System Administration and Forensics
Windows Registry & Timeline
[email protected]
Lecture Objectives
1. Windows Registry
– Structure
– Properties
– Examples
2. Timeline Analysis
– Time Zones
– Case Study
The Registry
Road to Central Depository
– config.sys & autoexec.bat
• Windows 3.0
– INI file
• Windows 3.1
– Start of the idea of a central repository
• Windows 95 and beyond
– Establishment and expansion of the registry
Understanding the Windows Registry
• Registry
– A database that stores hardware and software
configuration information, network connections,
user preferences, and setup information
• For investigative purposes, the Registry can
contain valuable evidence
• To view the Registry, you can use:
– Regedit (Registry Editor) program for Windows 9x
– Regedt32 for Windows 2000 and XP
Organisation and Terminology
• At the physical level
– Files called hives
– Located in: %SYSTEMROOT%\System32\config
• Keys (analogous to folders)
• Values (analogous to files)
• Hierarchy:
– Hives
• Keys
– Values
Hive Properties
• HKEY_USERS – all loaded user data
• HKEY_CURRENT_USER – currently logged on user
• HKEY_LOCAL_MACHINE – array of software and
hardware settings
• HKEY_CURRENT_CONFIG – hardware and
software settings at startup
• HKEY_CLASSES_ROOT – contains information
about application needs to be used to open files
Registry File Locations and Purposes
Windows 7 Root Keys
Registry: A Wealth of Information
Information that can be recovered include:
System Configuration
Devices on the System
User Names
Personal Settings and Browser Preferences
Web Browsing Activity
Files Opened
Programs Executed
Forensic Analysis - Hardware
Forensic Analysis – User ID
• SID (security identifier)
– Well-known SIDs
• SID: S-1-0
• SID: S-1-5-2
Name: Null Authority
Name: Network
– S-1-5-21-2553256115-2633344321-4076599324-1006
string is SID
revision number
authority level (from 0 to 5)
21-2553256115-2633344321-4076599324 - domain or local
computer identifier
• 1006 RID – Relative identifier
• Local SAM resolves SID for locally authenticated
users (not domain users)
– Use recycle bin to check for owners
Forensic Analysis - Software
Windows Security and Relative ID
• The Windows Registry utilizes a alphanumeric
combination to uniquely identify a security principal
or security group.
• The Security ID (SID) is used to identify the computer
• The Relative ID (RID) is used to identity the specific
user on the computer system.
• The SID appears as:
– S-1-5-21-927890586-3685698554-67682326-1005
Forensics Analysis - NTUSER.DAT
• Internet Explorer
– IE auto logon and password
– IE search terms
– IE settings
– Typed URLs
– Auto-complete passwords
Forensics Analysis - NTUSER.DAT
IE explorer Typed URLs
Forensic Analysis – MRU List
A “Most Recently Used List” contains entries made due to specific actions performed
by the user. There are numerous MRU list locations throughout various Registry keys.
These lists are maintained in case the user returns to them in the future. Essentially,
their function is similar to how the history and cookies act in a web browser.
Forensic Analysis – Last Opened
Application in Windows
Forensic Analysis – USB Devices
Registry Forensics
Case Study
(Chad Steel: Windows Forensics, Wiley)
Department manager alleges that individual copied
confidential information on DVD.
No DVD burner was issued or found.
Laptop was analyzed.
Found USB device entry in registry:
Found software key for Nero - Burning ROM in registry
Therefore, looked for and found Nero compilation files (.nrc).
Found other compilation files, including ISO image files.
Image files contained DVD-format and AVI format versions of
copyrighted movies.
Conclusion: No evidence that company information was
burned to disk. However, laptop was used to burn
copyrighted material and employee had lied.
Monitoring the Registry
• The registry is highly complex, and there is not
one single point of reference
• Experimentation allows you as an investigator
to find out for yourself what has occurred
• Real time experimentation helps with postmortem analysis
• Regmon (Replaced by Procmon) from
– Monitors the registry in real time
The RegRipper is an open-source application for extracting, correlating, and
displaying specific information from Registry hive files from the Windows NT (2000,
XP, 2003, Vista and 7) family of operating systems.
Date and Time
System Time
• Determined by booting into the BIOS and
comparing it with an external source
– Radio Signal Clock or Time Server
• CMOS Clock
– Complementary Metal Oxide Semiconductor Chip
– Accessed by most OS to determine the time
Operating System Time
• Is embedded within the file system or high
level file metadata
• Will take into account local time (or not!)
• Can confuse an investigation depending on
tool configuration and time zone
• Will ask for the time from the BIOS CMOS
Program Time
• Programs will ask for the time from the OS
• They can bypass the OS and ask for the time
directly from the BIOS
• It’s important to check and understand where
a program gets its time details from.
OS Time – DOS
MS DOS time/date Format (FAT File System)
Stored as local time
Used for MAC information
32 Bit Structure
Seconds (5 bits from offset 0)
Minutes (6 bits from offset 5)
Hours (5 bits from offset 11)
Days (5 bits from offset 16)
Months (4 bits from offset 21)
Years (7 bits from offset 25)
64 Bit Windows FILETIME
• 64 bit number measuring the number of
100ns intervals since 00:00:00, 1st Jan, 1601
– 58,000 year lifetime
• Stored in the MFT – MAC
C/Unix Time
• 32-bit value
• Number of seconds elapsed since epoch
– 1st January 1970, 00:00:00 GMT
• Limit
– Monday, December 2nd, 2030 and 19:42:58 GMT
Local and UTC time translation
• Coordinated Universal Time (UTC)
– Effectively the same as GMT
• Modern OS calculate the difference between
local time and UTC and store the time/date as
Local Time vs UTC
• 00 DB A2 F7 5C B1 C5 01 (Localtime)
– 127703177299680000
• 00 7B B4 7E 7E B1 C5 01 (GMT)
– 127703321299680000
• Difference:
– 144,000,000,000
• Verify:
– 3,600 s in 1 hour. 14,400 in 4 hours.
– 100 ns = 10 millionth of a s
• 14,400 * 10,000,000
– = 4 hours
Time and the Registry
• ME/XP/Vista/Windows 7
– HKEY_Local_Machine/System/Current
• ActiveTimeBias
– Amount of time (+ or -) to add to UTC
– StandardName - Time Zone
No adjustment required
No adjustment required
GMT – Daylight Saving
Ahead of GMT – therefore a negative value
Case Study – Time and Tools
C. Boyd, P. Forster, “Time and date issues in
forensic computing – a case study”, Digital
Investigation, no. 1, pp. 18– 23, 2004
• Email trace identifies an individual suspected
of involvement in communication of child
abuse images
• Warrant obtained, and Computer equipment
• Relatively simple examination:
– Email traces
– Identification of child abuse images
• During examination, the suspect failed to
provide an explanation for images
• The defence employed an expert to comment
on the evidence
– Supplied with the forensic images of computer
– Police Forensic Statement
Expert Report
‘The defendants computer [ID number] was used to access the Internet after it
was seized and was in police custody. Approximately 750 records of Internet
access are time stamped during the six hours or so after the computer was
‘pages accessed included Hotmail login pages and possible child
pornography site. Floppy diskettes were also used.’
‘There is substantial evidence that is consistent
with the Defendant’s computer [ID
number] being altered while it was in police
‘However I am sure that there are so many
grave problems with this evidence, and with
all the computer evidence submitted by the
prosecution, that the Court cannot safely rely
on it.’
What went wrong?
• Did the police frame the suspect?
• Did the examiners commit the sin of booting
the system while the machine was in their
Tool/Examiner Error
• Encase v4 to extract the time bias
• The system was set to an ofset of 0x00001e1
(+480 minutes) or Pacific Standard Time (PST)
• NetAnalysis to perform the internet browsing
– It was not configured with the correct bias
• It looked as if the files were opened after the
system was in custody.
Checklist for Date/Time Evidence
• Identify the type of time structure being used
to represent local time or UTC
• Look for corroboration in the form of
additional times, dates and activities on the
computer and away from it
• Test your results using the same operating
systems and application versions that are
present on the computer being examined
Final Thoughts
• Tools being used were easy to access, but
highlighted a lack of fundamental knowledge
on the part of the examiner
• Experimentation and testing are key to strong

similar documents