Book Review: Windows Registry Forensics 2E
I had the opportunity to read Harlan Carvey's second edition of Windows Registry Forensics through a Kindle purchase and a hard copy that Harlan was awesome enough to give away when I asked for his feedback on my first blog post. (Thanks Harlan!) Given that a short review is available on Amazon, I wanted to expand on that review further.
In the first chapter Harlan lays out:
- The structure of the registry and its nomenclature
- Analysis concepts and examples of how the operating system (Windows) uses the registry
- Location of the registry hives (SYSTEM, SOFTWARE, NTUSER, USRCLASS, etc.)
- Registry redirection and virtualization (the impact of 32-bit vs 64-bit OS architecture)
The takeaway from this chapter is for the analyst to understand how the registry is structured and where things are, as these bits of information will be useful in later chapters. Harlan sprinkles in some anecdotes (see the tip, note and warning sections).
In chapter two a brief overview is given of tools such as Microsoft's regedit, MiTeC Windows Registry Recovery, Registry Explorer, Autoruns, Mandiant's ShimCache parser, UserAssist (Stevens) and RegRipper. Deleted keys and values are also discussed along with a Perl tool called regslack by Jolanta Thomassen. The main takeaway that I got from this chapter is that there are many tools out there that can help you view or parse the registry, but the analyst must choose which tool to use based on the analysis at hand.
In chapter 3 the concept of artifact categories is discussed along with analysis of the Security, SAM, SYSTEM, SOFTWARE and AmCache hives.
Security
In this section/hive we can find the audit policy settings of a computer. How is this useful? Well, this would help in identifying why certain event IDs are not seen if you retrieved a copy of the event logs, and it would be a great place to start and review before attempting to run tools that parse out specific event IDs from the event logs.
Another key from this hive is the last write time of the Policy\Secrets key, which could indicate possible use of gsecdump (a credential theft tool). Granted, this needs further context from other time-stamped sources of information, but it could provide a pivot point to use when hunting for this tool on endpoints.
SAM
In this hive we can find:
- Local user information details: account creation, last login
- Local group memberships: users are presented in SID format
How is this useful? As in the case of finding the audit policy, we can use this information to profile a system. For example, what user accounts are members of the local Administrators group? It also helps in finding suspicious, non-standard local user accounts. The anecdotes in this section are quite useful.
System
Some key takeaways from this section/hive:
- System name: make sure you are analyzing the right system
- Prefetch settings: is it enabled?
- ShimCache (AppCompat): the application compatibility feature in Windows keeps track of executables that require shimming for compatibility reasons and stores information in the registry.
- Windows services: information such as file paths and service names is recorded in this hive, and attention to non-standard paths can help in identifying suspicious services.
- Legacy_* keys (Windows XP): can be used to correlate when a service starts and stops, to be used in conjunction with other keys that provide service info.
Other useful information is found in this section and I'll stop here so that future readers of the book can explore.
Software
In this section/hive we can find the following takeaways:
- Profiles: what user profiles are on the system (local and domain)
- Windows version: are we dealing with Windows XP, 7, 8 or 10?
- Installed software: the Uninstall key
- Run key: used by legitimate and malicious programs as a persistence mechanism. The executable will start at system start-up. (Be mindful of registry redirection.)
- Image File Execution Options: you can add a "Debugger" value to another program; attackers like to use this for the sticky keys method of persistence.
Again I will stop here and allow future readers to explore.
AmCache
An overview is provided of the AmCache artifact and I will leave it to future readers to explore.
Chapter four discusses the NTUSER and USRCLASS hives. Key takeaways:
- UserAssist keys: keep track of items that are double-clicked through Explorer.
- Program Compatibility Assistant: similar to ShimCache.
- Run keys: note that these executable(s) are launched when a user logs in, unlike those found under the SOFTWARE registry hive.
- File access: several keys are discussed that provide information on files accessed by the user profile, as well as keywords used in searches through Windows Explorer.
- File association: useful when finding artifacts of a suspicious extension type; this key can provide information on how the system is configured to handle the extension type, i.e. is .mp4 handled by Windows Media Player or VLC?
- Shellbags: I may be wrong in my understanding, and please excuse me if this explanation is wrong. This artifact has to do with Windows Explorer and relates to window size and usability. This information is stored in the NTUSER hive (XP) and USRCLASS (Win 7+) and can help in identifying folder traversal, control panel applet access and FTP artifacts.
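To make the Run key and Image File Execution Options points from chapters three and four concrete, here is an added PowerShell check (my own example, not code from the book or from RegRipper) that lists machine-wide and per-user Run entries, including the Wow6432Node view that registry redirection hides from 32-bit processes, and flags IFEO subkeys carrying a Debugger value, in particular on accessibility binaries such as sethc.exe (sticky keys). It assumes a live 64-bit system and an elevated session; the "usual install directories" heuristic and the accessibility-binary list are my own choices.

```powershell
# Added example (not from the book): read-only review of the persistence
# locations discussed above. Run from an elevated 64-bit PowerShell.

function Get-RunKeyEntries {
    # Machine-wide keys, the Wow6432Node view (registry redirection), and per-user keys.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        # Get-ItemProperty adds PS* bookkeeping properties; skip those, keep the real values.
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object {
                [pscustomobject]@{
                    Key   = $key
                    Name  = $_.Name
                    Value = $_.Value
                    # Heuristic (my assumption): executables outside the usual install
                    # directories deserve a closer look, as with non-standard service paths.
                    OutsideUsualDirs = ($_.Value -notmatch '(?i)\\(Windows|Program Files( \(x86\))?)\\')
                }
            }
    }
}

function Get-IfeoDebuggers {
    # Any IFEO subkey holding a Debugger value launches that path instead of the named program.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    # Accessibility binaries reachable from the logon screen (sticky keys style persistence).
    $accessibility = @('sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe', 'magnify.exe')
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{
                Program             = $_.PSChildName
                Debugger            = $dbg
                AccessibilityBinary = ($accessibility -contains $_.PSChildName.ToLower())
            }
        }
    }
}

Get-RunKeyEntries | Format-Table -AutoSize
Get-IfeoDebuggers | Format-Table -AutoSize
```

A Debugger value on any program, not only an accessibility binary, is unusual enough on a production system to warrant correlating the key's last write time with other timestamped sources, as the book suggests for the Policy\Secrets key.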
Chapter five discusses RegRipper and explains what it is and how to use it. Note that throughout the previous chapters several RegRipper plugins are discussed, which hopefully will allow you to use the tool based on your analysis needs.
I really enjoyed the book and definitely recommend it to anyone in the DFIR field as a must read, especially if you have seen presentations at conferences discussing ShimCache, shellbags, and stories of how incident responders were able to figure out what the attacker did on a system. Pay close attention to setting analysis goals and to chapters three and four, as these will help in that regard. This book will assist in strengthening your DFIR skills, and some of this information, once understood, can help you start hunting for evil in your environment.
TL;DR… from my Amazon review
“The book provides a detailed discussion of the structure of the registry, its keys and their relevancy to digital forensics & incident response (DFIR). The author also focuses on presenting examples and use cases on how the reader can leverage information in the registry as part of an analysis. A discussion of tools is given, and the tools presented are free and some are open source, which you can modify to fit your needs if you understand the programming language they are written in. The author dedicates a chapter to RegRipper, a tool that he wrote to parse registry hives, and it serves as a mini manual. After reading the previous chapters, hopefully the reader will understand the flexibility of the tool and how one can expand its functionality. Overall the author does a great job in presenting the information; although short (191 pages), the content is targeted at what can bring value to the reader/analyst. I recommend it to all who work in the DFIR field or are starting to.”