
Windows Registry Analysis For Evidence (Cyber Forensics)


Windows registry analysis is an integral part of gathering evidence about cyber crimes. Every operating system has its own file system, and Windows additionally has its registry. The registry is a database of stored configuration information about the users, hardware, and software on a Windows system. Although the registry was designed to configure the system, in doing so it tracks a plethora of information about the user's activities: the devices connected to the system, what software was used and when, and so on. All of this can be useful to the forensic investigator in tracking the who, what, where, and when of an investigation.
The Windows registry is organised into root folders. These root folders are referred to as hives. There are five (5) registry hives:
1. HKEY_USERS: contains all the loaded user profiles
2. HKEY_CURRENT_USER: profile of the currently logged-on user
3. HKEY_CLASSES_ROOT: configuration information on the applications used to open files
4. HKEY_CURRENT_CONFIG: hardware profile of the system at startup
5. HKEY_LOCAL_MACHINE: configuration information including hardware and software settings

Below the five root keys or hives are subkeys and, in some cases, sub-subkeys. These subkeys hold named values that are displayed in the contents pane. Very often a value is simply 0 or 1, meaning off or on, but values can also contain more complex information, usually displayed in hexadecimal.
We can view and access the registry with the Regedit utility built into Windows. Simply type regedit in the search box and click the result to open the Registry Editor, or enter regedit.exe in the Run dialog.


For a forensic investigator, the registry can prove to be a treasure trove of information on who, what, where, and when something took place on a system.

Information that can be found in the registry includes:
  • Users and the time they last used the system
  • Most recently used software
  • Any devices mounted to the system, including unique identifiers of flash drives, hard drives, phones, tablets, etc.
  • When the system connected to a specific wireless access point
  • What files were accessed and when
  • A list of any searches done on the system
The information mentioned above is just a small subset of what can be extracted from the registry. A person who knows how to examine and analyse the registry can readily reconstruct the activities that have been performed on the system in the past.
Examples:
1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
Here you will find a list of GUIDs for the wireless access points the machine has connected to. Clicking on one reveals information including the SSID name and the date last connected, stored as a binary value displayed in hexadecimal.
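The "date last connected" value mentioned above is a REG_BINARY holding a 16-byte Win32 SYSTEMTIME, which is why Regedit shows it as hexadecimal. The following PowerShell is an added example (not code from the original post) that walks the Profiles key and decodes each profile's DateCreated and DateLastConnected into readable timestamps. It assumes a live system with an elevated shell; the function name and the -Root parameter are this example's own.

```powershell
# Added example, not from the original post: enumerate NetworkList profiles and
# decode their REG_BINARY timestamps. DateCreated and DateLastConnected are
# SYSTEMTIME structures: eight little-endian UInt16 fields in the order
# year, month, day-of-week, day, hour, minute, second, millisecond.

function ConvertFrom-SystemTimeBytes {
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -lt 16) { return $null }
    $f = 0..7 | ForEach-Object { [BitConverter]::ToUInt16($Bytes, $_ * 2) }
    # Field index 2 is the day of week; it is redundant for building the timestamp.
    return [datetime]::new($f[0], $f[1], $f[3], $f[4], $f[5], $f[6], $f[7], [DateTimeKind]::Local)
}

function Get-NetworkProfileHistory {
    param(
        # Default is the live SOFTWARE hive; point this at a loaded offline hive if needed.
        [string]$Root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'
    )
    Get-ChildItem -Path $Root -ErrorAction Stop | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            ProfileGuid       = $_.PSChildName
            ProfileName       = $p.ProfileName      # the SSID for wireless profiles
            Description       = $p.Description
            # NameType 0x47 = wireless, 0x06 = wired LAN, 0x17 = broadband (WWAN)
            NameType          = ('0x{0:X2}' -f [int]$p.NameType)
            DateCreated       = ConvertFrom-SystemTimeBytes $p.DateCreated
            DateLastConnected = ConvertFrom-SystemTimeBytes $p.DateLastConnected
        }
    } | Sort-Object DateLastConnected -Descending
}

# Usage on the live system (most recently connected network first):
Get-NetworkProfileHistory | Format-Table -AutoSize
```

To run this against a SOFTWARE hive copied from an evidence image rather than the live machine, load it first with `reg load HKLM\OffSoft C:\evidence\SOFTWARE` (the mount name and path are placeholders) and pass `-Root 'HKLM:\OffSoft\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'`; unload it with `reg unload HKLM\OffSoft` when finished. The timestamps are recorded in local time of the machine that wrote them, so note that system's time zone before correlating with other sources.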
2. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
This key records the most recently used documents, grouped by file extension. Word documents are found under the .doc or .docx subkey depending on the version of Word they were created in (each subkey can hold up to the last 10 documents). Opening the .docx subkey shows the last 10 Word documents listed under that key.
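The entries under a RecentDocs extension subkey are numbered binary values, and the order in which they were used is kept separately in the MRUListEx value. Below is an added example (not from the original post) in PowerShell that reads one extension subkey, follows MRUListEx to put the entries in most-recent-first order, and pulls the file name out of each binary entry. The function name and parameters are this example's own; it assumes the current user's live hive.

```powershell
# Added example, not from the original post: list the documents recorded under
# RecentDocs\<extension> in most-recently-used order.
#
# Layout, as stored by Explorer:
#   MRUListEx : REG_BINARY array of UInt32 entry numbers, most recent first,
#               terminated by 0xFFFFFFFF.
#   "0","1",..: REG_BINARY entries that begin with the file name as a
#               null-terminated UTF-16LE string, followed by shell-item data.

function Get-RecentDocs {
    param(
        [string]$Extension = '.docx',
        [string]$Root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs'
    )
    $key   = Join-Path $Root $Extension
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    $mru   = [byte[]]$props.MRUListEx
    if (-not $mru) { return }

    # Decode the MRU order: one little-endian UInt32 per entry until the terminator.
    $order = @()
    for ($i = 0; $i + 4 -le $mru.Length; $i += 4) {
        $n = [BitConverter]::ToUInt32($mru, $i)
        if ($n -eq 0xFFFFFFFF) { break }
        $order += $n
    }

    $rank = 0
    foreach ($n in $order) {
        $rank++
        $data = [byte[]](Get-ItemPropertyValue -Path $key -Name "$n" -ErrorAction SilentlyContinue)
        if (-not $data) { continue }
        # Scan for the UTF-16LE null terminator (two zero bytes on an even offset).
        $end = 0
        while ($end + 1 -lt $data.Length -and -not ($data[$end] -eq 0 -and $data[$end + 1] -eq 0)) {
            $end += 2
        }
        [pscustomobject]@{
            Rank     = $rank                       # 1 = most recently used
            Entry    = $n                          # value name under the subkey
            FileName = [Text.Encoding]::Unicode.GetString($data, 0, $end)
        }
    }
}

# Usage: the last 10 Word documents, most recent first.
Get-RecentDocs -Extension '.docx' | Format-Table -AutoSize
```

A caveat for timelining: neither Regedit nor Get-ItemProperty exposes the subkey's last-write timestamp, which is the only time recorded here and which reflects when the top-ranked entry was added. A hive parser that reports key last-write times is needed to attach a time to the most recent document; the other entries carry only their relative order.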
3. HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs

URLs that the user typed into the Internet Explorer address bar are stored as values under this key.
Similarly, there is a great deal of information to be found inside the registry, so it is best to explore it with a specific idea or objective in mind and extract the information you need.
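The TypedURLs values are plain strings named url1, url2, and so on, with url1 the most recent. On newer Windows versions a sibling key, TypedURLsTime, holds a matching REG_BINARY FILETIME for each slot. The following PowerShell is an added example (not from the original post) that lists the slots in order and, where TypedURLsTime is present, converts each 8-byte FILETIME into a UTC timestamp. The function name is this example's own and it assumes the current user's live hive.

```powershell
# Added example, not from the original post: pair each TypedURLs slot with its
# FILETIME from TypedURLsTime (when that key exists) and print them in order.
# A FILETIME is a little-endian Int64 count of 100-nanosecond intervals since
# 1601-01-01 00:00:00 UTC.

function Get-TypedUrlHistory {
    param([string]$Root = 'HKCU:\Software\Microsoft\Internet Explorer')
    $urls  = Get-ItemProperty -Path (Join-Path $Root 'TypedURLs') -ErrorAction Stop
    $times = Get-ItemProperty -Path (Join-Path $Root 'TypedURLsTime') -ErrorAction SilentlyContinue

    $urls.PSObject.Properties |
        Where-Object { $_.Name -match '^url\d+$' } |
        Sort-Object { [int]($_.Name -replace '^url', '') } |
        ForEach-Object {
            $stamp = $null
            if ($times -and $times.PSObject.Properties[$_.Name]) {
                $ft = [byte[]]$times.($_.Name)
                if ($ft -and $ft.Length -ge 8) {
                    $ticks = [BitConverter]::ToInt64($ft, 0)
                    # An all-zero FILETIME means no time was recorded for the slot.
                    if ($ticks -gt 0) { $stamp = [datetime]::FromFileTimeUtc($ticks) }
                }
            }
            [pscustomobject]@{
                Slot     = $_.Name      # url1 is the most recently typed
                Url      = $_.Value
                TypedUtc = $stamp
            }
        }
}

# Usage:
Get-TypedUrlHistory | Format-Table -AutoSize
```

Because this key lives in the user's NTUSER.DAT hive, each account on the machine has its own copy; to examine a different user's history, load that user's NTUSER.DAT with `reg load` under a placeholder name and pass the corresponding path as -Root.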
