020: 55 4e 49 43                                        UNIC

value key signature                     : vk
value key value name size               : 11
value key data size                     : 0x00000046 (70)
value key data offset                   : 0x001a9820
value key data type                     : 1 (REG_SZ) String
value key flags                         : 0x0001
        Value name is an ASCII string

value key unknown1                      : 0x6e69 (28265)
value key value name                    : ëigenaardig
value key value name hash               : 0xb78835ee
value key padding:
00000000: 00 55 4e 49 43                                     .UNIC
</pre>

The value key flags are 0x0001, which marks the name as an 8-bit (ANSI) string rather than UTF-16LE, and the first name byte is 0xEB, which is ë only under codepage 1252. The hive does not record which codepage was in use, so a parser that decodes such names as UTF-8 or with the codepage of the analysis machine will mangle them; the codepage of the system the hive came from has to be known or configured.
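A value key parser that handles this case, added here as an example rather than taken from the page or from any of the tools below: it reads the vk cell fields shown in the dump (the dump, and therefore the sample bytes, start at the "vk" signature; in the file a 4-byte signed cell size precedes it), decodes the name with the configured codepage only when the flag bit is set and as UTF-16LE otherwise, and handles data that is stored inline in the offset field when bit 31 of the data size is set. The sample cell is the 36 bytes from the dump above; the second constructed cell and the choice of codepage 1251 for the wrong-codepage comparison are assumptions of the example.

```python
import struct

# vk (value key) cell body, following the 4-byte signed cell size that precedes
# every cell in an hbin. The dump on this page starts at the signature.
#   0x00  "vk"                      0x02  value name length (u16)
#   0x04  data size (u32)           0x08  data offset (u32, relative to 0x1000)
#   0x0C  data type (u32)           0x10  flags (u16)
#   0x12  spare (u16)               0x14  value name (name length bytes)
VK_HEADER = struct.Struct("<2sHIIIHH")
VK_NAME_IS_8BIT = 0x0001     # flag bit: name is an 8-bit (codepaged) string, else UTF-16LE
DATA_IS_INLINE = 0x80000000  # data-size bit: data (<= 4 bytes) is stored in the offset field
HBIN_BASE = 0x1000

REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 5: "REG_DWORD_BIG_ENDIAN", 6: "REG_LINK",
             7: "REG_MULTI_SZ", 11: "REG_QWORD"}


def parse_vk(cell, codepage="cp1252"):
    """Parse one vk cell. `codepage` is the ANSI codepage of the system the hive
    came from; the hive itself does not record it."""
    sig, name_len, data_size, data_off, data_type, flags, spare = VK_HEADER.unpack_from(cell, 0)
    if sig != b"vk":
        raise ValueError("not a vk cell: %r" % sig)
    raw_name = bytes(cell[VK_HEADER.size:VK_HEADER.size + name_len])
    if len(raw_name) != name_len:
        raise ValueError("truncated value name")
    if flags & VK_NAME_IS_8BIT:
        name, name_encoding = raw_name.decode(codepage), codepage
    else:
        name, name_encoding = raw_name.decode("utf-16le"), "utf-16le"
    inline = bool(data_size & DATA_IS_INLINE)
    length = data_size & 0x7FFFFFFF
    info = {
        "name": name,
        "name_encoding": name_encoding,
        "name_length": name_len,
        "data_type": data_type,
        "type_name": REG_TYPES.get(data_type, "0x%x" % data_type),
        "data_length": length,
        "data_inline": inline,
        "flags": flags,
        "spare": spare,
    }
    if inline:
        info["data"] = struct.pack("<I", data_off)[:length]
    else:
        # Offset of the data cell; its 4-byte size field comes first, the data after it.
        info["data_file_offset"] = HBIN_BASE + data_off
    return info


def build_vk_cell(name, data, data_type, codepage=None, data_off=0x1A9820):
    """Constructed cell for testing; codepage=None stores the name as UTF-16LE."""
    raw_name = name.encode(codepage) if codepage else name.encode("utf-16le")
    flags = VK_NAME_IS_8BIT if codepage else 0
    if len(data) <= 4:
        data_size = DATA_IS_INLINE | len(data)
        data_off = struct.unpack("<I", data.ljust(4, b"\x00"))[0]
    else:
        data_size = len(data)
    return VK_HEADER.pack(b"vk", len(raw_name), data_size, data_off, data_type, flags, 0) + raw_name


# The 36 bytes dumped on this page (cell size field omitted, as in the dump).
PAGE_VK_CELL = bytes.fromhex(
    "766b0b00 46000000 20981a00 01000000"
    "0100696e eb696765 6e616172 64696700"
    "554e4943"
)

if __name__ == "__main__":
    for key, val in parse_vk(PAGE_VK_CELL).items():
        print("%-18s %r" % (key, val))
    # Decoding with the wrong codepage silently yields a different name.
    print(parse_vk(PAGE_VK_CELL, codepage="cp1251")["name"])
```

Decoding the same bytes as cp1251 gives "лigenaardig" with no error, which is why the codepage must be an explicit input of the parser rather than a guess; decoding as UTF-8 would fail outright on 0xEB.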

==Tools==
===Open Source===
* [https://www.pinguin.lu/index.php Forensic Registry EDitor (fred)] - "Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor" by [[Daniel Gillen]]
* [http://projects.sentinelchicken.org/data/doc/reglookup/regfi/ libregfi] - The regfi library is a read-only NT registry library which serves as the main engine behind the reglookup tool
* [http://projects.sentinelchicken.org/reglookup/ reglookup] - "small command line utility for reading and querying Windows NT-based registries."
* [http://sourceforge.net/projects/regviewer/ regviewer] - a tool for looking at the registry.
* [[Regripper|RegRipper]] - "the fastest, easiest, and best tool for registry analysis in forensics examinations."
* [http://search.cpan.org/~jmacfarla/Parse-Win32Registry-0.51/lib/Parse/Win32Registry.pm Parse::Win32Registry] Perl module.
* [http://www.williballenthin.com/registry/index.html python-registry] Python module.
* [http://code.google.com/p/registrydecoder/ Registry Decoder] offline analysis component, by [[Andrew Case]]
* [http://code.google.com/p/registrydecoder/ RegDecoderLive] live hive acquisition component, by [[Andrew Case]]
* [[libregf]] - Library and tools to access the Windows NT Registry File (REGF) format
* [[Registryasxml]] - Tool to import/export registry sections as XML

===Freeware===
* [http://www.tzworks.net/prototype_page.php?proto_id=3 Yet Another Registry Utility (yaru)] Free tool that can be run on Windows, Linux or Mac OS-X. If run in admin mode, allows viewing of registry hives on a live system.
* [http://www.tzworks.net/prototype_page.php?proto_id=14 Windows ShellBag Parser] Free tool that can be run on Windows, Linux or Mac OS-X.
* [http://tzworks.net/prototype_page.php?proto_id=19 ''cafae''] - Computer Account Forensic Artifact Extractor. Free tool that can be run on Windows, Linux or Mac OS-X to parse ntuser.dat hives.

===Commercial===
* [http://www.abexo.com/free-registry-cleaner.htm Abexo Free Registry Cleaner]
* [http://www.auslogics.com/registry-defrag Auslogics Registry Defrag]
* [http://lastbit.com/arv/ Alien Registry Viewer]
* [http://www.larshederer.homepage.t-online.de/erunt/index.htm NT Registry Optimizer]
* [http://www.registry-clean.net/free-registry-defrag.htm iExpert Software-Free Registry Defrag]
* [http://arsenalrecon.com/apps Registry Recon]
* [http://paullee.ru/regundel Registry Undelete (Russian)]
* [http://mitec.cz/wrr.html Windows Registry Recovery]
* [http://registrytool.com/ Registry Tool]

==Bibliography==
* [http://www.dfrws.org/2009/proceedings/p69-zhu.pdf Using ShellBag Information to Reconstruct User Activities], by Yuandong Zhu, Pavel Gladyshev, Joshua James, DFRWS 2009
* [http://www.dfrws.org/2008/proceedings/p33-morgan.pdf Recovering Deleted Data From the Windows Registry] and [http://www.dfrws.org/2008/proceedings/p33-morgan_pres.pdf slides], by [[Timothy Morgan]], DFRWS 2008
* [http://dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf Forensic Analysis of the Windows Registry in Memory] and [http://dfrws.org/2008/proceedings/p26-dolan-gavitt_pres.pdf slides], by Brendan Dolan-Gavitt, DFRWS 2008
* [http://eptuners.com/forensics/A%20Windows%20Registry%20Quick%20Reference.pdf A Windows Registry Quick-Reference], by Derrick Farmer, Burlington, VT.
* [http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CW4-4GX1J3B-1&_user=3326500&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000060280&_version=1&_urlVersion=0&_userid=3326500&md5=ab887593e7be6d5257696707886978f1 The Windows Registry as a forensic resource], Digital Investigation, Volume 2, Issue 3, September 2005, Pages 201-205.
* [http://www.forensicfocus.com/downloads/forensic-analysis-windows-registry.pdf Forensic Analysis of the Windows Registry], by Lih Wern Wong, School of Computer and Information Science, Edith Cowan University
* [http://www.sentinelchicken.com/research/registry_format/ The Windows NT Registry File Format], by [[Timothy Morgan]]

==See Also==
* [http://en.wikipedia.org/wiki/Windows_Registry Wikipedia: Windows Registry]
* [http://windowsir.blogspot.com/search/label/Registry Windows Incident Response Articles on Registry]
* [http://www.answers.com/topic/win-registry Windows Registry Information]
* [http://moyix.blogspot.com/search/label/registry Push the Red Button] - Articles on Registry
* [http://www.beginningtoseethelight.org/ntsecurity/ Security Accounts Manager]

=== Windows 32-bit on Windows 64-bit (WoW64) ===
* [http://msdn.microsoft.com/en-us/library/aa384253(v=vs.85).aspx Registry Keys Affected by WOW64], by [[Microsoft]]
* [http://msdn.microsoft.com/en-us/library/aa384232(VS.85).aspx Registry Redirector], by [[Microsoft]]

=== Tools ===
* [http://samba.org/~jelmer/kregedit/ kregedit] - a KDE utility for viewing and editing registry files.
* [http://www.bindview.com/Services/RAZOR/Utilities/Unix_Linux/ntreg_readme.cfm ntreg] - a file system driver for Linux which understands the NT registry file format.

[[Category:Windows Analysis]]
[[Category:Bibliographies]]
Revision as of 01:26, 29 April 2013
