Forensic Focus - Computer Forensics, Computer Forensic Training, Digital Forensics
LoginRegisterForumsColumnistsPapersEducationGraduatesReviewsInterviewsNewsletterJobsEventsBlogAdvertise
Search Forensic Focus
Custom Search

Find us on Facebook
Follow Forensic Focus on Twitter
Columnists
"I erred." "I was mistaken."
Craig Ball
Single Sign On
Simon Biles
Copyright and games console modification
Dan Gaskell
To GUI or not to GUI?
Chris Hargreaves
'Web 2.0' as evidence
Sean McLinden
Sometimes it’s all about timing
Sam Raincock
Avoiding common job application errors
David Sullivan
Scalability: A Big Headache
Dominik Weber
Graduate Recruitment

computer forensics graduate jobs

Main Menu
MY ACCOUNT
COMMUNITY
EMPLOYMENT
EDUCATION
RESOURCES
MISC
Follow Forensic Focus

Join newsletter

Join LinkedIn group

Follow on Twitter

Subscribe to news

Subscribe to forums

Subscribe to blog

Subscribe to tweets

Members' blogs

External feeds

Bookmark & share: Bookmark and Share

Computer Forensics Newsletter
Newsletter

You must be a
registered user
to receive our newsletter

Register Now!

Forensic Analysis of the Windows Registry

Page: 7/16

Different Encoding

Suspect may store text-based information using value type REG_BINARY. This technique however does not hide data, as tool like hex editors automatically interpret binary data into readable format (usually ASCII). Using different encoding technique to store data, such as using Unicode instead of ASCII does not improve stealthiness, if suspect only uses common English characters. For instance ASNI ASCII for "pass" is 0x70 0x61 0x73 0x73. While Unicode (16-bit) encoding translate into 0x70 0x00 0x61 0x00 0x73 0x00 0x73 0x00 (Windows stores 16-bit characters in little-endian format). Examiner could easily find the word "pass" using tools that features text finding using different encoding format. Suspect may substitute the 0x00 with random binary numbers to improve stealthiness. However, forensic examiner could still analyse the suspicious text at different intervals (e.g. even or odd characters position) and derive possible meaningful information from the incident context.

A better way to hide data is to encode text-based information into binary format in hexadecimal notation and stored the binary form in registry values as string using type REG_SZ. For instance, storing string 70 61 73 73 (hexadecimal notation for "pass" in ASCII) in the REG_SZ registry value. Thus, only the suspect knows how to decode it. However, this technique requires a simple piece of code to encode the text before storing it into the registry, and to decode the binary data to its readable form when retrieving it. It is not-trivial for forensic examiner to find such hidden data as the binary data (encoded text in hexadecimal form) is stored as it is in the registry, and binary data is common in registry.

Registry Editor Implementation Flaw

Windows 2000 and XP Registry Editor (regedit.exe or regedt32.exe) have an implementation flaw that allows hiding of registry information from viewing and editing, regardless of users access privilege (Secunia, 2005). The flaw involves any registry values with name from 256 to 259 (maximum value name) characters long. The overly long registry value (regardless of type) not only hides its own presence, but also subsequently created values (regardless of type) in the same key (Franchuk, 2005). The editor stops displaying the remaining of the values thinking the overly long value as the last value in that key. Suspect could exploit such Registry Editor flaw to hide information.

This vulnerability allows malware to hide malicious code in "autorun" entries such as the infamous HKLM\Software\Microsoft \Windows\CurrentVersion\Run. Any program or components specified in this key will be automatically run during system startup. Windows will still execute these hidden entries successfully at startup (Wesemann, 2005).

Some common malware scanners are not able to detect such maliciously crafted registry values (Gregg, 2005). Fortunately, Windows console registry tool (reg.exe) can display overly long registry values. For instance, to detect values in registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run, the instruction is reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run.






Previous Page Previous Page (6/16) - Next Page (8/16) Next Page


Forensic Education

computer forensics education choices COURSE DIRECTORY

User Info

Welcome Anonymous

Nickname

Membership:
Latest: vanya66
New Today: 7
New Yesterday: 19
Overall: 15536

People Online:
Members: 6
Visitors: 23
Bots: 6
Staff: 0
Staff Online:

No staff members are online!
Latest Jobs

Computer Forensic - Associate - London - £45,000-£55,000pa+
Last post by ForensicsRecruiter in Computer Forensics Job Vacancies on Sep 01, 2010 at 14:34:53

Computer Forensic Specialist - Team Lead - London £55-£80k+
Last post by ForensicsRecruiter in Computer Forensics Job Vacancies on Sep 01, 2010 at 14:23:04

COMPUTER FORENSIC/EDISCOVERY CONTRACT ROLE, LONDON 4-8 WEEKS
Last post by ScottBurkeman in Computer Forensics Job Vacancies on Aug 27, 2010 at 16:29:03

Computer Forensic Vacancy South Wales
Last post by stezer2000 in Computer Forensics Job Vacancies on Aug 19, 2010 at 09:41:54

CF Investigator (LE experience). London
Last post by DavidSullivan in Computer Forensics Job Vacancies on Aug 18, 2010 at 17:00:41

Computer/Video Forensic Examiners (Fredericksburg, VA, USA)
Last post by snorris in Computer Forensics Job Vacancies on Aug 18, 2010 at 00:09:50

Senior Forensic Computer Examiner - London
Last post by pgro in Computer Forensics Job Vacancies on Aug 17, 2010 at 13:26:19

Phd studentship available at University of Surrey.
Last post by apurva.rustagi in Computer Forensics Job Vacancies on Aug 16, 2010 at 22:52:52

Consultant- London- £25K-£40K
Last post by Teval in Computer Forensics Job Vacancies on Aug 05, 2010 at 07:37:45

Forensic Consultant - Singapore
Last post by darrencerasi in Computer Forensics Job Vacancies on Aug 05, 2010 at 01:00:18

Computer Forensics Blog
· 'Web 2.0' as evidence
· Scalability: A Big Headache
· Single Sign On
· Authentication and Authorisation
· UK student competition: Win free training on "Investigating Connection Records" course
· 10% Discount on Connection Records/Intro to CSA Training (UK)
· Mobile Forensics Training: Investigating Connection Records (UK, Aug 23/24)
· Windows Search forensics
· Computer Forensics - sometimes it’s all about timing
· Forensic Focus 2010 survey

read more...
Members' Blogs

Start Blogging

What is Computer Forensics?
Computer forensics (or forensic computing) is the use of specialized techniques for recovery, authentication, and analysis of electronic data with a view to presenting evidence in a court of law.
Computer Forensics Downloads
  1: Forensic Examination of Digital Evidence: A Guide for Law Enforcement (pdf)
  2: ACPO Good Practice Guide for Computer based Electronic Evidence
  3: Electronic Crime Scene Investigation: A Guide for First Responders (pdf)
  4: Ancysoft Data Recovery Software
  5: Forensics Plan Guide & Forensic Cookbook
  6: HELIX incident response CD
  7: PDA Forensic Tools:An Overview and Analysis
  8: Recover My Files
  9: Autopsy Forensic Browser Version 2.03 (source code)
  10: Handy Recovery
Forensic Focus

Forensic Focus

Copy and paste the text below to insert the button displayed above on your site. Thanks for your support!


Use of this website signifies your agreement to the Terms of Use/Privacy Policy available here.

All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest © 2010 Forensic Focus


Interactive software released under GNU GPL, Code Credits, Privacy Policy
.: fisubsilver shadow phpbb2 style by Daz :: CPG-Nuke port by norseman :: ported to CPG-Dragonfly by jamin :.